ipfw2 for IPV6

Andre Oppermann andre at freebsd.org
Fri Sep 10 12:20:30 PDT 2004


Brooks Davis wrote:
> 
> On Mon, Sep 06, 2004 at 01:09:57AM +0200, Andre Oppermann wrote:
> > Brooks Davis wrote:
> > >
> > > I'm working on updating the IPFW2 for IPv6 patch Luigi posted back in
> > > April.  I've got it partially working with pfil, but I've run into some
> > > issues with linklocal addresses and dummynet6.  Inbound rules work fine,
> > > but output rules do not because the route struct is not carried in to
> > > the pfil hook and thus the output interface is lost.
> >
> > You are supposed to give the output interface as an argument to
> > pfil_run_hooks().  Doesn't that suffice?
> 
> I've been thinking about this and I think the problem is that we need
> to pass the route in to ip6_output in the link local address case.  I
> think we can generate it in dummynet (at least I hope we can), but I
> need to figure that out.  I'm going to read some more code today and

I've just killed any route knowledge from dummynet and it should stay
that way.  (Before it was a really nasty, but required, hack.)

What you could do is to attach an mtag to the IPv6 packet containing
the pointer to the rtentry you want to pass along with it.  You need to
write your own mtag-free routine for this one because if the mtag gets
deleted the refcount on the rtentry *must* be decremented.  If you don't
do it through a specific mtag-free routine this won't be done for the
cases where an m_freem is done.

> I've got the Design and Implementation book coming next week.  At this
> point it's probably the best doc around since no one has updated TCP/IP
> Illustrated v2 yet (I'd love to see a new version based on FreeBSD 6).

There is nothing special regarding this in the book.  I know, I've tech-
reviewed the networking chapters. ;-)

> > I guess the best thing is to involve <gnn at neville-neil.org> into this.
> > He's cutting his teeth on the IPv6 code and this is probably something
> > he can give some insights.
> 
> I'm talking to him (rwatson noticed my branch and pointed him to it).
> 
> > PS: What about ipfw6?
> 
> Robert wants to kill it off so we don't have to lock it.  As Luigi says,
> it's redundant once ipfw supports IPv6.

Ok, good.

-- 
Andre
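
Added example (not part of the original message and not FreeBSD code): a userspace C model of the suggestion above, where a packet tag holds a referenced route pointer and a tag-specific free routine drops that reference when the packet is freed. All struct and function names are hypothetical stand-ins for the kernel's mbuf tag and rtentry handling, and the initial refcount is a constructed value.

```c
#include <stdlib.h>
/* Userspace model: every name here is a hypothetical stand-in, not kernel API. */
struct route { int refcnt; };
struct tag {
    struct tag *next;
    void (*free_fn)(struct tag *);  /* per-tag destructor */
    struct route *rt;               /* payload: the referenced route */
};
struct pkt { struct tag *tags; };

/* Default destructor: frees the tag only, so the reference it held leaks. */
static void tag_free_default(struct tag *t) { free(t); }

/* Route-aware destructor: drops the route reference, then frees the tag. */
static void tag_free_route(struct tag *t) { t->rt->refcnt--; free(t); }

/* Attach a tag carrying rt; the tag owns one reference for its lifetime. */
static int pkt_attach_route(struct pkt *p, struct route *rt,
                            void (*free_fn)(struct tag *))
{
    struct tag *t = malloc(sizeof(*t));
    if (t == NULL)
        return -1;
    rt->refcnt++;
    t->rt = rt; t->free_fn = free_fn;
    t->next = p->tags; p->tags = t;
    return 0;
}

/* Models the packet being freed: every attached tag's destructor runs. */
static void pkt_free(struct pkt *p)
{
    while (p->tags != NULL) {
        struct tag *t = p->tags;
        p->tags = t->next;
        t->free_fn(t);
    }
}

/* Route refcount after a tagged packet is dropped (1 means no leak). */
int refcnt_after_drop(int route_aware)
{
    struct route rt = { 1 };  /* constructed: one reference held elsewhere */
    struct pkt p = { NULL };
    if (pkt_attach_route(&p, &rt, route_aware ? tag_free_route : tag_free_default))
        return -1;
    pkt_free(&p);
    return rt.refcnt;
}
int main(void) { return !(refcnt_after_drop(1) == 1 && refcnt_after_drop(0) == 2); }
```

With the default destructor the count stays at 2 after the drop, so the route could never be released; with the route-aware one it returns to 1 on every path that frees the packet.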

