kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Gaël Roualland
gael.roualland at dial.oleane.com
Sun Nov 27 21:30:11 GMT 2005
The following reply was made to PR kern/89472; it has been noted by GNATS.
From: Gaël Roualland <gael.roualland at dial.oleane.com>
To: Hajimu UMEMOTO <ume at freebsd.org>
Cc: FreeBSD-gnats-submit at freebsd.org
Subject: Re: kern/89472: ipfw2 no longer supports filtering IPv6-over-IPv4 on 6.0-RELEASE
Date: Sun, 27 Nov 2005 22:27:40 +0100
Hajimu UMEMOTO wrote:
>
> Hi,
>
> >>>>> On Sun, 27 Nov 2005 02:15:05 +0100
> >>>>> Gaël Roualland <gael.roualland at dial.oleane.com> said:
>
> gael> I applied the patch, and 'show' was fine (except for ipv6 instead of
> gael> 41), but it did break my other rules.. Looks like "allow ip from any to
> gael> any" doesn't match anything anymore...
>
> Oops, please try this patch instead.
It seems to work fine with this patch so far (FYI, none of the patches
you sent applied as-is, so I applied it manually). Thanks.
Regarding the fact that ip6/ipv6 (and ip4/ipv4) cannot be used in the
proto construction, I added a parameter to add_proto to distinguish
between the main rule proto and potential "proto options". The patch is
attached.
Gaël.
--
Gaël Roualland -+- gael.roualland at dial.oleane.com
Attachment: ipfw2.patch
--- src/sbin/ipfw/ipfw2.c.orig Sun Nov 27 22:25:33 2005
+++ src/sbin/ipfw/ipfw2.c Sun Nov 27 22:24:14 2005
@@ -3590,29 +3590,33 @@ add_mactype(ipfw_insn *cmd, int ac, char
}
static ipfw_insn *
-add_proto(ipfw_insn *cmd, char *av, u_char *proto)
+add_proto(ipfw_insn *cmd, char *av, u_char *proto, int ismain)
{
struct protoent *pe;
*proto = IPPROTO_IP;
- if (_substrcmp(av, "all") == 0)
+ if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
; /* do not set O_IP4 nor O_IP6 */
else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
- /* explicit "just IPv4" rule */
- fill_cmd(cmd, O_IP4, 0, 0);
+ if (ismain) /* explicit "just IPv4" rule */
+ fill_cmd(cmd, O_IP4, 0, 0);
+ else
+ fill_cmd(cmd, O_PROTO, 0, *proto);
else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
/* explicit "just IPv6" rule */
*proto = IPPROTO_IPV6;
- fill_cmd(cmd, O_IP6, 0, 0);
- } else if ((*proto = atoi(av)) > 0)
- ; /* all done! */
- else if ((pe = getprotobyname(av)) != NULL)
+ if (ismain)
+ fill_cmd(cmd, O_IP6, 0, 0);
+ else
+ fill_cmd(cmd, O_PROTO, 0, *proto);
+ } else if ((*proto = atoi(av)) > 0)
+ fill_cmd(cmd, O_PROTO, 0, *proto);
+ else if ((pe = getprotobyname(av)) != NULL) {
*proto = pe->p_proto;
- else
- return NULL;
- if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
fill_cmd(cmd, O_PROTO, 0, *proto);
+ } else
+ return NULL;
return cmd;
}
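Review bot: in the `ismain == 0` IPv4 branch (the new `fill_cmd(cmd, O_PROTO, 0, *proto)` under `strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0`), `*proto` still holds the `IPPROTO_IP` (0) assigned at the top of the function, so the option emits an O_PROTO match on protocol number 0, whereas the IPv6 branch first sets `*proto = IPPROTO_IPV6` and therefore matches the encapsulation protocol 41. If `proto ip4` as an option is meant to match IPv4 encapsulated in IPv4, the branch needs an explicit protocol assignment before `fill_cmd`; if matching protocol 0 is what is intended, a comment should say so. Two smaller points: the IPv4 branch nests `if (ismain) ... else ...` inside an `else if` without braces (the IPv6 branch uses them), which parses as intended today but is easy to break on the next edit, so wrap it in braces; and the new `ismain` parameter deserves a one-line comment above the function stating that it selects O_IP4/O_IP6 for the main rule protocol and O_PROTO for `proto` options.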
@@ -4056,7 +4060,7 @@ add(int ac, char *av[])
OR_START(get_proto);
NOT_BLOCK;
NEED1("missing protocol");
- if (add_proto(cmd, *av, &proto)) {
+ if (add_proto(cmd, *av, &proto, 1)) {
av++; ac--;
if (F_LEN(cmd) != 0) {
prev = cmd;
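Review bot: the literal `1` in `add_proto(cmd, *av, &proto, 1)` says nothing at the call site about what it selects; a short comment here (main-rule protocol, so `ipv4`/`ipv6` become O_IP4/O_IP6) or a named constant shared with the `read_options` call would make the two call sites self-explanatory. The existing `F_LEN(cmd) != 0` check below still matters after this change, since `all` and the newly accepted `ip` emit no instruction.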
@@ -4451,7 +4455,7 @@ read_options:
case TOK_PROTO:
NEED1("missing protocol");
- if (add_proto(cmd, *av, &proto)) {
+ if (add_proto(cmd, *av, &proto, 0)) {
ac--; av++;
} else
errx(EX_DATAERR, "invalid protocol ``%s''",
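Review bot: this call passes `ismain = 0` and then only does `ac--; av++`, with no check that an instruction was actually emitted, while the `add()` call site guards on `F_LEN(cmd) != 0`. With the patched `add_proto`, `proto ip` and `proto all` as options take the empty branch and leave `cmd` at zero length, so either confirm that the options loop tolerates a zero-length `cmd` here or reject those spellings as options with an `errx` like the one used for unknown names. The call also overwrites `proto` (assigned unconditionally at the top of `add_proto`), so anything later in `add()` that relies on the main rule's protocol value would see the option's value instead; worth checking.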