ipfw rule to match IPv4-in-IPv6 tunneled packets syntax problem

Nikolay Denev nike_d at cytexbg.com
Fri Jan 17 19:32:06 UTC 2014


On Mon, Jan 6, 2014 at 2:53 AM, John W. O'Brien <john at saltant.com> wrote:
> Hello freebsd-ipfw@,
>
> I just tripped over what seems to be a syntax bug and need some help
> understanding it well enough to submit a PR (or to be dissuaded from
> doing so). A quick look through all PRs matching 'ipfw', open and
> closed, does not reveal a clear duplicate.
>
> Let's say my machine has a physical interface, em0, with IPv4 address
> 192.0.2.1, and a tunneling peer with IPv4 address 198.51.100.2. I also
> have gif0 configured with these tunnel end points and an inner IPv6
> address (which I do not believe is relevant).
>
> I have the following interaction with the machine.
>
> % ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
> 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ip6
> % ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6
> 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
>
> Notice that when I say "ipv6", ipfw responds "ip6", but when I say
> "proto ipv6", ipfw responds "ipv6". Is this an unintended exception, or
> the unintended consequence of grammar implications I just don't fully
> understand?
>
> Next my peer sends me some tunneled traffic---each packet incident upon
> em0 starts with an IPv4 header with the proto field equal to 41,
> followed by an IPv6 header---and I check the rule counters. Rule 1000
> has zero hits, but rule 2000 has all the hits.
>
> What would rule 1000 match?
>
> This is on 9.2-STABLE r260112.
>
> Regards,
> John
>

Just to say me too.

I've banged my head a bit exactly because of this a few days ago.
It was really confusing:

ipfw add allow ip6 from any to any -> shows ip6
ipfw add allow ipv6 from any to any -> shows ip6
ipfw add allow 41 from any to any -> shows ipv6

While it looks like it's tersely documented in ipfw(8):

             ip4 | ipv4  Matches IPv4 packets.

             ip6 | ipv6  Matches IPv6 packets.

             ip | all Matches any packet.

             The ipv6 in proto option will be treated as inner
             protocol.  And, the ipv4 is not available in proto option.

It's still confusing.

--Nikolay
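The behaviour both posters describe follows from the two quoted ipfw(8) sentences: a bare "ip4"/"ipv4" or "ip6"/"ipv6" keyword matches the address family of the packet ipfw is looking at (the outer header), whereas "proto ipv6" (or a leading "41") matches the protocol field of that outer header, which is 41 for IPv6 encapsulated in IPv4. The following Python script is an added illustration, not ipfw source or FreeBSD code: it is a deliberately simplified model of that rule semantics, applied to a constructed IPv6-in-IPv4 packet using the addresses from the thread. The inner IPv6 addresses, the protocol-name table and the helper names are assumptions made for the example.

```python
"""Toy model of how ipfw body keywords map onto packet fields (added example).

Not ipfw source: a simplified matcher modelling the quoted ipfw(8) text,
run against a constructed IPv6-in-IPv4 packet (outer IPv4 header with
protocol 41, followed by a minimal IPv6 header).
"""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulation

# Names accepted after "proto" in this model (subset, assumed for the example)
PROTO_NAMES = {"ipv6": IPPROTO_IPV6, "tcp": 6, "udp": 17, "icmp": 1}


def build_ipv6_in_ipv4(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample packet: IPv4 header (proto 41) + minimal IPv6 header."""
    inner = struct.pack(
        "!IHBB16s16s",
        6 << 28,          # version 6, traffic class 0, flow label 0
        0,                # payload length (no payload in this sample)
        59,               # next header 59 = no next header
        64,               # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    )
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,     # version 4, IHL 5 (20-byte header)
        0,                # DSCP/ECN
        20 + len(inner),  # total length
        0, 0,             # identification, flags/fragment offset
        64,               # TTL
        IPPROTO_IPV6,     # protocol field: the payload is an IPv6 packet
        0,                # header checksum (left zero in this constructed sample)
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def outer_fields(pkt):
    """Return (family, proto, src, dst) of the OUTER header, which is what the rule sees."""
    version = pkt[0] >> 4
    if version == 4:
        return (4, pkt[9], str(ipaddress.IPv4Address(pkt[12:16])),
                str(ipaddress.IPv4Address(pkt[16:20])))
    if version == 6:
        return (6, pkt[6], str(ipaddress.IPv6Address(pkt[8:24])),
                str(ipaddress.IPv6Address(pkt[24:40])))
    raise ValueError("not an IP packet")


def parse_rule(body):
    """Parse a rule body such as 'allow ip4 from A to B proto ipv6'.

    Bare ip4/ipv4 and ip6/ipv6 add an address-family constraint; 'proto X',
    a leading protocol number or a leading protocol name constrain the
    protocol field of the outer header.  'ip'/'all' add nothing.
    """
    tokens = body.split()
    rule = {"action": tokens[0], "family": set(), "proto": None,
            "src": "any", "dst": "any"}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("ip4", "ipv4"):
            rule["family"].add(4)
        elif t in ("ip6", "ipv6"):          # address family, NOT protocol 41
            rule["family"].add(6)
        elif t in ("ip", "all"):
            pass
        elif t == "proto":                  # "proto ipv6" means protocol 41
            i += 1
            arg = tokens[i]
            rule["proto"] = int(arg) if arg.isdigit() else PROTO_NAMES[arg]
        elif t.isdigit():
            rule["proto"] = int(t)
        elif t in PROTO_NAMES:
            rule["proto"] = PROTO_NAMES[t]
        elif t == "from":
            i += 1
            rule["src"] = tokens[i]
        elif t == "to":
            i += 1
            rule["dst"] = tokens[i]
        else:
            raise ValueError(f"unknown token {t!r}")
        i += 1
    return rule


def matches(rule, pkt):
    """Apply every constraint of the parsed rule to the outer header of pkt."""
    family, proto, src, dst = outer_fields(pkt)
    # A rule that requires both ip4 and ip6 can never match a single packet.
    if rule["family"] and rule["family"] != {family}:
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["src"] != "any" and rule["src"] != src:
        return False
    if rule["dst"] != "any" and rule["dst"] != dst:
        return False
    return True


# Constructed tunneled packet with the thread's outer addresses; inner addresses assumed.
SAMPLE = build_ipv6_in_ipv4("198.51.100.2", "192.0.2.1", "2001:db8::2", "2001:db8::1")

RULE_1000 = "allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6"
RULE_2000 = "allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6"


def hit_counts(pkts=(SAMPLE,)):
    """Per-rule hit counters, like 'ipfw show' after the traffic arrives."""
    return {num: sum(matches(parse_rule(body), p) for p in pkts)
            for num, body in ((1000, RULE_1000), (2000, RULE_2000))}


if __name__ == "__main__":
    for num, hits in hit_counts().items():
        print(num, hits)
```

Running it reproduces the counters John reported: rule 1000 asks for a packet that is both IPv4 and IPv6 and so never fires, while rule 2000 fires on every tunneled packet because it checks the outer protocol field. The same model explains Nikolay's three commands: "ip6" and "ipv6" both end up as the family constraint, and "41" ends up as a protocol constraint.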

