ipfw, ipv6 and gif(4)

Eugene M. Zheganin emz at norma.perm.ru
Tue Feb 8 09:20:39 UTC 2011


  Hi.

I'm running FreeBSD 8.1-STABLE (I had major issues with em(4) on 
8.1-RELEASE, so I had to upgrade this host to more recent STABLE).

I'm using ipv6-over-ipv4 tunnel.

gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
         tunnel inet 89.250.210.67 --> 216.66.80.26
         inet6 2001:470:1f08:14c0::2 --> 2001:470:1f08:14c0::1 prefixlen 128
         nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
         options=1<ACCEPT_REV_ETHIP_VER>

In order for it to work I have to allow ipv4 packets between these two hosts:

(and these are two first rules in the filter)
00005      14       1072 allow log ip4 from 89.250.210.67 to 216.66.80.26 out via vlan104
00006      14       1072 allow log ip4 from 216.66.80.26 to 89.250.210.67 in via vlan104

The thing is, normally (at least in ipv4 world) I would have to allow 
ipencap packets between these hosts (and that's what I did first thing), 
but this configuration never worked. I've even added 'allow' strings for 
every type of encapsulation from /etc/protocols, just to see their 
counters never changed from zero. Those two rules above were made after 
'ok, let's allow everything just to see in log what does it want' decision.

I want to ask - why ip4 ?

And the log looks even more weird:

%ping6 2001:470:1f08:14c0::1
PING6(56=40+8+8 bytes) 2001:470:1f08:14c0::2 --> 2001:470:1f08:14c0::1
16 bytes from 2001:470:1f08:14c0::1, icmp_seq=0 hlim=64 time=93.917 ms
16 bytes from 2001:470:1f08:14c0::1, icmp_seq=1 hlim=64 time=93.307 ms

Feb  8 13:56:48 ns kernel: ipfw: 5 Accept P:41 89.250.210.67 216.66.80.26 out via vlan104
Feb  8 13:56:48 ns kernel: ipfw: 6 Accept P:41 216.66.80.26 89.250.210.67 in via vlan104
Feb  8 13:56:49 ns kernel: ipfw: 5 Accept P:41 89.250.210.67 216.66.80.26 out via vlan104
Feb  8 13:56:49 ns kernel: ipfw: 6 Accept P:41 216.66.80.26 89.250.210.67 in via vlan104

As you can see, P:41 is IPv6:

%grep 41 /etc/protocols
ipv6    41      IPV6            # ipv6

And, of course, ipfw doesn't allow me to create the rules it is actually 
logging:

%ipfw add 7 allow 41 from 216.66.80.26 to 89.250.210.67 in via vlan104
ipfw: bad address "216.66.80.26"

Do I misunderstand the concept, or is it how it really should look ?

Thanks.
Eugene.
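
Added example, not part of the original message: a Python sketch that builds a constructed IPv6-in-IPv4 packet from the gif0 addresses above and reports what a filter on vlan104 would see. It relies on the fact that this encapsulation places the IPv6 packet directly behind an outer IPv4 header whose protocol field is 41 (RFC 4213); the function names and the zeroed checksums are choices made for this example.

```python
import ipaddress
import struct

PROTO_NAMES = {4: "ipencap", 41: "ipv6", 58: "ipv6-icmp"}  # subset of /etc/protocols

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload):
    """Constructed IPv6-in-IPv4 packet; checksums are left at zero."""
    # Inner IPv6 header: version 6, payload length, next header 58, hop limit 64.
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 58, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    # Outer IPv4 header: 20 bytes, TTL 64, protocol 41 (IPv6 encapsulation).
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0)
    outer += ipaddress.IPv4Address(outer_src).packed
    outer += ipaddress.IPv4Address(outer_dst).packed
    return outer + inner

def classify(packet):
    """Report the outer header a filter on the physical interface matches on."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    info = {
        "outer_version": packet[0] >> 4,
        "outer_proto": proto,
        "outer_proto_name": PROTO_NAMES.get(proto, str(proto)),
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "total_len": len(packet),
    }
    if proto == 41:  # payload is a complete IPv6 packet
        inner = packet[ihl:]
        info["inner_version"] = inner[0] >> 4
        info["inner_payload_len"] = struct.unpack("!H", inner[4:6])[0]
        info["inner_next_header"] = inner[6]
        info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    return info

def sample_packet():
    """Constructed echo request: 8-byte ICMPv6 header plus 8 data bytes."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 1, 0) + bytes(8)
    return build_6in4("89.250.210.67", "216.66.80.26",
                      "2001:470:1f08:14c0::2", "2001:470:1f08:14c0::1", icmp6)

if __name__ == "__main__":
    for key, value in classify(sample_packet()).items():
        print(f"{key:18} {value}")
```

The inner packet is 56 bytes, the same 40+8+8 that ping6 prints above, and the outer header adds 20 bytes in front of it.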

