ipfw oddity/bug? ipv6 != protocol 41

Thomas Sandford freebsduser at paradisegreen.co.uk
Sun Nov 28 12:36:07 UTC 2010


On 28/11/2010 01:24, Graham Menhennitt wrote:
> Hi all,
>
> I've found something that I think is a bug in ipfw. At the very least,
> it contradicts the man page and a number of web sites. It's also
> different behaviour from a few months ago.
>
> I have an IPv6 tunnel connection to Hurricane Electric that I use every
> now and then. When I want to use it, I manually enable it in ipfw and
> then disable it again afterwards. After a recent csup and new world and
> kernel, it stopped working. The script output below shows the problem.
>
> I start with IPv6 disallowed by ipfw as can be seen in the first failed
> ping6. Normally, I then allow ipv6 and the ping6 should work. But it
> seems that ipv6 isn't what it used to be. I need to explicitly use the
> protocol number (41) to get it to work. According to the ipfw man page,
> ip6 and ipv6 are the same thing, and it implies that they should both be
> the same as "41". Obviously they're not.
>
> So, when you add a rule with "ipv6" or "ip6" in it, "ipfw list" displays
> it as "ip6". When you enter a rule with "41" in it, it displays as
> "ipv6". Very confusing!
>
> I can't see any option to get "ipfw list" to output numeric values
> rather than protocol names, but moving /etc/protocols aside seems to do
> the trick. You can see from the last ipfw output that ip6 is the same as
> ipv6, but they're not the same as 41.
>
> I did a few google searches for "ipfw, freebsd, ipv6" and a number of
> sites say that you just do "allow ipv6 from any to any" to get it
> working. That's what I used to do too, but it doesn't work any more.
>
> I'm running 8-Stable csupped yesterday on i386: FreeBSD
> maxwell.mencon.com.au 8.2-PRERELEASE FreeBSD 8.2-PRERELEASE #28: Sun Nov
> 28 07:44:12 EST 2010
> root at chief-freebsd.mencon.com.au:/usr/obj/usr/src/sys/maxwell  i386.
>
> Does anybody have any ideas, please?
>
> Thanks,
>      Graham
>
> Script output (with a few irrelevant bits trimmed, and some blank lines
> inserted for clarity):
>
> Script started on Sun Nov 28 11:26:27 2010
>
> root at maxwell% ipfw list 50
> ipfw: rule 50 does not exist
>
> root at maxwell% ping6 www.kame.net
> PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
> 2001:200:dff:fff1:216:3eff:feb1:44d7
> ping6: sendmsg: Permission denied
>
> root at maxwell% ipfw add 50 allow ipv6 from any to any
> 00050 allow ip6 from any to any
>
> root at maxwell% ipfw list 50
> 00050 allow ip6 from any to any
>
> root at maxwell% ping6 www.kame.net
> PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
> 2001:200:dff:fff1:216:3eff:feb1:44d7
> ping6: sendmsg: Permission denied
>
> root at maxwell% ipfw add 50 allow ip6 from any to any
> 00050 allow ip6 from any to any
>
> root at maxwell% ipfw list 50
> 00050 allow ip6 from any to any
> 00050 allow ip6 from any to any
>
> root at maxwell% ping6 www.kame.net
> PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
> 2001:200:dff:fff1:216:3eff:feb1:44d7
> ping6: sendmsg: Permission denied
>
> root at maxwell% ipfw add 50 allow 41 from any to any
> 00050 allow ipv6 from any to any
>
> root at maxwell% ping6 www.kame.net
> PING6(56=40+8+8 bytes) 2001:470:1f04:35d::2 -->
> 2001:200:dff:fff1:216:3eff:feb1:44d7
> 16 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7, icmp_seq=0 hlim=56
> time=291.889 ms
>
> root at maxwell% ipfw list 50
> 00050 allow ip6 from any to any
> 00050 allow ip6 from any to any
> 00050 allow ipv6 from any to any
>
> root at maxwell% mv /etc/protocols /etc/protocols_save
>
> root at maxwell% ipfw list 50
> 00050 allow ip6 from any to any
> 00050 allow ip6 from any to any
> 00050 allow 41 from any to any
> root at maxwell% exit
>
> Script done on Sun Nov 28 11:28:22 2010

Protocol 41 is IPv6 in IP tunnelling, which is what HE uses to get the 
IPv6 to you.

So
00050 allow 41 from any to any
allows the IP(v4) packets encapsulating the IPv6 traffic to reach you,

00050 allow ip6 from any to any
00050 allow ip6 from any to any
allow the actual IPv6 traffic to/from your local network.

-- 
Thomas Sandford
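As an added illustration of the distinction Thomas draws (this is not part of the original thread or of ipfw's code): a constructed 6in4 packet as the tunnel broker delivers it, and the inner IPv6 packet left after the tunnel interface decapsulates it, each run through a simplified model of how ipfw's proto keyword matches. Addresses are documentation-range placeholders, and the matching model is an assumption (it ignores IPv6 extension headers).

```python
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 / RFC 3849 documentation ranges).
V4_LOCAL, V4_BROKER = "192.0.2.10", "198.51.100.1"
V6_LOCAL, V6_REMOTE = "2001:db8::2", "2001:db8:ffff::1"

def build_ipv6(src, dst, next_header, payload):
    """Constructed IPv6 header (version 6, hop limit 64) followed by payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def build_6in4(src, dst, inner):
    """Constructed IPv4 header with protocol 41 (6in4, RFC 4213) wrapped around an IPv6 packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, 41, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + inner

def classify(pkt):
    """Return (family, protocol): IP version plus the IPv4 protocol or IPv6 next-header field."""
    version = pkt[0] >> 4
    if version == 4:
        return 4, pkt[9]
    if version == 6:
        return 6, pkt[6]
    raise ValueError("not an IP packet")

def rule_matches(proto_token, pkt):
    """Assumed, simplified model of ipfw's proto keyword: ip6/ipv6 and ip4/ipv4 are
    address-family tests, ip/all match anything, a number tests the protocol field."""
    family, proto = classify(pkt)
    if proto_token in ("ip6", "ipv6"):
        return family == 6
    if proto_token in ("ip4", "ipv4"):
        return family == 4
    if proto_token in ("ip", "all"):
        return True
    return proto == int(proto_token)

def decapsulate(pkt):
    """What the tunnel interface does: strip the outer IPv4 header of a protocol-41 packet."""
    family, proto = classify(pkt)
    if family != 4 or proto != 41:
        raise ValueError("not a 6in4 packet")
    return pkt[(pkt[0] & 0x0F) * 4:]

# Inner packet: an ICMPv6 echo request (type 128), so the IPv6 next header is 58.
INNER = build_ipv6(V6_LOCAL, V6_REMOTE, 58, bytes([128, 0, 0, 0, 0, 0, 0, 0]))
OUTER = build_6in4(V4_LOCAL, V4_BROKER, INNER)

if __name__ == "__main__":
    for name, pkt in (("outer 6in4 packet", OUTER), ("decapsulated IPv6", decapsulate(OUTER))):
        print(name, {tok: rule_matches(tok, pkt) for tok in ("ip6", "41")})
```

The outer packet matches only `41` and the decapsulated packet matches only `ip6`, which is why the script in the original post needed the numeric rule before ping6 succeeded.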

