ipv6 ipfilter with icmp6 and keep state

To: current-users%NetBSD.org@localhost
Subject: ipv6 ipfilter with icmp6 and keep state
From: 6bone%6bone.informatik.uni-leipzig.de@localhost
Date: Wed, 18 Jun 2014 17:28:38 +0200 (CEST)

hello,

I am trying to use ipfilter for ipv6 with icmpv6 and keep state.

If there are no firewall rules entered the router is working properly. Ifyou add a 'pass in on' rule without 'keep state' should work icmpv6 also.If you try a keep-state rule ipv6 icmp packets discarded.



example:

ifconfig vlan927
vlan927: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        vlan: 927 parent: ixg0
        address: a0:36:9f:27:43:30
        inet6 fe80::a236:9fff:fe27:4330%vlan927 prefixlen 64 scopeid 0xc
        inet6 2001:638:902:201b::1 prefixlen 64


ping from 2001:638:902:2000::xxx to 2001:638:902:201b::xxxx works.

now add 'pass in on vlan927 from 2001:638:902:201b::/64 to 2000::/3'

ping from 2001:638:902:2000::xxx to 2001:638:902:201b::xxx works also.

now replace the rule with 'pass in on vlan927 from 2001:638:902:201b::/64to 2000::/3 keep state'


ipfstat -i -o -6
# empty list for ipfilter(out)
pass in on vlan927 inet6 from 2001:638:902:201b::/64 to 2000::/3 keep state

ping from from 2001:638:902:2000::xxx to 2001:638:902:201b::xxx isdropped.



Can someone explain the behavior or is it in an error of ipfilter?


Thank your for your efforts

Regards
Uwe

Prev by Date: cpuctl panic(!)
Next by Date: daily CVS update output
Previous by Thread: cpuctl panic(!)
Next by Thread: daily CVS update output
Indexes:

Home | Main Index | Thread Index | Old Index