Current-Users archive


Re: netbsd-7 ipfilter failure?



Hello,

I would like to ask once again about the ipfilter problem. Is this a bug, or incorrect operation on my part? Does it make sense to report it as a bug?

With best regards
Uwe


On Wed, 29 Oct 2014, 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:

Date: Wed, 29 Oct 2014 14:58:41 +0100 (CET)
From: 6bone%6bone.informatik.uni-leipzig.de@localhost
To: Robert Swindells <rjs%fdy2.co.uk@localhost>
Cc: gdt%ir.bbn.com@localhost, apb%cequrux.com@localhost, current-users%netbsd.org@localhost
Subject: Re: netbsd-7 ipfilter failure?

On Wed, 29 Oct 2014, Robert Swindells wrote:

Date: Wed, 29 Oct 2014 12:54:51 +0000 (GMT)
From: Robert Swindells <rjs%fdy2.co.uk@localhost>
To: gdt%ir.bbn.com@localhost
Cc: apb%cequrux.com@localhost, current-users%netbsd.org@localhost
Subject: Re: netbsd-7 ipfilter failure?


Greg Troxel wrote:
Alan Barrett <apb%cequrux.com@localhost> writes:

I can't find any documentation for the /etc/ipf6.conf file, so I don't
know what the intended semantics of /etc/ipf6.conf are. ("man
ipf6.conf" simply displays the ipf.conf man page, which does not
explain the ipf6.conf file.)  The implementation in /etc/rc.d/ipfilter
loads the ipf6.conf file with ipf(8) commands that use the "-6"
command line option, which is documented as "This option is required
to parse IPv6 rules and to have them loaded."

The "-6" option is not documented to imply that any rules in the file
are IPv6-only, so I think it's wrong to assume that rules in
/etc/ip6.conf are IPv6 firewall rules; they are simply firewall rules
that might or might not apply to IPv6, and you should further qualify
the rules with "family" clauses that match the desired address family,
or "from" or "to" clauses that imply an address family.

My impression has always been that ipf6.conf is loaded with -6 and
contains only IPv6 rules, and that ipf.conf is loaded without -6 and
contains only IPv4 rules.  I have not found this confusing or
troublesome.  On some systems I have fairly different v4 and v6 rules,
and they have worked as expected (from a 2-table separate-world POV).

Is there actually only one ruleset?   Are rules loaded with -6 actually
evaluated for IPv4 packets?

There is only one ruleset and should be only one rule file, see this
email from Darren Reed:

Maybe ipfilter does not correctly evaluate the address family of <any> <any> rules?

<http://mail-index.netbsd.org/tech-net/2012/10/28/msg003697.html>

Robert Swindells


Uwe
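The following ipf6.conf fragment is an added illustration of the point made above, not a configuration from the thread: rules that name no address family and no address are not IPv6-only just because the file is loaded with "-6", so each rule that should apply only to IPv6 carries a "family" clause or an IPv6 address. The interface name bge0, the prefixes, and the "inet6" keyword value are assumptions of this example (the page mentions only the "family" clause itself).

```conf
# /etc/ipf6.conf, loaded by /etc/rc.d/ipfilter as: ipf -6 -f /etc/ipf6.conf
# Constructed example; interface name and prefixes are placeholders.

# Unqualified: "-6" only makes IPv6 rules parse. This rule names no
# address family and no address, so nothing in it restricts it to IPv6;
# it is a generic rule in the single shared ruleset.
block in quick on bge0 all

# Qualified by address family (assumed keyword value "inet6"):
# these apply to IPv6 packets only.
block in quick on bge0 family inet6 all
pass out quick on bge0 family inet6 proto tcp from any to any flags S keep state

# Qualified by address: an IPv6 prefix in the "from" clause implies the family.
pass in quick on bge0 proto tcp from 2001:db8::/32 to any port = 22 flags S keep state

# Keep the IPv4 counterparts in /etc/ipf.conf, or qualify them with
# "family inet", so the two files do not silently overlap in the one ruleset.
```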


