Re: netbsd-7 ipfilter failure?

[6bone%6bone.informatik.uni-leipzig.de@localhost]

Hello,

I would like to once again ask for the ip filter problem. Is this a bug or 
an incorrect operation of me? Does it make sense to report it as a bug?

With best regards
Uwe


On Wed, 29 Oct 2014, 6bone%6bone.informatik.uni-leipzig.de@localhost wrote:

> Date: Wed, 29 Oct 2014 14:58:41 +0100 (CET)
> From: 6bone%6bone.informatik.uni-leipzig.de@localhost
> To: Robert Swindells <rjs%fdy2.co.uk@localhost>
> Cc: gdt%ir.bbn.com@localhost, apb%cequrux.com@localhost, current-users%netbsd.org@localhost
> Subject: Re: netbsd-7 ipfilter failure?
>
> On Wed, 29 Oct 2014, Robert Swindells wrote:
>
> > Date: Wed, 29 Oct 2014 12:54:51 +0000 (GMT)
> > From: Robert Swindells <rjs%fdy2.co.uk@localhost>
> > To: gdt%ir.bbn.com@localhost
> > Cc: apb%cequrux.com@localhost, current-users%netbsd.org@localhost
> > Subject: Re: netbsd-7 ipfilter failure?
> >
> >
> > Greg Troxel wrote:
> > > Alan Barrett <apb%cequrux.com@localhost> writes:
> > >
> > > > I can't find any documentation for the /etc/ipf6.conf file, so I don't
> > > > know what the intended semantics of /etc/ipf6.conf are. ("man
> > > > ipf6.conf" simply displays the ipf.conf man page, which does not
> > > > explain the ipf6.conf file.)  The implementation in /etc/rc.d/ipfilter
> > > > loads the ipf6.conf file with ipf(8) commands that use the "-6"
> > > > command line option, which is documented as "This option is required
> > > > to parse IPv6 rules and to have them loaded."
> > > >
> > > > The "-6" option is not documented to imply that any rules in the file
> > > > are IPv6-only, so I think it's wrong to assume that rules in
> > > > /etc/ip6.conf are IPv6 firewall rules; they are simply firewall rules
> > > > that might or might not apply to IPv6, and you should further qualify
> > > > the rules with "family" clauses that match the desired address family,
> > > > or "from" or "to" clauses that imply an address family.
> > >
> > > My impression has always been that ipf6.conf is loaded with -6 and
> > > contains only IPv6 rules, and that ipf.conf is loaded without -6 and
> > > contains only IPv4 rules.  I have not found this confusing or
> > > troublesome.  On some systems I have fairly different v4 and v6 rules,
> > > and they have worked as expected (from a 2-table separate-world POV).
> > >
> > > Is there actually only one ruleset?   Are rules loaded with -6 actually
> > > evaluated for IPv4 packets?
> >
> > There is only one ruleset and should be only one rule file, see this
> > email from Darren Reed:
>
> Maybe ipfilter not right evaluates the address family of <any> <any> rules?
>
> > <http://mail-index.netbsd.org/tech-net/2012/10/28/msg003697.html>
> >
> > Robert Swindells
>
> Uwe