Subject: kern/28662: 'rdr ti0 0.0.0.0/0 port 80 ->..' matches ipv6 addresses in ipfilter 4.1.3
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Markus W Kilbinger <kilbi@rad.rwth-aachen.de>
List: netbsd-bugs
Date: 12/15/2004 01:38:00
>Number: 28662
>Category: kern
>Synopsis: 'rdr ti0 0.0.0.0/0 port 80 ->..' matches ipv6 addresses in ipfilter 4.1.3
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Dec 15 01:38:00 +0000 2004
>Originator: kilbi@rad.rwth-aachen.de
>Release: NetBSD 2.99.11
>Organization:
>Environment:
System: NetBSD mogli 2.99.11 NetBSD 2.99.11 (MOGLI) #0: Tue Dec 14 15:39:46 MET 2004 root@lwle5:/usr/src/sys/arch/i386/compile/MOGLI i386
Architecture: i386
Machine: i386
>Description:
While setting up squid's transparent proxying with ipfilter on
an IPv6-capable firewall, I noticed that ipnat rules like
    rdr ti0 0.0.0.0/0 port 80 -> localhost port 3128 tcp
seem to match IPv6 addresses, too!?
While IPv4 HTTP requests from the inside (ti0) are correctly
redirected to squid's port (3128) on localhost, all IPv6 HTTP
requests do not pass the firewall at all. IPv6 requests to other
ports work fine.
Just disabling the above-mentioned ipnat rule makes IPv6 HTTP
requests work again.
So, my conclusion is that the '0.0.0.0/0' IPv4 wildcard
falsely matches IPv6 addresses, too.
>How-To-Repeat:
See description
>Fix:
n/a
>Unformatted:
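
Added example, not part of the original report and not ipfilter's code: a small model of how an IPv4 wildcard could end up matching IPv6 destinations. It assumes the match compares masked address bits without checking the address family; the report does not identify the cause, so that is an assumption. The struct and function names are hypothetical and the addresses are constructed samples.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical types for illustration; these are not ipfilter's structures. */
struct addr { int family; uint8_t b[16]; };
struct rdr_rule { struct addr net; uint8_t mask[16]; uint16_t port; };

/* Parse a textual IPv4 or IPv6 address; returns 0 on success, -1 on error. */
static int parse_addr(const char *s, struct addr *a) {
    memset(a, 0, sizeof(*a));
    if (inet_pton(AF_INET, s, a->b) == 1) { a->family = AF_INET; return 0; }
    if (inet_pton(AF_INET6, s, a->b) == 1) { a->family = AF_INET6; return 0; }
    return -1;
}

/* Assumed faulty match: compares masked bits only, ignoring address family.
 * With an all-zero mask (a /0 rule) every byte comparison is 0 == 0. */
static int match_bits_only(const struct rdr_rule *r, const struct addr *dst, uint16_t port) {
    int i;
    if (port != r->port) return 0;
    for (i = 0; i < 16; i++)
        if ((dst->b[i] & r->mask[i]) != (r->net.b[i] & r->mask[i])) return 0;
    return 1;
}

/* Family-aware match: an IPv4 rule can only match an IPv4 destination. */
static int match_family_aware(const struct rdr_rule *r, const struct addr *dst, uint16_t port) {
    return dst->family == r->net.family && match_bits_only(r, dst, port);
}

/* Evaluate dst:port against a model of "rdr ti0 0.0.0.0/0 port 80".
 * Returns 1 on match, 0 on no match, -1 if dst is not a valid address. */
static int check(const char *dst, uint16_t port, int family_aware) {
    struct addr a;
    struct rdr_rule r;
    memset(&r, 0, sizeof(r));            /* net 0.0.0.0, mask /0 */
    r.net.family = AF_INET;
    r.port = 80;
    if (parse_addr(dst, &a) != 0) return -1;
    return family_aware ? match_family_aware(&r, &a, port) : match_bits_only(&r, &a, port);
}

int main(void) {
    printf("2001:db8::10 port 80: bits-only=%d family-aware=%d\n",
           check("2001:db8::10", 80, 0), check("2001:db8::10", 80, 1));
    return 0;
}
```

In this model the IPv6 destination on port 80 is caught by the bits-only match and left alone by the family-aware one, while IPv6 traffic to other ports is untouched in both cases, which is the pattern the report describes.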