Subject: Re: ipf and ipv6 with netbsd 1.5.3_ALPHA
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: None <xs@nitric.net>
List: tech-net
Date: 02/17/2002 19:46:44
on Sun, Feb 17, 2002 at 03:00:16PM +0200, Martti Kuparinen wrote:
> I found the problem, please apply the following patch:

Thank you!
This appears to only fix it for input traffic, though; it doesn't appear
to filter output traffic. I haven't yet been able to test forwarded traffic.

e.g.:
# ipfstat -io6
block out from any to any
block in from any to any
# ping6 -I gif0 www.netbsd.org
^C
--- www.netbsd.org ping6 statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

But from tcpdump (wrapped):

xx.yy.xx.yy > 206.123.31.114: 3ffe:b80::xxyy:xxyy >
    3ffe:8050:201:1860:290:27ff:feab:19a7: icmp6: echo request (encap)
206.123.31.114 > 217.37.xx.yy: 3ffe:8050:201:1860:290:27ff:feab:19a7 >
    3ffe:b80::xxyy:xxyy: icmp6: echo reply (encap)

and from ipmon (wrapped):

3x gif0 @0:1 b 3ffe:8050:201:1860:290:27ff:feab:19a7 -> 3ffe:b80::xxyy:xxyy PR
        icmpv6 len 40 16 icmpv6 icmpv6type(162)/1 IN

> --- ip6_input.c.orig	Sun Feb 17 11:17:51 2002
> +++ ip6_input.c	Sun Feb 17 13:48:34 2002
> @@ -313,7 +313,7 @@
>  		pfh = NULL;
>  	else
>  		pfh = pfil_hook_get(PFIL_IN,
> -		    &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
> +		    &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
>  #else
>  	pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
>  #endif
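
Review bot: the unchanged #else branch at the end of this hunk still passes &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh to pfil_hook_get(), so a kernel compiled down that branch keeps looking up the IPv6 input hook through the IPv4 switch table and index array, which is the same mismatch the + line corrects in the other branch. Make the same substitution there (&inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh) so both sides of the #ifdef agree. The hunk also changes only a PFIL_IN lookup, so any PFIL_OUT lookup on the IPv6 output path should be checked for the same inetsw/ip_protox indexing before the filter is relied on for outbound rules.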

Should the non-IPsec case be changed to inet6sw too?
(I have options IPSEC.)