tech-net archive

Re: ipf.conf vs. ipf6.conf



I also managed to partly answer this one. But there seems to be a bug in how 
ipfstat -6 -[io] displays the rules.

EF> Is my impression correct that rules in ipf.conf (i.e. loaded with ipf 
EF> without -6) only apply to IPv4 while rules in ipf6.conf (i.e. loaded 
EF> via ipf -6) apply only to IPv6. Right?
This indeed seems to be true.

EF> Now, what if rules are added to a non-default group? Are these groups also 
EF> IP version specific or will a packet having matched a "head 100" rule in 
EF> ipf.conf be matched against a "group 100" rule in ipf6.conf?
All rules seem to be specific to the IP version they were loaded for.
However, ipfstat -6 -[io] seems to erroneously display non-group-zero rules 
from the v4 ruleset. If we did our testing correctly, these rules are only 
displayed, not actually applied to IPv6 traffic.
Note that ipfstat -6 -[io] does NOT display group-zero v4 rules.

