tech-net archive


IPFilter 5 and IPv4-mapped IPv6 addresses



I've learned the hard way that IPFilter 5 (as in NetBSD 8) seems to apply IPv6 
filter rules to IPv4 packets, most presumably in their RFC 3493 mapped form.

I got all of my incoming IPv4 traffic blocked after upgrading from NetBSD 6. 
ipmon showed that everything was blocked by group 0, rule 219, whilst there 
were only 218 rules in (IPv4) group 0.

However, the first rule in ipf6.conf was
	block return-rst in log family inet6 all
and after I changed that to
	block return-rst in log family inet6 from any to ! 0:0:0:0:ffff::/96
everything worked again.

Strangely, I do have anti-spoofing rules in ipf6.conf that don't seem to 
trigger for IPv4 packets. It looks like a mapped address neither matches 
a rule with an IPv6 address nor a rule with a "! <IPv6 address>" clause.

Is this known/on purpose/documented?

Is someone able to craft a rule that, put before the IPv6 rules, will make 
IPFilter skip the rest of the rules for a packet matching 0:0:0:0:ffff::/96 
without putting all the IPv6 rules into a group?
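The behaviour described in this post comes down to which address family a filter assigns to an IPv4 packet that is presented in its IPv4-mapped IPv6 form (::ffff:a.b.c.d, the 0:0:0:0:ffff::/96 prefix from RFC 4291). The following toy model is an added illustration, not IPFilter's code or the poster's configuration: it keys rules on a `family` field and applies ipf-style last-match-wins semantics, and compares matching on the mapped address as presented against unmapping it to IPv4 first. The rule set, the `192.0.2.10` / `198.51.100.7` addresses and the `Rule` type are all constructed for the example; nothing here reproduces how IPFilter 5 actually handles mapped addresses internally.

```python
"""Toy model: family-keyed filter rules versus IPv4-mapped IPv6 addresses.

Added illustration for the IPFilter 5 / NetBSD 8 discussion above; this is
not IPFilter code and the rule set below is constructed, not the poster's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# RFC 4291 section 2.5.5.2 IPv4-mapped prefix; written 0:0:0:0:ffff::/96 in the post.
MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


@dataclass
class Rule:                 # hypothetical rule type, loosely modelled on ipf keywords
    action: str             # "pass" or "block"
    family: str             # "inet" or "inet6", like ipf's family keyword
    src: Net
    dst: Net
    dst_not: bool = False   # models "to ! <net>" negation
    quick: bool = False     # models "quick": stop at first match


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


def unmap(ip: Addr) -> Addr:
    """Turn ::ffff:a.b.c.d into a.b.c.d; leave native v4/v6 addresses alone."""
    if ip.version == 6 and ip in MAPPED_PREFIX:
        return ip.ipv4_mapped
    return ip


def canonical(addr: str) -> str:
    """String form of an address after unmapping (convenience for callers)."""
    return str(unmap(ipaddress.ip_address(addr)))


def family_of(ip: Addr) -> str:
    return "inet" if ip.version == 4 else "inet6"


def evaluate(rules: List[Rule], src: str, dst: str,
             unmap_first: bool) -> Tuple[str, Optional[int]]:
    """ipf-style evaluation: the last matching rule wins unless a matching
    rule is quick. Returns (action, rule_index); index None means no rule
    matched and the default "pass" applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if unmap_first:
        s, d = unmap(s), unmap(d)
    fam = family_of(s)          # the family the packet is classified as
    result: Tuple[str, Optional[int]] = ("pass", None)
    for i, r in enumerate(rules):
        if r.family != fam or s not in r.src:
            continue
        dst_hit = d in r.dst
        if r.dst_not:
            dst_hit = not dst_hit
        if not dst_hit:
            continue
        result = (r.action, i)
        if r.quick:
            break
    return result


# Constructed rule set shaped like the post: IPv4 rules first, the IPv6 set
# appended behind them (ipmon reported rule 219 behind 218 IPv4 rules).
RULES_BROKEN = [
    Rule("pass", "inet", net("0.0.0.0/0"), net("192.0.2.10/32")),    # hypothetical IPv4 rule
    Rule("block", "inet6", net("::/0"), net("::/0")),                 # "block ... family inet6 all"
]
RULES_WORKAROUND = [
    RULES_BROKEN[0],
    Rule("block", "inet6", net("::/0"), MAPPED_PREFIX, dst_not=True),  # "... to ! 0:0:0:0:ffff::/96"
]

# Constructed packet: IPv4 198.51.100.7 -> 192.0.2.10 seen in its mapped form.
SRC, DST = "::ffff:198.51.100.7", "::ffff:192.0.2.10"


def demo() -> dict:
    return {
        # mapped address matched as presented: classified inet6, hits the catch-all block
        "naive_broken": evaluate(RULES_BROKEN, SRC, DST, unmap_first=False),
        # poster's workaround: negated mapped-prefix destination no longer matches
        "naive_workaround": evaluate(RULES_WORKAROUND, SRC, DST, unmap_first=False),
        # unmapping first routes the packet to the IPv4 rules instead
        "unmapped_broken": evaluate(RULES_BROKEN, SRC, DST, unmap_first=True),
        # native IPv6 traffic is still caught by the workaround rule
        "native_v6": evaluate(RULES_WORKAROUND, "2001:db8::1", "2001:db8::2", unmap_first=False),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model shows why a catch-all `family inet6` rule can swallow IPv4 traffic when the filter classifies by the mapped form, why the `to ! 0:0:0:0:ffff::/96` rewrite stops that without harming native IPv6 matching, and that the robust fix is to unmap before family selection rather than to patch individual rules. Whether IPFilter 5 can be made to do the latter is exactly the question the post leaves open.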

