tech-net archive


Re: IPFilter 5 and IPv4-mapped IPv6 addresses



> It's news to me.
OK. Anybody but me using IPFilter on a dual stack installation?
Does the NetBSD networking stack do something close to converting IPv4 to 
mapped addresses and then unifying v4/v6 code paths?

EF> Is someone able to craft a rule that, put before the IPv6 rules, will 
EF> make IPFilter skip the rest of the rules for a packet matching 
EF> 0:0:0:0:ffff::/96  without putting all the IPV6 rules into a group?
DH> pass in quick, should do it.
That will overwrite any previous non-quick block rule, no?

> I heard that the v4/v6 rules were unified, but I still see a -6 flag to
> ipfstat.
And an underdocumented -6 flag to ipf.
Whilst in general the new IPFilter documentation is a huge, huge improvement 
over the previous version (thanks to whoever re-wrote that!), that point is not 
clear (to me).
What my current impression of IPFilter's behaviour is:
-- there are separate rule sets for v4/v6 (or maybe one with the first N 
   being v4 rules and the rest v6 rules)
-- if a rule looks like v4 (v4 address in it, "icmp" in it etc.) or is 
   flagged as "family inet4", it goes to the v4 list. If it looks like v6 
   (v6 address, ipv6-icmp etc.)  or is flagged "family inet6", it goes to 
   the v6 list. Otherwise, it goes to /both lists/.
-- if a file is loaded with ipf -6, all rules are implicitly flagged "family 
   inet6".
-- ipfstat shows the v4 list, ipfstat -6 shows the -6 list.

> You need to figure out how to move to npf anyway.  9 is likely the last
> with ipfilter.
As I'm currently preparing migration from 6 to 8, that doesn't sound too urgent.
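Added example, not part of this thread and not IPFilter code: a small Python check of the mapped-address question above. It shows why a rule written with a v4 address does not match the ::ffff:0:0/96 form of the same host unless the filter normalizes mapped addresses first, and how to derive the IPv6 prefix that covers a v4 network in mapped form. Sample addresses and networks are constructed.

```python
import ipaddress
from typing import Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# IPv4-mapped IPv6 prefix (RFC 4291, section 2.5.5.2)
MAPPED_PREFIX = ipaddress.IPv6Network("::ffff:0:0/96")


def normalize(addr: str) -> IPAddr:
    """Return the embedded IPv4 address for an IPv4-mapped IPv6 address,
    otherwise return the address unchanged."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def rule_matches(rule_net: str, packet_addr: str, normalize_mapped: bool) -> bool:
    """Model a single address-based rule: the packet address must be in the
    rule's network, and the families must agree. With normalize_mapped=False
    a v4 rule never sees a mapped v6 address as v4."""
    net = ipaddress.ip_network(rule_net, strict=False)
    ip = normalize(packet_addr) if normalize_mapped else ipaddress.ip_address(packet_addr)
    return ip.version == net.version and ip in net


def mapped_equivalent(v4_net: str) -> ipaddress.IPv6Network:
    """Return the ::ffff:0:0/96-based network that covers v4_net in mapped form,
    i.e. the prefix a separate v6 rule would have to name to cover those hosts."""
    net = ipaddress.IPv4Network(v4_net, strict=False)
    base = int(MAPPED_PREFIX.network_address) | int(net.network_address)
    return ipaddress.IPv6Network((base, 96 + net.prefixlen))


if __name__ == "__main__":
    # Constructed sample: one v4 block rule and three candidate source addresses.
    rule = "198.51.100.0/24"
    for pkt in ["198.51.100.7", "::ffff:198.51.100.7", "2001:db8::7"]:
        print(pkt, "raw:", rule_matches(rule, pkt, False),
              "normalized:", rule_matches(rule, pkt, True))
    print("v6 rule covering the mapped form:", mapped_equivalent(rule))
```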

