Re: netbsd-7 ipfilter failure?

[6bone%6bone.informatik.uni-leipzig.de@localhost]

I have already tested a configuration that only uses /etc/ipf.conf.

   block in on ixg0 family inet
   pass in on ixg0 family inet6

The first line blocks all ipv4 traffic. It works.
The second line should allow only ipv6 traffic. But the second line also 
re-allows ipv4 traffic. So I assume that the address family is not 
evaluated correctly.


Regards
Uwe

On Wed, 12 Nov 2014, Greg Troxel wrote:

> Date: Wed, 12 Nov 2014 07:18:40 -0500
> From: Greg Troxel <gdt%ir.bbn.com@localhost>
> To: 6bone%6bone.informatik.uni-leipzig.de@localhost
> Cc: Robert Swindells <rjs%fdy2.co.uk@localhost>, apb%cequrux.com@localhost,
>     current-users%netbsd.org@localhost
> Subject: Re: netbsd-7 ipfilter failure?
>
>
> 6bone%6bone.informatik.uni-leipzig.de@localhost writes:
>
> > I would like to once again ask for the ip filter problem. Is this a
> > bug or an incorrect operation of me? Does it make sense to report it
> > as a bug?
>
> I think we more or less concluded that:
>
>  in netbsd-7, ipfilter has one ruleset /etc/ipf.conf
>
>  this one ruleset has rules for both 4 and 6
>
>  docs that talk about -6 and ipf6.conf are perhaps buggy and at best
>  for compatibility
>
> I would suggest reading the message from Darren and putting all rules in
> ipf.conf (with AF qualifiers) and not having ipf6.conf.  If that doesn't
> work, I would suggest posting a specific problem.