Subject: Re: ipf and ipv6 with netbsd 1.5.3_ALPHA
To: Martti Kuparinen <martti.kuparinen@iki.fi>
From: None <xs@nitric.net>
List: tech-net
Date: 02/17/2002 19:46:44
on Sun, Feb 17, 2002 at 03:00:16PM +0200, Martti Kuparinen wrote:
> I found the problem, please apply the following patch:
Thank you!
This appears to only fix it for input traffic though; it doesn't appear
to filter output traffic. I haven't yet been able to test forwarded traffic.
e.g.:
# ipfstat -io6
block out from any to any
block in from any to any
# ping6 -I gif0 www.netbsd.org
^C
--- www.netbsd.org ping6 statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
But from tcpdump (wrapped):
xx.yy.xx.yy > 206.123.31.114: 3ffe:b80::xxyy:xxyy >
3ffe:8050:201:1860:290:27ff:feab:19a7: icmp6: echo request (encap)
206.123.31.114 > 217.37.xx.yy: 3ffe:8050:201:1860:290:27ff:feab:19a7 >
3ffe:b80::xxyy:xxyy: icmp6: echo reply (encap)
and from ipmon (wrapped):
3x gif0 @0:1 b 3ffe:8050:201:1860:290:27ff:feab:19a7 -> 3ffe:b80::xxyy:xxyy PR
icmpv6 len 40 16 icmpv6 icmpv6type(162)/1 IN
> --- ip6_input.c.orig Sun Feb 17 11:17:51 2002
> +++ ip6_input.c Sun Feb 17 13:48:34 2002
> @@ -313,7 +313,7 @@
> pfh = NULL;
> else
> pfh = pfil_hook_get(PFIL_IN,
> - &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
> + &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
> #else
> pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
> #endif
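Review bot: The #else branch in the trailing context still passes &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh, so a kernel built without the option that selects the first branch keeps looking up the IPv6 input hook through the IPv4 protocol switch and is left unfixed. Suggest making the same substitution there, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh, so both build configurations resolve the hook identically. The hunk also touches only the PFIL_IN lookup in ip6_input.c; any matching output-side pfil_hook_get() call should be checked for the same inetsw/ip_protox indexing, since a hook lookup that finds nothing leaves the traffic unfiltered without reporting an error.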
Should the non-IPsec case be changed to inet6sw too?
(I have options IPSEC.)