tech-net archive


Re: IPFilter 5 and IPv4-mapped IPv6 addresses



Edgar Fuß <ef%math.uni-bonn.de@localhost> writes:

> I've learned the hard way that IPFilter 5 (as in NetBSD 8) seems to apply IPv6 
> filter rules to IPv4 packets, most presumably in their RFC 3493 mapped form.
>
> I got all of my incoming IPv4 traffic blocked after upgrading from NetBSD 6. 
> ipmon displayed everything was blocked by group 0, rule 219, whilst there 
> were only 218 rules in (IPv4) group 0.
>
> However, the first rule in ipf6.conf was
> 	block return-rst in log family inet6 all
> and after I changed that to
> 	block return-rst in log family inet6 from any to ! 0:0:0:0:ffff::/96
> everything worked again.
>
> Strangely, I do have anti-spoofing rules in ipf6.conf that don't seem to 
> trigger for IPv4 packets. It looks like a mapped address neither matches 
> a rule with an IPv6 address nor a rule with a "! <IPv6 address>" clause.
>
> Is this known/on purpose/documented?

It's news to me.

> Is someone able to craft a rule that, put before the IPv6 rules, will make 
> IPFilter skip the rest of the rules for a packet matching 0:0:0:0:ffff::/96 
> without putting all the IPv6 rules into a group?

pass in quick, should do it.

I heard that the v4/v6 rules were unified, but I still see a -6 flag to
ipfstat.

You need to figure out how to move to npf anyway.  9 is likely the last
with ipfilter.
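As an added illustration (not part of the thread and not IPFilter's own code), the Python below models ipf's rule ordering, where the last matching rule wins unless a matching rule is `quick`, and runs the three rulesets discussed above against a constructed native IPv6 packet and a constructed IPv4 packet in its RFC 4291 mapped form. It assumes plain prefix membership for both positive and `!` address clauses, which is the intended reading of the rules rather than the mismatch the reporter observed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv6Network
# RFC 4291 IPv4-mapped prefix, written 0:0:0:0:ffff::/96 in the thread
MAPPED = Net("::ffff:0:0/96")

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    quick: bool = False         # stop evaluating once this rule matches
    src: Optional[Net] = None   # None means "any"
    dst: Optional[Net] = None
    negate_dst: bool = False    # models a "to ! <prefix>" clause

    def matches(self, src, dst) -> bool:
        if self.src is not None and src not in self.src:
            return False
        if self.dst is not None and (dst in self.dst) == self.negate_dst:
            return False
        return True

def evaluate(rules: List[Rule], src, dst) -> Tuple[str, int]:
    """Model of ipf ordering: the last matching rule wins, unless a matching
    rule is 'quick', which ends evaluation at once. Returns (action, 1-based
    rule number), or ("pass", 0) when nothing matched (ipf's default pass)."""
    result = ("pass", 0)
    for n, rule in enumerate(rules, 1):
        if rule.matches(src, dst):
            result = (rule.action, n)
            if rule.quick:
                break
    return result

# Constructed addresses: a native IPv6 peer and host, and an IPv4 peer and
# host as the filter would see them in mapped form (hypothetical values).
V6_PEER, V6_HOST = ipaddress.IPv6Address("2001:db8:1::10"), ipaddress.IPv6Address("2001:db8::1")
V4_PEER, V4_HOST = ipaddress.IPv6Address("::ffff:192.0.2.10"), ipaddress.IPv6Address("::ffff:198.51.100.1")
LOCAL_V6 = Net("2001:db8::/64")

# Original ipf6.conf shape: "block ... family inet6 all" first, then passes
# that only name native IPv6 prefixes, so mapped IPv4 ends at the block.
ORIGINAL = [Rule("block"), Rule("pass", dst=LOCAL_V6)]
# The reporter's fix: the block rule excludes the mapped prefix ("to ! ...").
EXCLUDED = [Rule("block", dst=MAPPED, negate_dst=True), Rule("pass", dst=LOCAL_V6)]
# The "pass in quick" suggestion: one rule in front skips the rest for mapped.
WITH_QUICK = [Rule("pass", quick=True, dst=MAPPED)] + ORIGINAL
```

In the model, mapped IPv4 traffic is blocked by rule 1 of ORIGINAL, falls through to the default pass under EXCLUDED, and is accepted at rule 1 under WITH_QUICK, while native IPv6 traffic still reaches the later pass rule in all three.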

