Hi,

>>>>> On Wed, 23 Nov 2005 22:43:07 +0100 (CET)
>>>>> Gael Roualland <[EMAIL PROTECTED]> said:

gael>  Hum, I didn't notice the "ipv6" string was handled a bit differently
gael>  than the numeric proto number in ipfw.

gael>  It does work, at least IPv6-over-IPv4 packets are not blocked, but ipfw
gael>  list/show reports the rule as "allow ip from a.b.c.d to me" and it does
gael>  filter it that way, opening a lot more than just protocol 41...

Umm, 41 is treated as ipv6, internally.  With the following patch,

        allow ip from a.b.c.d to me proto 41

should work as a workaround.  However, it is still incomplete, and
`ipfw show' shows

        allow ip from any to any proto ipv6

Apart from this limitation, it seems to work for me here.

Index: sbin/ipfw/ipfw2.c
diff -u -p sbin/ipfw/ipfw2.c.orig sbin/ipfw/ipfw2.c
--- sbin/ipfw/ipfw2.c.orig      Sat Aug 20 17:36:57 2005
+++ sbin/ipfw/ipfw2.c   Sun Nov 27 04:18:43 2005
@@ -3611,7 +3611,8 @@ add_proto(ipfw_insn *cmd, char *av, u_ch
                *proto = pe->p_proto;
        else
                return NULL;
-       if (*proto != IPPROTO_IP && *proto != IPPROTO_IPV6)
+       if (strcmp(av, "ipv4") != 0 && strcmp(av, "ip4") != 0 &&
+           strcmp(av, "ipv6") != 0 && strcmp(av, "ip6") != 0)
                fill_cmd(cmd, O_PROTO, 0, *proto);
 
        return cmd;
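
Review bot: the rewritten `if` in front of `fill_cmd(cmd, O_PROTO, 0, *proto)` no longer excludes `*proto == IPPROTO_IP`; it skips O_PROTO only for the four literal spellings "ipv4", "ip4", "ipv6" and "ip6". Any other `av` that resolves to IPPROTO_IP on the paths above this hunk would now emit an O_PROTO opcode, so either keep `*proto != IPPROTO_IP &&` in the test or confirm that no such path reaches this point. A one-line comment stating that the comparison is on the keyword rather than the number, so that a numeric 41 still produces an O_PROTO match, would make the intent clear, and the `ipfw show` limitation described in the message is not addressed by this hunk.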


Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED]  [EMAIL PROTECTED],jp.}FreeBSD.org
http://www.imasy.org/~ume/
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw