On 25.12.2012 18:58, Fabian Wenk wrote:
Hello
To test tables with IPv6 for use with fail2ban (see thread "IPv6
Support" [1]), I tried it out on a FreeBSD 9.1-RELEASE (r244668) system.
Not all possible rules with tables which include IPv6 addresses seem to
work.
[1] http://sourceforge.net/mailarchive/message.php?msg_id=29387087
For fail2ban both will be possible: using mixed tables with IPv4 and
IPv6 addresses, and separate tables with only IPv4 or IPv6 addresses. So
I tried a few variants.
First I created 3 different tables (IPv4 only, IPv6 only, IPv4 and IPv6
mixed), this worked so far:
...
Then I deleted the IPv4 and IPv6 only rules to only test with the mixed
IPv4 and IPv6 table(46):
root@freebsd9:~ # ipfw delete 1 2
root@freebsd9:~ # ipfw show | head -1
00003 0 0 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #
And again testing from the remote system, the timeouts are still with
the same difference for IPv4 and IPv6, but the message for IPv6 is now
different:
unreach && unreach6 do different things:
The former implies the O_REJECT token (which is IPv4 only) while the latter
calls O_UNREACH6 (which is IPv6 only).
I'm not sure why we're utilizing O_UNREACH6 instead of re-using O_REJECT.
root@freebsd9:~ # ipfw show | head -1
00003 12 872 unreach port tcp from table(46) to me dst-port 22 in
root@freebsd9:~ #
I also tried some other rules, which would be use cases for my setup
with fail2ban, but not all of them work:
freebsd9:~ # ipfw add 4 deny ip6 from table\(6\) to me6 22 in
ipfw: bad address "table(6)"
root@freebsd9:~ #
Yep, this is a known problem (and some similar ones still remain). Fixed in
r240892 (r241883 for stable/9).
...
To help collect the information regarding IPv6 support in ipfw tables,
what other rules should I test? Or is this already enough information
for any FreeBSD IPFW developer to be able to locate and probably fix
these issues?
I guess it is probably better to first collect some more information
regarding IPv6 and tables here on the list and then create a
corresponding PR later on for it.
bye
Fabian
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[email protected]"
--
WBR, Alexander