List:       ipfilter
Subject:    Re: Problem with ipfstat IPv6
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2001-12-30 14:39:48

In some email I received from Invernizzi Fabrizio, sie wrote:
> Hi all.
> 
> I am using ipfilter v3.4.21 on a FreeBSD  4.4-RELEASE host for IPv6
> firewalling, but I have some problems.
> 
> 
> If I use a rule with an IPv6 prefix, the rule does not match any packet.
> 
> 	EXAMPLE:
> 	pass in quick on xl0 proto tcp from any to 2001:6b8:10:1000::/64
> port = 22  flags S keep state keep frags
> 	
> 	An incoming packet on xl0 to 2001:6b8:10:1000:210:4bff:fe25:5a81
> does not match this rule.
> 
> 
> If I use the same rule but with the complete address instead of the
> prefix, it works
> 
> 	EXAMPLE:
> 	pass in quick on xl0 proto tcp from any to
> 2001:6b8:10:1000:210:4bff:fe25:5a81 port = 22  flags S keep state keep
> frags
> 
> Is this a bug or do I have some error in my configuration?

I don't know.  eg.

# cat ip6.rule
pass in quick proto tcp from any to 2001:6b8:10:1000::/64 port = 22 flags S keep state keep frags
# cat ip6.test
6000 0000 0014 06 3f
2002 06b9 0011 1000 0210 4bff fe25 5a81
2001 06b8 0010 1000 0210 4bff fe25 5a81
4c7c 0016 aea6 fcb9 43e9 e78e 5002 2398
b6c7 0000
# SunOS5/sparc-5.8/ipftest -6dvxHr ip6.rule -i ip6.test
opening rule file "ip6.rule"
parse [pass in quick proto tcp from any to 2001:6b8:10:1000::/64 port = 22 flags S keep state keep frags]
iplioctl(ADAFR,4db98,1) = 0
input: 6000 0000 0014 06 3f
input: 2002 06b9 0011 1000 0210 4bff fe25 5a81
input: 2001 06b8 0010 1000 0210 4bff fe25 5a81
input: 4c7c 0016 aea6 fcb9 43e9 e78e 5002 2398
input: b6c7 0000

p:i0. 0x62003f06 & 0xf00000ff != 0x60000006
1a. 0x200206b9 & 00000000 != 00000000
1b. 0x111000 & 00000000 != 00000000
1c. 0x2104bff & 00000000 != 00000000
1d. 0xfe255a81 & 00000000 != 00000000
2a. 0x200106b8 & 0xffffffff != 0x200106b8
2b. 0x101000 & 0xffffffff != 0x101000
2c. 0x2104bff & 00000000 != 00000000
2d. 0xfe255a81 & 00000000 != 00000000
3. 00000000 & 00000000 != 00000000
4. 00000000 & 00000000 != 00000000
*pass 0x580a
pass
--------------



> I try to use ipfstat -6t to see the established connections, the IPv6
> addresses are shown as IPv4 addresses. This is the output:
> 
> 
> 
>                                               - IP Filter: v3.4.21 -
> state top                                              09:51:14
> 
> Src = 0.0.0.0  Dest = 0.0.0.0  Proto = any  Sorted by = # bytes
> 
> Source IP             Destination IP         ST   PR   #pkts    #bytes
> ttl
> 32.1.6.184,4074       32.1.6.184,22         4/4  tcp     416     55529
> 119:59:29
> 
> 
> 
> The IPv4 addresses shown are the first HEX of 2001:6b8 converted to
> decimal :).

I'll let the people who play with the "top" output deal with that :)

darren
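
Added example, not part of the original message or of ipfilter's source: the word-by-word masked comparison that steps 2a to 2d of the ipftest trace show for the /64 rule, plus a helper that formats only the first four bytes of an IPv6 address as a dotted quad, which reproduces the 32.1.6.184 seen in the reported ipfstat output. The function names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ipfilter code): IPv6 text -> four host-order words. */
static int load_words(const char *text, uint32_t w[4])
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, text, &a) != 1) return -1;
    for (int i = 0; i < 4; i++) {
        uint32_t be;
        memcpy(&be, a.s6_addr + 4 * i, 4);
        w[i] = ntohl(be);
    }
    return 0;
}

/* Masked compare per 32-bit word: 1 = match, 0 = no match, -1 = bad input. */
int match_prefix(const char *addr, const char *net, unsigned plen)
{
    uint32_t a[4], n[4];
    if (plen > 128 || load_words(addr, a) || load_words(net, n)) return -1;
    for (int i = 0; i < 4; i++) {
        unsigned bits = plen > 32 ? 32 : plen;   /* prefix bits in this word */
        uint32_t m = bits ? 0xffffffffu << (32 - bits) : 0;
        plen -= bits;
        if ((a[i] & m) != (n[i] & m)) return 0;  /* /64: words 2 and 3 have m == 0 */
    }
    return 1;
}

/* Format only the first four bytes of an IPv6 address as a dotted quad. */
int first_word_as_ipv4(const char *addr, char *out, size_t len)
{
    struct in6_addr a;
    if (inet_pton(AF_INET6, addr, &a) != 1) return -1;
    snprintf(out, len, "%d.%d.%d.%d",
             a.s6_addr[0], a.s6_addr[1], a.s6_addr[2], a.s6_addr[3]);
    return 0;
}

int main(void)
{
    const char *dst = "2001:6b8:10:1000:210:4bff:fe25:5a81"; /* from the report */
    char q[16];
    first_word_as_ipv4(dst, q, sizeof q);
    printf("match=%d shown=%s\n", match_prefix(dst, "2001:6b8:10:1000::", 64), q);
    return 0;
}
```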