Re: ipf.conf vs. ipf6.conf

To: tech-net%netbsd.org@localhost
Subject: Re: ipf.conf vs. ipf6.conf
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Thu, 9 Jun 2016 23:19:08 +0200

On Thu, Jun 09, 2016 at 06:55:02PM +0200, Edgar Fuß wrote:
> I also managed to partly answer this one. But there seems to be a bug in how 
> ipfstat -6 -[io] displays the rules.
> 
> EF> Is my impression correct that rules in ipf.conf (i.e. loaded with ipf 
> EF> without -6) only apply to IPv4 while rules in ipf6.conf (i.e. loaded 
> EF> via ipf -6) apply only to IPv6. Right?
> This indeed seems to be true.
> 
> EF> Now, what if rules are added to a non-default group? Are these groups also 
> EF> IP version specific or will a packet having matched a "head 100" rule in 
> EF> ipf.conf be matched against a "group 100" rule in ipf6.conf?
> All rules seem to ve specific to the IP version they were loaded for.
> However, ipfstat -6 -[io] seems to erroneously display non-group-zero rules 
> from the v4 ruleset. If we did our testing correctly, these rules are only 
> displayed, not actually applied to IPv6 traffic.
> Note that ipftstat -6 -[io| does NOT display group-zero v4 rules.

On what version did you test ?
on -7 and newer, a rule without address family will match both inet4 and
inet6, and you can put all rules in ipf.conf

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

Follow-Ups:
- Re: ipf.conf vs. ipf6.conf
  - From: Edgar Fuß

References:
- ipf.conf vs. ipf6.conf
  - From: Edgar Fuß
- Re: ipf.conf vs. ipf6.conf
  - From: Edgar Fuß

Prev by Date: Re: ipf group/head (and quick)
Next by Date: Re: ipf.conf vs. ipf6.conf
Previous by Thread: Re: ipf.conf vs. ipf6.conf
Next by Thread: Re: ipf.conf vs. ipf6.conf
Indexes:

Home | Main Index | Thread Index | Old Index