Hello freebsd-ipfw@, I just tripped over what seems to be a syntax bug and need some help understanding it well enough to submit a PR (or to be dissuaded from doing so). A quick look through all PRs matching 'ipfw', open and closed, does not reveal a clear duplicate.
Let's say my machine has a physical interface, em0, with IPv4 address 192.0.2.1, and a tunneling peer with IPv4 address 198.51.100.2. I also have gif0 configured with these tunnel endpoints and an inner IPv6 address (which I do not believe is relevant). I have the following interaction with the machine.

    % ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6
    1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ip6
    % ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6
    2000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6

Notice that when I say "ipv6", ipfw responds "ip6", but when I say "proto ipv6", ipfw responds "ipv6". Is this an unintended exception, or the unintended consequence of grammar implications I just don't fully understand?

Next my peer sends me some tunneled traffic---each packet incident upon em0 starts with an IPv4 header with the proto field equal to 41, followed by an IPv6 header---and I check the rule counters. Rule 1000 has zero hits, but rule 2000 has all the hits. What would rule 1000 match?

This is on 9.2-STABLE r260112.

Regards,
John
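The following is an added illustration and not ipfw's own parser or any code from the poster: a deliberately small Python model of the two places the word "ipv6" can appear in an ipfw(8) rule, run against constructed tunnel packets to reproduce the counters described above. It assumes what ipfw(8) documents: the first word after the action is the protocol slot, where "ip4"/"ipv4" means "match IPv4 packets" and "ip6"/"ipv6" means "match IPv6 packets"; "proto NAME" in the options resolves NAME through /etc/protocols, where "ipv6" is IP protocol 41 (IPv6 encapsulated in IPv4); and a bare "ip6"/"ipv6" among the options is the "match IPv6 packets" option, printed back as "ip6". The protocol table and packets are constructed for the example.

```python
"""Toy model of ipfw rule parsing for the 'ipv6' vs 'proto ipv6' question.

Added example, not ipfw source. Semantics are taken from ipfw(8) and
/etc/protocols, but the parser below covers only the subset of the grammar
needed for the rules in question.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subset of /etc/protocols: protocol name -> IP protocol number.
PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "ipv6": 41, "gre": 47}
PROTO_NAMES = {num: name for name, num in PROTOCOLS.items()}


@dataclass
class Rule:
    number: int
    action: str
    src: str = "any"
    dst: str = "any"
    want_ip4: bool = False          # packet must carry an IPv4 outer header
    want_ip6: bool = False          # packet must carry an IPv6 outer header
    proto: Optional[int] = None     # outer header protocol number must equal this
    proto_slot: str = "ip"          # canonical text printed in the protocol slot
    tail: List[str] = field(default_factory=list)  # canonical option text
    hits: int = 0


@dataclass
class Packet:
    version: int    # IP version of the outer header: 4 or 6
    src: str
    dst: str
    proto: int      # protocol / next-header field of the outer header


def _apply_proto_word(rule: Rule, word: str, in_options: bool) -> None:
    """Interpret a protocol-ish word in either the protocol slot or the options."""
    if word in ("ip4", "ipv4"):
        rule.want_ip4 = True
        canonical = "ip4"
    elif word in ("ip6", "ipv6"):
        rule.want_ip6 = True
        canonical = "ip6"
    elif word in ("ip", "all"):
        canonical = "ip"
    else:  # a real protocol name or number, e.g. tcp or 41
        rule.proto = PROTOCOLS[word] if word in PROTOCOLS else int(word)
        canonical = PROTO_NAMES.get(rule.proto, str(rule.proto))
    if in_options:
        rule.tail.append(canonical)
    else:
        rule.proto_slot = canonical


def parse_rule(text: str) -> Rule:
    """Parse 'ipfw add N ACTION PROTO from SRC to DST [options]'."""
    tok = text.split()
    if tok[:2] != ["ipfw", "add"]:
        raise ValueError("only 'ipfw add' is modelled")
    rule = Rule(number=int(tok[2]), action=tok[3])
    body = tok[4:]
    if len(body) < 5 or body[1] != "from" or body[3] != "to":
        raise ValueError("expected: PROTO from SRC to DST [options]")
    _apply_proto_word(rule, body[0], in_options=False)
    rule.src, rule.dst = body[2], body[4]
    opts = body[5:]
    i = 0
    while i < len(opts):
        if opts[i] == "proto":
            if i + 1 >= len(opts):
                raise ValueError("'proto' needs a protocol name or number")
            # 'proto NAME' is looked up in /etc/protocols: ipv6 -> 41
            rule.proto = PROTOCOLS.get(opts[i + 1]) or int(opts[i + 1])
            rule.tail.append(PROTO_NAMES.get(rule.proto, str(rule.proto)))
            i += 2
        elif opts[i] in ("ip4", "ipv4", "ip6", "ipv6"):
            # bare keyword among the options: a version match, not a protocol
            _apply_proto_word(rule, opts[i], in_options=True)
            i += 1
        else:
            raise ValueError(f"option not modelled: {opts[i]}")
    return rule


def format_rule(rule: Rule) -> str:
    """Print the rule the way the model would echo it back."""
    return " ".join([str(rule.number), rule.action, rule.proto_slot,
                     "from", rule.src, "to", rule.dst] + rule.tail)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.want_ip4 and pkt.version != 4:
        return False
    if rule.want_ip6 and pkt.version != 6:
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    return True


def run(rules: List[Rule], packets: List[Packet]) -> dict:
    """First-match evaluation; returns {rule number: hit count}."""
    for r in rules:
        r.hits = 0
    for pkt in packets:
        for r in rules:
            if matches(r, pkt):
                r.hits += 1
                break
    return {r.number: r.hits for r in rules}


RULES = [parse_rule(t) for t in (
    "ipfw add 1000 allow ip4 from 198.51.100.2 to 192.0.2.1 ipv6",
    "ipfw add 2000 allow ip4 from 198.51.100.2 to 192.0.2.1 proto ipv6",
)]
# Constructed sample traffic: ten IPv6-in-IPv4 tunnel packets (outer proto 41).
TUNNELED = [Packet(4, "198.51.100.2", "192.0.2.1", 41) for _ in range(10)]


def demo() -> dict:
    return run(RULES, TUNNELED)


if __name__ == "__main__":
    for r in RULES:
        print(format_rule(r))
    print(demo())
```

In this model rule 1000 ends up requiring an IPv4 outer header and an IPv6 outer header at the same time, so no packet can satisfy it, while rule 2000 requires IPv4 with protocol 41, which is exactly what a gif tunnel delivers. The practical check when a rule's counter stays at zero is to compare the echoed rule text against ipfw(8) word by word, since the printed form ("ip6" vs "ipv6") already reveals which opcode the parser chose.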