Title: IPv6 Filtering strange problem

Hello

I would like to thank Mr Laxman Amruth for helping and analysing IPv6 filtering along with me.

A little bit of progress in configuring IPFilter for IPv6 filtering. I was able to view IPv6 stats in the "ipfstat" output.

We have to insert the "pfil" module on the network interface with the "inet6" option also.

Something like: # ifconfig ce3 inet6 modinsert [EMAIL PROTECTED] immediately after "ip" stream]

As soon as the pfil module is inserted, all the packets passing through that network interface get blocked.

We suspect a problem with IPv6 packet matching.

The "ipfstat" output is shown below:

[EMAIL PROTECTED]> ipfstat
bad packets:            in 0    out 0
 IPv6 packets:          in 13829 out 6769
 input packets:         blocked 0 passed 13829 nomatch 1 counted 0 short 0
output packets:         blocked 0 passed 6769 nomatch 0 counted 0 short 0
 input packets logged:  blocked 0 passed 0
output packets logged:  blocked 0 passed 0
 packets logged:        input 0 output 0
 log failures:          input 0 output 0
fragment state(in):     kept 0  lost 0  not fragmented 0
fragment state(out):    kept 0  lost 0  not fragmented 0
packet state(in):       kept 0  lost 0
packet state(out):      kept 0  lost 0
ICMP replies:   0       TCP RSTs sent:  0
Invalid source(in):     0
Result cache hits(in):  5       (out):  0
IN Pullups succeeded:   0       failed: 13823
OUT Pullups succeeded:  0       failed: 6769
Fastroute successes:    0       failures:       0
TCP cksum fails(in):    0       (out):  0
IPF Ticks:      7377
Packet log flags set: (0)
        none
----------------------------------------------------------------------------------------------------------------
[EMAIL PROTECTED]> ipfstat -6hio
empty list for ipfilter(out)
0 block in log on ce3 proto tcp from any to 2106:22:188:252:0:66:1:4/64 port = ssh
-------------------------------------------------------------------------------------------------------------------

[EMAIL PROTECTED]>  ndd /dev/pfil pfil_inet6
in
function        flags
7847a0e8        3
out
function        flags
7847a0e8        3

[EMAIL PROTECTED]>  ndd /dev/pfil qif_status
ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
ce3 0x3000393f940 0x300296aa298 0x300296aa388 0x0 14 86dd 14 14865 7328 0 0 0 0 0 0 0
QIF2 0x0 0x3002965eb48 0x3002965ec38 0x0 2 8035 0 0 0 0 0 0 0 0 0 0
QIF1 0x0 0x30008cea820 0x30008cea910 0x0 1 806 0 2 13 0 0 0 0 0 0 0
[EMAIL PROTECTED]>

Best Regards
Pradeep Reddy
