[ipfw patch - add ipv6 support for table mechanism] request for testing/commit

Raffaele De Lorenzo raffaele.delorenzo at libero.it
Thu May 7 20:23:01 UTC 2009 

Hi all,
I extended the ipfw table mechanism to IPv6 protocol and  now i need  
some people for testing and next commit it.
The code is stable but you must be careful about possible ambiguous  
parser semantics.
Now you must insert IPv6 addresses inside a table:

ipfw table 1 add fe80::1

And you can create IPv6 rules about this table:

ipfw add deny tcp from table6(1) to any dst-port 22
ipfw add deny icmp6 from any to table6(1)

The "table6" semantic tell the difference betwen the IPv4 semantic  
("table").

The following changes are made on the ipfw2 sources:

KERNEL SPACE:

ip_fw.h

1) Added 2 new OPCODES: O_IP6_SRC_LOOKUP, O_IP6_DST_LOOKUP
2) Added the follow fields in "ipfw_table_entry" structure:
	
	struct in6_addr addr6, mask6;
	uint8_t proto;

ip_fw2.c
-------------- next part --------------


1) Added the follow fields in "struct table_entry" structure:

	struct sockaddr_in6 addr6, mask6;
	uint8_t proto;

2) Some changes inside the "add_table_entry" function.
3) Some changes inside the "del_table_entry" function.
4) Some changes inside the "flush_table_entry" function.
5) Some changes inside the "lookup_table" function.
6) Some changes inside the "dump_table_entry" function.
7) Added a new function named "set_proto_table".
8) Added the two new OPCODES inside the "ipfw_check()" function.
9) Added the two new OPCODES inside the "check_ipfw_struct" function.


USER SPACE:

ipfw2.c

1) Added some changes on "table_handler" function
2) Added some changes on "show_ipfw" function
3) Added some changes on "print_ip6" function
4) Added some changes on "fill_ip6" function
5) Added some changes on "add_dstip6" function
6) Added some changes on "add_srcip6" function
7) Added some changes on "add_src" function
8) Added some changes on "add_dst" function

I updated the man pages.


INSTALLATION INSTRUCTIONS:

Put  the "ip_fw2.c" and "ip_fw.h" files inside the "/sys/netinet/  
directory"
Put the "ipfw2.c" file inside the /src/sbin/ipfw/ directory

Rebuild the ipfw kernel module or rebuild you kernel
Rebuild the ipfw bin or the entire  SBIN.

The Sources was tested on FreeBSD 7.2 Release.

Let me know any troubles

Ciao

Raffaele

More information about the freebsd-ipfw mailing list