[CFT] new tables for ipfw

Willem Jan Withagen wjw at digiware.nl
Thu Aug 14 15:58:58 UTC 2014


On 14-8-2014 17:53, Lee Dilkie wrote:
> 
> On 8/14/2014 11:27 AM, Willem Jan Withagen wrote:
>> On 14-8-2014 14:46, Lee Dilkie wrote:
>>> On 8/14/2014 08:08, Willem Jan Withagen wrote:
>>>> I've found the notation ipnr:something rather frustrating when using
>>>> ipv6 addresses. Sort of like typing an ipv6 address in a browser, the
>>>> last :xx is always interpreted as portnumber, UNLESS you wrap it in []'s.
>>>> compare
>>>>     2001:4cb8:3:1::1
>>>>     2001:4cb8:3:1::1:80
>>>>     [2001:4cb8:3:1::1]:80
>>>> The first and the last are the same host but a different port, the
>>>> middle one is just a different host.
>>>>
>>>> Could/should we do the same in ipfw?
>>> the first and second forms are valid, but as ipv6 addresses *with no port*,
>>>
>>> The third is an ipv6 address with a port.
>>>
>>> If the intent of the second form is an address and port, it will not be
>>> parsed that way by standard parsers and violates the ipv6 addressing rfc's.
>> I agree, but ipfw does not understand [2001:4cb8:3:1::1] last time I tried.
>> So I think you rephrased what I meant to say.
>>
>> Thanx,
>> --WjW
>>
> 
> and re-reading your original post, yes you did state it correctly.
> 
> ipfw needs to be fixed to understand the correct format of ipv6 addresses.
> 
> however, this isn't the only offender. netstat's output is also
> incorrect (linux example)
> 
> 
> tcp        0      0 :::22                       :::*                        LISTEN
> 
> should be
> 
> tcp        0      0 [::]:22                     [::]:*                      LISTEN
> 
> I don't understand why folks dream up incompatible, and unparsable, ipv6
> address formats. Why bother with rfc's if no-one writes to them.
> 
> (see rfc5952)

I think that that was the RFC I found when looking into getting the
browser to do the right thing when I want it to go to:
	[2001:4cb8:3:1::1]:8080
	
Well the RFC would be an argument to at least spec an IPv6 address in an
ipfw rule to be allowed either with or without []'s. And if you run into
trouble by not using the []'s, they are "easily" added.

--WjW
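
The three notations compared in this thread can be told apart mechanically once brackets are the only place a port may appear. The following is an added example, not code from the thread or from ipfw; `parse_v6_hostport` and `struct hostport` are hypothetical names, and only `inet_pton` from the standard sockets API is assumed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct hostport {
    struct in6_addr addr;
    int port;                        /* -1 when the spec carries no port */
};

/* Split "addr", "[addr]" or "[addr]:port"; 0 on success, -1 if malformed. */
int parse_v6_hostport(const char *spec, struct hostport *out)
{
    char buf[INET6_ADDRSTRLEN], *end;
    const char *rest = "", *rb;
    size_t len = strlen(spec);
    long p;

    out->port = -1;
    if (spec[0] == '[') {            /* bracketed: a port may follow the ']' */
        if ((rb = strchr(spec, ']')) == NULL)
            return -1;
        len = (size_t)(rb - spec) - 1;
        rest = rb + 1;
        spec++;
    }                                /* unbracketed: every ':' is address */
    if (len >= sizeof(buf))
        return -1;
    memcpy(buf, spec, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET6, buf, &out->addr) != 1)
        return -1;
    if (*rest == '\0')
        return 0;
    if (*rest != ':' || !isdigit((unsigned char)rest[1]))
        return -1;
    p = strtol(rest + 1, &end, 10);
    if (*end != '\0' || p > 65535)
        return -1;
    out->port = (int)p;
    return 0;
}
```

With this rule `2001:4cb8:3:1::1:80` parses as a different host with no port, while `[2001:4cb8:3:1::1]:80` yields the first address plus port 80.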

