Re: IPF filtering of encapsulated IPv6 packets?
> From: Darren Reed <avalon@cairo.anu.edu.au>
>
> In some mail from Pete Toscano, sie said:
> >
> > Hello,
> >
> > I sent this to the ipv6@openbsd list yesterday, but seeing how low the
> > traffic is, I'm guessing that it's nearly dead. I hope it's not too
> > inappropriate for me to report on this list.
> >
> > I have an IPv6-in-IPv4 tunnel to the 6Bone. My side of the tunnel is an
> > OpenBSD (2.9-stable) box. This tunnel is gif0. I have another tunnel
> > for internal network use (gif1) and a directly attached IPv6 network
> > (off xl0, the tunnels are off dc0).
> >
> > My problem is exactly the same as Rob Mooney's from 2001.03.09
> > (http://www.sigmasoft.com/~openbsd/archive/openbsd-ipv6/200103/msg00000.html)
> > -- I can filter IPv4 just fine, but I cannot filter on IPv6 content. If
> > I put IPv6 filters (ipf -6) on dc0, then they just get ignored.
> > Tcpdump-ing on the gif interfaces just shows outgoing traffic. Heck,
> > even blocking all IPv6 traffic out of xl0 gets ignored:
> >
> > [root@foo6 12:09:25 /root]# ipfstat -6ho
> > 0 block out log from any to any
> > 0 block out on xl0 from any to any
> >
> > My IPv4 filters allow ICMP protocol 0x29 (41) in, but I cannot figure
> > out how to filter any IPv6.
> >
> > Would someone please help me? Getting filtering up is necessary for
> > this project and I _really_ want to keep using OpenBSD.
>
> It would appear that OpenBSD (2.9) has never had and still does not have
> the ability to filter IPv6 packets, despite IPFilter being capable.
Incorrect, although it seems to require a recompile.
http://oversteer.bl.echidna.id.au/IPv6/openbsd-firewall.html
Carl