ipfilter ipf command was changed a long time ago to no longer require 1 rules file for ipv4 and another rules file for ipv6. Both were combined into a single rules file. Seems this change was not also done to the ipfstat command. Running 12.1 RELEASE on real hardware.

>cat /etc/ipf.rules
pass out quick on em0 all
pass in quick on em0 all
pass out quick on bridge0 all
pass in quick on bridge0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on re0 proto tcp/udp from any to any port = 53 keep state
pass out quick on re0 proto udp from any to any port = 67 keep state
pass out log quick on re0 proto icmp from any to any keep state
pass out log quick on re0 proto ipv6-icmp from any to any
pass out quick on re0 proto tcp from any to any port = 43 flags S keep state
block out quick on re0 all
block in quick on re0 proto icmp all
pass in log quick family inet6 proto ipv6-icmp all
block in quick on re0 all

>ipfstat -nhoi
0 @1 pass out quick on em0 all
232 @2 pass out quick on bridge0 all
0 @3 pass out quick on lo0 all
7 @4 pass out quick on re0 proto tcp/udp from any to any port = domain keep state
0 @5 pass out quick on re0 proto udp from any to any port = bootps keep state
0 @6 pass out log quick on re0 proto icmp from any to any keep state
1 @7 pass out log quick on re0 proto ipv6-icmp from any to any
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
234 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
48 @5 block in quick on re0 all

>ipfstat -nhoi6
0 @1 pass out quick on em0 all
234 @2 pass out quick on bridge0 all
0 @3 pass out quick on lo0 all
7 @4 pass out quick on re0 proto tcp/udp from any to any port = domain keep state
0 @5 pass out quick on re0 proto udp from any to any port = bootps keep state
0 @6 pass out log quick on re0 proto icmp from any to any keep state
1 @7 pass out log quick on re0 proto ipv6-icmp from any to any
0 @8 pass out quick on re0 proto tcp from any to any port = nicname flags S/FSRPAU keep state
45 @9 block out quick on re0 all
25 @1 pass in quick on em0 all
236 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
469 @5 pass in log quick inet6 proto ipv6-icmp from any to any
49 @6 block in quick on re0 all

>cat /var/log/security
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 72 icmpv6 neighborsolicit/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
@0:5 p fe80::201:5cff:fe9d:1846 -> ff02::1 PR icmpv6 len 40 56 icmpv6 routeradvert/0 IN multicast
snip

Rule #5 is missing from the -nhoi listing but is present in the -nhoi6 list. This is an error. The -6 flag should be removed as obsolete and the listing should show all the ipv4 & ipv6 rules in a single list.
Instead of -nhio and -nhio6, please provide the output of:

ipfstat -io > 4
ipfstat -io6 > 6
diff -u 4 6

This removes the rule numbers and the rule hit counts and allows diff to see the actual differences.
Looking at my firewall's output (I didn't look closely), what I see is that with -6 it correctly removed IPv4. It did list all rules that didn't specify family inet or were inet6. Based on my cursory look I see it's working properly.

Looking at your output (with rule numbers and hit counts removed, as they have obviously confused our view):

slippy$ diff -u 4 6
--- 4	2020-07-13 09:52:58.296696000 -0700
+++ 6	2020-07-13 09:53:19.872361000 -0700
@@ -11,4 +11,5 @@
 pass in quick on bridge0 all
 pass in quick on lo0 all
 block in quick on re0 proto icmp from any to any
+pass in log quick inet6 proto ipv6-icmp from any to any
 block in quick on re0 all
slippy$
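The comparison asked for above, as an added shell example that is not part of the PR or of ipfilter: it strips the hit counts and rule numbers that ipfstat -n and -h prepend, then reports the rules that appear in only one listing, so differing counters never show up as a rule difference. The two inbound listings are constructed from the reporter's excerpts, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR: compare two ipfstat listings after dropping
# the "<hits> @<n> " prefix that -n and -h add, so only real rule changes remain.

# Strip the leading hit count and rule number from each listing line.
strip_counts() {
    sed -E 's/^[[:space:]]*[0-9]+[[:space:]]+@[0-9]+[[:space:]]+//'
}

# rule_diff LISTING_A LISTING_B
# Prints rules found in only one listing: "< rule" for A-only, "> rule" for B-only.
rule_diff() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | strip_counts | LC_ALL=C sort -u > "$a"
    printf '%s\n' "$2" | strip_counts | LC_ALL=C sort -u > "$b"
    tab=$(printf '\t')
    # comm -3 drops lines common to both files; B-only lines carry a leading tab
    LC_ALL=C comm -3 "$a" "$b" | sed -e "s/^${tab}/> /" -e 's/^\([^>]\)/< \1/'
    rm -f "$a" "$b"
}

# Constructed inbound listings modelled on the report's -nhoi and -nhoi6 output
# (the bridge0 counters differ between runs; that alone must not be reported).
V4_IN='25 @1 pass in quick on em0 all
234 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
48 @5 block in quick on re0 all'
V6_IN='25 @1 pass in quick on em0 all
236 @2 pass in quick on bridge0 all
0 @3 pass in quick on lo0 all
0 @4 block in quick on re0 proto icmp from any to any
469 @5 pass in log quick inet6 proto ipv6-icmp from any to any
49 @6 block in quick on re0 all'

rule_diff "$V4_IN" "$V6_IN"
```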
You're missing the point. The -6 flag is obsolete. There should not be any difference. The man page even says that. -6 or -4 should show the same list. Both flags should be removed from the command logic so only one version of the results is shown.
Why would you say it's obsolete in ipfstat?
Thank you for asking for my opinion.

In /etc/defaults/rc.conf I see this:

ipv6_ipfilter_rules="/etc/ipf6.rules"   # rules definition file for ipfilter,
                                        # see /usr/src/contrib/ipfilter/rules for examples

man 8 ipf says:

ipf -6
    ipv4 and ipv6 rules are stored in a single table and can be read from a single file. This option is no longer required to load ipv6 rules.

I interpret this to mean that the ipv6_ipfilter_rules="/etc/ipf6.rules" line in /etc/defaults/rc.conf is obsolete and should be removed before RELEASE 13.0 is published for users to use. And this filters down to the ipfstat command, meaning the internal logic has to be changed, removing the -6 logic and using only a single rules file with interspersed ipv4 & ipv6 rules together. The -6 flag only serves to cause user confusion.

And to do a complete job any ipv6 examples in /usr/src/contrib/ipfilter/rules should be moved to /usr/share/examples/ipfilter. And if there are none then some ipv6 examples should be created. Also the statement about -6 in man 8 ipf should be corrected.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247568 addresses this problem.
Correct but we are talking about ipfstat, not ipf(8). ipf(8) in ipfilter 4 loaded rules into two separate lists. Therefore -6 and -4 are obsolete in ipf(8). ipfstat(8) lists the contents of that list. -6 filters out IPv4, see the ipfstat(8) man page.

man 8 ipfstat says:

-6    Display filter lists and states for IPv6, if available.

Conflating ipf(4) with ipfstat(8) is illogical. Suggesting the removal of -6 from ipfstat(8) is just as illogical. The internal logic of ipf(4) changed to maintain only one list therefore ipf(8) no longer needed -4 and -6. However listing of rules by ipfstat by -6 is still useful. I do not see why removing the filter is useful. Adding a -4 filter would allow the listing of only IPv4 related rules, and it would be useful.

BTW, extending -P for use with -i and -o instead of just -t would be useful as well and should be simple to do.
The implementation of -6 is inconsistent when using -i and/or -o from -t. With -t, -6 is IPv6 only whereas without it ipfstat lists IPv4 only. The width of the address field shouldn't be an issue. There is an ncurses issue when the terminal isn't wide enough. I'll put these on my list of things to fix.
Let's reopen this and use this PR to track cleaning up argument processing in ipfstat. It's consistently inconsistent like ippool was.
I'll post a patch once the #ifdef cleanup passes tinderbox. Should be about a day or two.
Created attachment 216455
Separate IPv4 output and default to combined + some cleanups.

This patch adds a -4 option to list only IPv4 rules while -6 lists only IPv6 rules. The default is both when listing. When displaying stats the default will remain -4 until I find the time to address the ncurses issues with -t. It's a start of cleaning up ipfstat just as ippool has been cleaned up (except for IPv6).
Committed to my git repo and will push sometime this week.
Created attachment 216474
Separate IPv4 output and default to combined + some cleanups.

The previous patch broke ipfstat -t, which will become a separate commit.
Created attachment 216475
This addresses -i and -o but not -t.

Let's try this again. This addresses -i and -o, not -t and doesn't flag -4 or -6 as errors under other circumstances. This should address the immediate issue.
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:35 UTC 2020
New revision: 363277
URL: https://svnweb.freebsd.org/changeset/base/363277

Log:
  Only use the use_inet6 variable when INET6 is a build option. This is a prerequisite to upcoming argument processing cleanups which will resolve consistency as was done with ippool previously.

  PR: 247952
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:38 UTC 2020
New revision: 363278
URL: https://svnweb.freebsd.org/changeset/base/363278

Log:
  fr_family (the protocol family) must be AF_INET or AF_INET6, as in the kernel, not an arbitrary 4 or 6. This only affected printing ipfilter stats and rules from a kernel dump. (This is currently undocumented.)

  PR: 247952
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:41 UTC 2020
New revision: 363279
URL: https://svnweb.freebsd.org/changeset/base/363279

Log:
  Historically ipfstat listings and stats only listed IPv4 or IPv6 output. ipfstat would list IPv4 outputs by default while -6 would produce IPv6 outputs.

  This commit combines the ipfstat -i and -o outputs into one listing of IPv4 and IPv6 rules. The -4 option lists only IPv4 rules (as the default before) while -6 continues to list only rules that affect IPv6.

  PR: 247952
  Reported by: joeb1@a1poweruser.com
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/man/ipfstat.8
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:44 UTC 2020
New revision: 363280
URL: https://svnweb.freebsd.org/changeset/base/363280

Log:
  ipfstat -t defaults to IPv4 output. Make consistent with ipfstat -i and ipfstat -o where without an argument IPv4 and IPv6 states are shown. Use -4 and -6 to limit the display to IPv4 or IPv6 respectively.

  PR: 247952
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/man/ipfstat.8
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:50 UTC 2020
New revision: 363282
URL: https://svnweb.freebsd.org/changeset/base/363282

Log:
  The output from usage() need not contain usage for -t when STATETOP is not compiled in.

  PR: 247952
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:47 UTC 2020
New revision: 363281
URL: https://svnweb.freebsd.org/changeset/base/363281

Log:
  Make ipfstat -t header generic when IPv4 and IPv6 output are displayed in the same display.

  PR: 247952
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Fri Jul 17 19:07:53 UTC 2020
New revision: 363283
URL: https://svnweb.freebsd.org/changeset/base/363283

Log:
  -4 and -6 only make sense with -i, -o, and -t.

  PR: 247952
  MFC after: 1 week

Changes:
  head/contrib/ipfilter/tools/ipfstat.c
A commit references this bug:

Author: cy
Date: Sat Jul 25 14:27:13 UTC 2020
New revision: 363526
URL: https://svnweb.freebsd.org/changeset/base/363526

Log:
  MFC r363277-r363283

  r363277:
  Only use the use_inet6 variable when INET6 is a build option. This is a prerequisite to upcoming argument processing cleanups which will resolve consistency as was done with ippool previously.

  PR: 247952

  r363278:
  fr_family (the protocol family) must be AF_INET or AF_INET6, as in the kernel, not an arbitrary 4 or 6. This only affected printing ipfilter stats and rules from a kernel dump. (This is currently undocumented.)

  PR: 247952

  r363279:
  Historically ipfstat listings and stats only listed IPv4 or IPv6 output. ipfstat would list IPv4 outputs by default while -6 would produce IPv6 outputs.

  This commit combines the ipfstat -i and -o outputs into one listing of IPv4 and IPv6 rules. The -4 option lists only IPv4 rules (as the default before) while -6 continues to list only rules that affect IPv6.

  PR: 247952
  Reported by: joeb1@a1poweruser.com

  r363280:
  ipfstat -t defaults to IPv4 output. Make consistent with ipfstat -i and ipfstat -o where without an argument IPv4 and IPv6 states are shown. Use -4 and -6 to limit the display to IPv4 or IPv6 respectively.

  PR: 247952

  r363281:
  Make ipfstat -t header generic when IPv4 and IPv6 output are displayed in the same display.

  PR: 247952

  r363282:
  The output from usage() need not contain usage for -t when STATETOP is not compiled in.

  PR: 247952

Changes:
_U  stable/11/
  stable/11/contrib/ipfilter/man/ipfstat.8
  stable/11/contrib/ipfilter/tools/ipfstat.c
_U  stable/12/
  stable/12/contrib/ipfilter/man/ipfstat.8
  stable/12/contrib/ipfilter/tools/ipfstat.c
MFCed.