IP Filter 3.4alpha3 - IPv6 update (fwd)

[Darren Reed <avalon () coombs anu edu au>]

FYI:
> Greetings,
>           IP Filter now supports, almost comlpetely, IPv6.  The only
> parts which aren't covered are:
> * NAT and that's not something I actually intend on paying any attention
>   to (yet - get another ISP if they only give you one IPv6 address via
>   DHCP/dialup and then send them hatemail for being idiots);
> * IPv6 ICMP or ICMP6 (all the types and codes have changed, although the
>   header is vaguely the same).
>
> So this means that IP Filter can now do stateful filtering of IPv6 packets
> (excluding matching ICMP6 packets) and IPv6 packets can get logged.  There
> are some limitations: all rules must currently use the numeric form of
> representation for IPv6 addresses and if you try and use `fancy' IPv6
> headers, packets will fail to match rules which specify normal protocols
> such as TCP, UDP, etc.  I've been testing this on interfaces with native
> IPv6 addresses - not tunnels.
>
> Sample output from ipmon:
>
> 18/12/1999 13:51:10.954701 STATE:NEW 2002:c0a8:100:1::2,49153 -> 2002:c0a8:100:1::1,23 PR tcp
> 18/12/1999 13:55:24.030256 STATE:CLOSE 2002:c0a8:100:1::2,49153 -> 2002:c0a8:100:1::1,23 PR tcp Pkts 51 Bytes 3000
>
> and the matching entry from the state table:
>
> 2002:c0a8:100:1::2 -> 2002:c0a8:100:1::1 ttl 472 pass 0x100a pr 6 state 5/5
>         pkts 51 bytes 3000      49153 -> 23 67c7cd03:8f52ac6c 17520:25704
>         pass in keep state      IPv6
>         pkt_flags & 2(b2) = b,          pkt_options & ffffffff = 0
>         pkt_security & ffff = 0, pkt_auth & ffff = 0
> interfaces: in le0[f5a0c518] out le0[f5a0c518]
>
> the rule:
> # ipfstat -6i
> 1 pass in on le0 proto tcp from any to any flags S/FSRPAU keep state
>
> If you're using NetBSD-current or OpenBSD-current (with the latest KAME
> IPv6 import), the patches below should help you on your way.  I've not
> tested this with FreeBSD - FreeBSD doesn't seem to have any generic
> mechanism like PFIL_HOOKS.
>
> Last Minute:
> ------------
> One thing, before I forget!  When compiling IP Filter, you *will* need to
> add -DUSE_INET6 to CFLAGS= where it is defined as a part of MFLAGS1 in the
> top Makefile.  Tools compiled _without_ -DUSE_INET6 *will not work* with
> a kernel using these patches, ipf3.4alpha* if you have "options INET6"
> present in your config file!  I will be attending to this to make it both
> easier to turn on and detect when trouble a kernel/userland are compiled
> differently.  Solaris8 people, don't worry, it builds for IPv6 regardless.
>
> Anyway, that's all for now.
> Darren
> http://coombs.anu.edu.au/~avalon/ipf3.4alpha3.tar.gz
>
> [patches for NetBSD/OpenBSD deleted - you should really be on the ipfilter]
> [list if you're going to use them]