From owner-freebsd-net@FreeBSD.ORG Sun Jan 10 18:44:28 2010
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E31AB106566B; Sun, 10 Jan 2010 18:44:28 +0000 (UTC) (envelope-from luigi@onelab2.iet.unipi.it)
Received: from onelab2.iet.unipi.it (onelab2.iet.unipi.it [131.114.59.238]) by mx1.freebsd.org (Postfix) with ESMTP id A1A518FC0C; Sun, 10 Jan 2010 18:44:28 +0000 (UTC)
Received: by onelab2.iet.unipi.it (Postfix, from userid 275) id 42D9B73106; Sun, 10 Jan 2010 19:52:32 +0100 (CET)
Date: Sun, 10 Jan 2010 19:52:32 +0100
From: Luigi Rizzo
To: Hajimu UMEMOTO
Message-ID: <20100110185232.GA27907@onelab2.iet.unipi.it>
References: <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com> <25ff90d61001021736p7b695197q104f4a7769b51b71@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.2.3i
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Horn, freebsd-ipfw@freebsd.org
Subject: Re: Unified rc.firewall ipfw me/me6 issue
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Sun, 10 Jan 2010 18:44:29 -0000

On Mon, Jan 11, 2010 at 03:27:13AM +0900, Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Sat, 2 Jan 2010 20:36:45 -0500
> >>>>> David Horn said:
>
> > dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> > dhorn2000> rc.firewall flow.
> >
> > Here is my proposed patch.  With this patch, 'me' matches both IPv4
> > and IPv6, and 'me4' is added for matching only IPv4.
>
> dhorn2000> The patch for me4/me6 works perfectly in my testing to date.  I guess
> dhorn2000> we would need to convince a larger audience to get consensus on
> dhorn2000> changing the behavior for the "me" token from just ipv4 to both ipv4/ipv6,
> dhorn2000> but I personally think it is the right direction.
>
> Thank you for testing.
> I've added current@ and net@ to Cc:.
> It makes the IPv4/IPv6 dual-stack rules definitely simpler that 'me'
> matches both IPv4 and IPv6.  I think it is a desired feature.
> However, I'm not sure we actually need 'me4'.  So, I split my previous
> patch into two patches.  The 1st patch makes 'me' match both IPv4
> and IPv6.  The 2nd patch adds 'me4'.
> If there is no objection, I'll commit the 1st patch.  If someone wants
> 'me4', I'll commit the 2nd patch.

We only need one 'me' option that matches v4 and v6, because the other
two can be implemented as 'ip4 me' and 'ip6 me' at no extra cost (the
code for 'me' only scans the list corresponding to the actual address
family of the packet).

I would actually vote for removing the 'me6' microinstruction from the
kernel, and implementing it in /sbin/ipfw by generating 'ip6 me'.

Feel free to commit the change yourself.

cheers
luigi