Date: Tue, 29 Oct 2002 00:38:39 +0900
From: Hajimu UMEMOTO
To: current@FreeBSD.org, net@FreeBSD.org
Subject: [CFR] ipfilter IPv6 support in rc

Hi,

The current rc doesn't support IPv6 setup for ipfilter. So I made the patches. The former is for both 4-STABLE and 5-CURRENT. In addition to the former one, 5-CURRENT requires the latter one for /etc/rc.d/ipfilter.

This patch is not for /etc/rc.network6 as usual IPv6-related setups but for /etc/rc.network. I tried to add the IPv6 part of the ipfilter setup within /etc/rc.network6. However, it was difficult to do so. For example, flushing rules by `ipf -Fa' affects both IPv4 and IPv6. So, I gave it up, and expanded /etc/rc.network.

Please review it. If there is no objection, I'll commit it next weekend.

Sincerely,

Content-Disposition: attachment; filename="rc.network-ipf6.diff"

Index: etc/defaults/rc.conf =================================================================== RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.159 diff -u -r1.159 rc.conf --- etc/defaults/rc.conf 5 Sep 2002 20:14:40 -0000 1.159 +++ etc/defaults/rc.conf 28 Oct 2002 10:30:53 -0000
@@ -311,6 +311,10 @@ ipv6_firewall_quiet="NO" # Set to YES to suppress rule display ipv6_firewall_logging="NO" # Set to YES to enable events logging ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file +ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter, + # see /usr/src/contrib/ipfilter/rules + # for examples +ipv6_ipfilter_flags="" # additional flags for ipfilter ############################################################## ### System console options ################################# Index: etc/rc.network =================================================================== RCS file: /home/ncvs/src/etc/rc.network,v retrieving revision 1.137 diff -u -r1.137 rc.network --- etc/rc.network 20 Sep 2002 18:31:55 -0000 1.137 +++ etc/rc.network 28 Oct 2002 10:30:54 -0000 @@ -101,10 +101,20 @@ esac case "${ipfilter_enable}" in [Yy][Ee][Ss]) - if [ -r "${ipfilter_rules}" ]; then + if [ -r "${ipfilter_rules}" -o \ + -r "${ipv6_ipfilter_rules}" ]; then echo -n ' ipfilter' - ${ipfilter_program:-/sbin/ipf} -Fa -f \ - "${ipfilter_rules}" ${ipfilter_flags} + ${ipfilter_program:-/sbin/ipf} -Fa + if [ -r "${ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} \ + -f "${ipfilter_rules}" \ + ${ipfilter_flags} + fi + if [ -r "${ipv6_ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -6 \ + -f "${ipv6_ipfilter_rules}" \ + ${ipv6_ipfilter_flags} + fi else ipfilter_enable="NO" echo -n ' NO IPF RULES' --Multipart_Tue_Oct_29_00:38:39_2002-1 Content-Type: text/x-patch; charset=US-ASCII Content-Disposition: attachment; filename="rc.d-ipfilter-ipv6.diff" Content-Transfer-Encoding: 7bit Index: etc/rc.d/ipfilter =================================================================== RCS file: /home/ncvs/src/etc/rc.d/ipfilter,v retrieving revision 1.4 diff -u -r1.4 ipfilter --- etc/rc.d/ipfilter 12 Oct 2002 10:31:31 -0000 1.4 +++ etc/rc.d/ipfilter 28 Oct 2002 10:59:20 -0000 
@@ -16,7 +16,7 @@ case ${OSTYPE} in FreeBSD) - stop_precmd="test -f ${ipfilter_rules}" + stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}" ;; NetBSD) stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf" @@ -49,7 +49,8 @@ fi # check for ipfilter rules - if [ ! -r "${ipfilter_rules}" ]; then + if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ] + then warn 'IP-filter: NO IPF RULES' return 1 fi @@ -78,8 +79,15 @@ echo "Enabling ipfilter." case ${OSTYPE} in FreeBSD) - ${ipfilter_program:-/sbin/ipf} -Fa -f \ - "${ipfilter_rules}" ${ipfilter_flags} + ${ipfilter_program:-/sbin/ipf} -Fa + if [ -r "${ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} \ + -f "${ipfilter_rules}" ${ipfilter_flags} + fi + if [ -r "${ipv6_ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -6 \ + -f "${ipv6_ipfilter_rules}" ${ipv6_ipfilter_flags} + fi ;; NetBSD) /sbin/ipf -E -Fa @@ -114,8 +122,15 @@ case ${OSTYPE} in FreeBSD) - ${ipfilter_program:-/sbin/ipf} -I -Fa -f \ - "${ipfilter_rules}" ${ipfilter_flags} + ${ipfilter_program:-/sbin/ipf} -I -Fa + if [ -r "${ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -I \ + -f "${ipfilter_rules}" ${ipfilter_flags} + fi + if [ -r "${ipv6_ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -I -6 \ + -f "${ipv6_ipfilter_rules}" ${ipv6_ipfilter_flags} + fi ;; NetBSD) /sbin/ipf -I -Fa

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org ume@bisd.hitachi.co.jp ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
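
Review bot: the comment on `ipv6_ipfilter_flags` in the etc/defaults/rc.conf hunk ("additional flags for ipfilter") does not say that the rc scripts already pass `-6` when they load `ipv6_ipfilter_rules`, nor that both new variables are only consulted under `ipfilter_enable`, since no separate IPv6 knob is added. Suggest stating both in the comments, so that nobody adds `-6` a second time or expects /etc/ipf6.rules to be loaded when `ipfilter_enable` is not YES.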
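
Review bot: in the etc/rc.network hunk, the new outer test `[ -r "${ipfilter_rules}" -o -r "${ipv6_ipfilter_rules}" ]` accepts a host where only one of the two files is readable, and the unconditional `${ipfilter_program:-/sbin/ipf} -Fa` that follows flushes both families (as the cover message itself notes) while only one is reloaded. Before this change an unreadable `${ipfilter_rules}` took the ' NO IPF RULES' branch and set `ipfilter_enable="NO"`; now a host with only the IPv6 file prints ' ipfilter' and comes up with no IPv4 rules loaded. Suggest emitting a warning for each file that is skipped, so the family left without rules is visible at boot instead of being reported as enabled.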
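
Review bot: on the changed `stop_precmd` line in the first etc/rc.d/ipfilter hunk, both variables are expanded unquoted at assignment time, so an empty `ipv6_ipfilter_rules` (for example an admin setting it to "" to opt out of IPv6 rules) leaves the test ending in a dangling `-o -f` with no operand, and a path containing whitespace is split into several words. The line also checks with `-f` while the rule check in the next hunk and the load paths check with `-r`. Suggest quoting the expansions inside the string, or moving the check into a small function, and settling on one of `-f` and `-r` for all of the FreeBSD branches.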
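
Review bot: in the last etc/rc.d/ipfilter hunk (the `-I` path), `ipf -I -Fa` runs unconditionally and each file is then loaded only `if [ -r ... ]`, with no readability guard visible in the hunk; if neither file is readable at that moment the inactive set is left flushed and empty. The `[ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]` guard added in the -49 hunk returns 1 in that case, so the same guard (or at least a `warn`) should sit before the flush here as well, unless the surrounding function already guarantees it. The flush-then-conditional-load sequence is also repeated in the -78 hunk and in etc/rc.network; a small helper that takes the extra flag (`-I` or nothing) would keep the three copies from drifting apart.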