From: John Baldwin <jhb@freebsd.org>
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Doug Barton
Date: Mon, 30 Nov 2009 13:00:03 -0500
Subject: Re: [CFR] unified rc.firewall
Message-Id: <200911301300.03324.jhb@freebsd.org>
References: <200911231255.26279.jhb@freebsd.org>
User-Agent: KMail/1.12.1 (FreeBSD/7.2-CBSD-20091103; KDE/4.3.1; amd64)
List-Id: Discussions about the use of FreeBSD-current

On Wednesday 25 November 2009 11:01:16 am Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Mon, 23 Nov 2009 12:55:25 -0500
> >>>>> John Baldwin said:
>
> I updated the patch.
>
> jhb> I had missed the me vs any. It is true that the equivalent rule would use
> jhb> me6. I would rather figure out the IPv6 bug so that TCP is treated the
> jhb> same for both protocols instead of having a weaker firewall for IPv6 than
> jhb> IPv4.
>
> Yes, it is better, definitely. I thought that we could change to use a
> dynamic rule once it was fixed.
> Since PR kern/117234 fixed it, I changed to use a dynamic rule for
> IPv6 as well. So, it requires the patch in the PR.
>
> jhb> I do find the shorter version easier to read, and it matches the existing
> jhb> style as well as the examples in the manual page, handbook, etc.
>
> Okay, I changed 'ip6' to 'all' where we can use it, and stopped using
> 'proto xxx' where possible.
>
> I reconsidered the oif vs oif6 and iif vs iif6 issue. Now, if
> $firewall_simple_oif_ipv6 is not set, $firewall_simple_oif is assumed
> for oif6, and if $firewall_simple_iif_ipv6 is not set,
> $firewall_simple_iif is assumed for iif6.
> Further, I think we usually don't assign a global IPv6 address to oif.
> So, I made $firewall_simple_onet_ipv6 optional.
> One more change is that DHCPv6 is allowed as well as IPv4 DHCP for the
> WORKSTATION type. I usually use DHCPv6: L2TP + DHCPv6 PD, DHCPv6
> DNS option ...
>
> Sincerely,

I think you can just remove the ipv6_firewall_* variables from
/etc/defaults/rc.conf completely. Perhaps you can use 'set_rcvar_obsolete'
in /etc/rc.firewall to emit a warning if ipv6_firewall_enable is defined?
Or maybe just emit an explicit warning in /etc/rc.firewall in that case?

Other than that I think this patch looks good. Thanks for fixing this!

-- 
John Baldwin
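The three points the thread settles on for the "simple" firewall type (oif6/iif6 falling back to the IPv4 interface variables, one stateful TCP rule per address family instead of a weaker IPv6 rule, and a warning when the obsolete ipv6_firewall_enable knob is still set) can be modelled in a few shell functions. This is an added illustration, not the rc.firewall patch under review: the function names resolve_simple_ifaces, emit_tcp_setup_rules and warn_obsolete_ipv6_firewall are assumed, the rule text is an approximation of ipfw(8) syntax rather than the patch's exact rules, and the warning function stands in for the rc.subr set_rcvar_obsolete mechanism John mentions.

```shell
#!/bin/sh
# Added illustration, not FreeBSD's rc.firewall: models the interface
# fallback, the per-family stateful TCP rule, and the obsolete-knob warning
# discussed in the thread. Function names and rule text are assumptions.

# Default fwcmd to "echo" so rules are printed instead of loaded; on a real
# host rc.firewall sets this to /sbin/ipfw and needs root.
fwcmd="${fwcmd:-echo}"

# Pick oif6/iif6: use ${firewall_simple_oif_ipv6}/${firewall_simple_iif_ipv6}
# when set, otherwise inherit the IPv4 interface names (the patch's fallback).
# Arguments: oif iif oif6 iif6 (the last two may be empty). Prints "oif6 iif6".
resolve_simple_ifaces() {
    _oif="$1"; _iif="$2"; _oif6="$3"; _iif6="$4"
    [ -n "$_oif6" ] || _oif6="$_oif"
    [ -n "$_iif6" ] || _iif6="$_iif"
    echo "$_oif6 $_iif6"
}

# Emit the same stateful TCP rule for both families: "me" via oif for IPv4,
# "me6" via oif6 for IPv6. With the kern/117234 fix, keep-state works for
# IPv6 too, so neither family is left with a weaker rule.
emit_tcp_setup_rules() {
    _oif="$1"; _oif6="$2"
    ${fwcmd} add check-state
    ${fwcmd} add pass tcp from me to any out via "$_oif" setup keep-state
    ${fwcmd} add pass tcp from me6 to any out via "$_oif6" setup keep-state
}

# Stand-in for the set_rcvar_obsolete idea: warn when the removed
# ipv6_firewall_enable knob is still present in rc.conf.
# Returns 0 if a warning was printed, 1 if the value was empty/unset.
warn_obsolete_ipv6_firewall() {
    if [ -n "$1" ]; then
        echo "WARNING: ipv6_firewall_enable is obsolete; IPv6 rules now load under firewall_enable" >&2
        return 0
    fi
    return 1
}

# Demo run with constructed values: em0/em1 are the IPv4 outside/inside
# interfaces, gif0 an IPv6 tunnel, and no *_iif_ipv6 is set, so iif6
# falls back to em1.
set -- $(resolve_simple_ifaces em0 em1 gif0 "")
emit_tcp_setup_rules em0 "$1"
warn_obsolete_ipv6_firewall "${ipv6_firewall_enable:-}" || :
```

Running it as-is prints the three rules with the resolved interfaces and stays silent on the warning; setting ipv6_firewall_enable=YES in the environment before running it shows the warning path that a migrated rc.conf would trigger.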