Date: Mon, 30 Nov 2009 13:00:03 -0500
From: John Baldwin <jhb@freebsd.org>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject: Re: [CFR] unified rc.firewall
Message-ID: <200911301300.03324.jhb@freebsd.org>
In-Reply-To: <yged436d25v.wl%ume@mahoroba.org>
References: <ygeljhyk1qg.wl%ume@mahoroba.org> <200911231255.26279.jhb@freebsd.org> <yged436d25v.wl%ume@mahoroba.org>
On Wednesday 25 November 2009 11:01:16 am Hajimu UMEMOTO wrote:
> Hi,
>
> >>>>> On Mon, 23 Nov 2009 12:55:25 -0500
> >>>>> John Baldwin <jhb@freebsd.org> said:
>
> I updated the patch.
>
> jhb> I had missed the me vs any.  It is true that the equivalent rule would use
> jhb> me6.  I would rather figure out the IPv6 bug so that TCP is treated the
> jhb> same for both protocols instead of having a weaker firewall for IPv6 than
> jhb> IPv4.
>
> Yes, it is better, definitely.  I thought that we could change to use
> dynamic rules once it was fixed.
> Since PR kern/117234 fixed it, I changed to use dynamic rules for
> IPv6 as well.  So, it requires the patch in the PR.
>
> jhb> I do find the shorter version easier to read, and it matches the existing
> jhb> style as well as the examples in the manual page, handbook, etc.
>
> Okay, I changed 'ip6' to 'all' where we can use it, and stopped using
> 'proto xxx' as much as possible.
>
> I reconsidered the oif vs oif6 and iif vs iif6 issue.  Now, if
> $firewall_simple_oif_ipv6 is not set, $firewall_simple_oif is assumed
> for oif6, and if $firewall_simple_iif_ipv6 is not set,
> $firewall_simple_iif is assumed for iif6.
> Further, I think we don't usually assign a global IPv6 address to oif.
> So, I made $firewall_simple_onet_ipv6 optional.
> One more change is that DHCPv6 is allowed as well as IPv4 DHCP for the
> WORKSTATION type.  I usually use DHCPv6: L2TP + DHCPv6 PD, the DHCPv6
> DNS option ...
>
> Sincerely,

I think you can just remove the ipv6_firewall_* variables from
/etc/defaults/rc.conf completely.  Perhaps you can use 'set_rcvar_obsolete'
in /etc/rc.firewall to emit a warning if ipv6_firewall_enable is defined?
Or maybe just emit an explicit warning in /etc/rc.firewall in that case?

Other than that I think this patch looks good.  Thanks for fixing this!

-- 
John Baldwin
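The two behaviours discussed in the message above, the IPv6 interface variables falling back to the IPv4 ones and a warning when the obsolete ipv6_firewall_enable knob is still set, written out as a stand-alone sh example. This is added illustration, not the rc.firewall code from the patch under review: the function names, the warning text and the DHCP/DHCPv6 rule strings are assumptions (rules are built as strings, never passed to ipfw), and set_rcvar_obsolete from rc.subr is not used so the script runs outside FreeBSD.

```sh
#!/bin/sh
# Added example, not part of the rc.firewall patch. Function names and
# rule text are assumptions chosen for illustration.

# Resolve the simple-type interface variables. When the *_ipv6 variables
# are unset, the IPv4 ones are assumed for oif6/iif6, as the thread
# describes. firewall_simple_onet_ipv6 stays optional (may be empty).
resolve_simple_ifaces() {
    oif6="${firewall_simple_oif_ipv6:-$firewall_simple_oif}"
    iif6="${firewall_simple_iif_ipv6:-$firewall_simple_iif}"
    onet6="${firewall_simple_onet_ipv6:-}"
}

# Emit a warning (and return non-zero) if the old ipv6_firewall_enable
# knob is still defined in rc.conf. A real rc.firewall would use
# set_rcvar_obsolete from rc.subr; this is a plain-sh stand-in.
warn_obsolete_ipv6_firewall() {
    if [ -n "${ipv6_firewall_enable}" ]; then
        echo "WARNING: ipv6_firewall_enable is obsolete;" \
             "IPv6 rules are now loaded by rc.firewall via firewall_enable" >&2
        return 1
    fi
    return 0
}

# Build (but do not load) the WORKSTATION DHCP rules for one interface:
# IPv4 DHCP on UDP 67/68 and DHCPv6 on UDP 546/547. Assumed rule text;
# the IPv6 pair uses 'ip6' to match the 'all'/'ip6' style in the thread.
dhcp_rules() {
    iface="$1"
    printf '%s\n' \
        "add pass udp from any 68 to any 67 out via ${iface}" \
        "add pass udp from any 67 to any 68 in via ${iface}" \
        "add pass ip6 from any to any via ${iface} proto udp src-port 546 dst-port 547 out" \
        "add pass ip6 from any to any via ${iface} proto udp src-port 547 dst-port 546 in"
}

# Demo with constructed rc.conf values (not a real configuration).
firewall_simple_oif=em0
firewall_simple_iif=em1
resolve_simple_ifaces
echo "oif6=${oif6} iif6=${iif6} onet6='${onet6}'"
warn_obsolete_ipv6_firewall && echo "no obsolete knobs set"
dhcp_rules "${iif6}"
```

Because the fallback uses `${var:-default}`, an empty firewall_simple_oif_ipv6 behaves the same as an unset one, which is what you want when an old rc.conf carries the variable with no value.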
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200911301300.03324.jhb>