From owner-freebsd-net@FreeBSD.ORG Sun Nov 22 19:12:27 2009
From: Doug Barton
Organization: http://SupersetSolutions.com/
Date: Sun, 22 Nov 2009 11:12:33 -0800
To: Hajimu UMEMOTO
Cc: current@FreeBSD.org, net@FreeBSD.org
Subject: Re: [CFR] unified rc.firewall
Message-ID: <4B098D21.4040607@FreeBSD.org>

Hajimu UMEMOTO wrote:
> Hi,
>
> The ipfw and ip6fw were unified into ipfw2 now. But we still have
> rc.firewall and rc.firewall6. However, there are conflicts with each
> other, and it confuses the users, IMHO.
> So, I made a patch to unify rc.firewall and rc.firewall6, and obsolete
> rc.firewall6 and rc.d/ip6fw.
> Please review the attached patch. If there is no objection, I'll
> commit it next weekend.
Overall I think this is good, and I'm definitely in favor of more integration of IPv6 into the mainstream rather than something that is glued on. A few comments:

In rc.firewall you seem to have copied afexists() from network.subr. Is there a reason that you did not simply source that file? That would be the preferred method.

Also in that file you call "if afexists inet6" quite a few times. My preference from a performance standpoint would be to call it once, perhaps in a start_precmd, then cache the value.

And of course, you have regression tested this thoroughly, yes? :) Please include scenarios where there is no INET6 in the kernel as well.

hth,

Doug

--
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/
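The two suggestions in the reply (source afexists() from network.subr instead of copying it, and evaluate "afexists inet6" once, then reuse the cached value), as an added example that is not part of the thread or of the patch under review. NETWORK_SUBR, FAKE_AFS, the stand-in afexists() and the echo-based dry run are assumptions so the script also runs on hosts without FreeBSD's network.subr; the loopback rules are modelled on rc.firewall's, not copied from the patch.

```shell
#!/bin/sh
# Added example, not code from the thread or the patch under review.

# Source afexists() from network.subr rather than copying it. NETWORK_SUBR is
# an assumed knob; where the file is absent a constructed stand-in answers
# from FAKE_AFS (default "inet") so the rest of the script still runs.
load_afexists() {
    _subr=${NETWORK_SUBR:-/etc/network.subr}
    if [ -r "$_subr" ]; then
        . "$_subr"
    else
        afexists() {
            case " ${FAKE_AFS:-inet} " in
                *" $1 "*) return 0 ;;
                *) return 1 ;;
            esac
        }
    fi
}

# Evaluate the check once, as a start_precmd would, and cache the answer;
# later rule blocks read the variable instead of forking afexists again.
firewall_precmd() {
    if afexists inet6; then
        ipv6_available=0
    else
        ipv6_available=1
    fi
}

# Loopback rules modelled on rc.firewall's. fwcmd defaults to echo so this is
# a dry run that prints the rules; set fwcmd="ipfw -q" on a real host.
setup_loopback() {
    _fw=${fwcmd:-echo}
    $_fw add 100 pass all from any to any via lo0
    $_fw add 200 deny all from any to 127.0.0.0/8
    $_fw add 300 deny ip from 127.0.0.0/8 to any
    if [ "$ipv6_available" -eq 0 ]; then
        $_fw add 400 deny all from any to ::1
        $_fw add 500 deny all from ::1 to any
    fi
}

# Dry-run demonstration using the constructed stand-in with INET6 present.
NETWORK_SUBR=/nonexistent/network.subr
FAKE_AFS="inet inet6"
load_afexists
firewall_precmd
setup_loopback
```

Run it a second time with FAKE_AFS="inet" to see the no-INET6 case the reply asks to be regression tested: the two ::1 rules are skipped.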