Date: Mon, 23 Nov 2009 16:12:20 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: Hajimu UMEMOTO <ume@freebsd.org>
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: [CFR] unified rc.firewall
Message-ID: <20091123161013.X37440@maildrop.int.zabbadoz.net>
In-Reply-To: <200911231056.15247.jhb@freebsd.org>
References: <ygeljhyk1qg.wl%ume@mahoroba.org> <4B098D21.4040607@FreeBSD.org> <ygek4xhjmtp.wl%ume@mahoroba.org> <200911231056.15247.jhb@freebsd.org>
On Mon, 23 Nov 2009, John Baldwin wrote:

> On Monday 23 November 2009 10:13:54 am Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Sun, 22 Nov 2009 11:12:33 -0800
>>>>>>> Doug Barton <dougb@FreeBSD.org> said:
>>
>> dougb> In rc.firewall you seem to have copied afexists() from network.subr.
>> dougb> Is there a reason that you did not simply source that file? That would
>> dougb> be the preferred method. Also in that file you call "if afexists
>> dougb> inet6" quite a few times. My preference from a performance standpoint
>> dougb> would be to call it once, perhaps in a start_precmd then cache the value.
>>
>> Thank you for the comments.
>> Ah, yes, afexists() is only in 9-CURRENT, and is not MFC'ed into 8,
>> yet. So, I thought the patch should be able to work on both 9 and 8,
>> for review. I've changed to source network.subr for afexists().
>> Calling afexists() several times was not a good idea. So, I've changed
>> to call afexists() just once.
>> The new patch is attached.
>>
>> dougb> And of course, you have regression tested this thoroughly, yes? :)
>> dougb> Please include scenarios where there is no INET6 in the kernel as well.
>>
>> Okay, I've tested it on an INET6-less kernel, as well.
>
> Some comments I have:
>
> @@ -178,6 +212,16 @@
> # Allow any traffic to or from my own net.
> ${fwcmd} add pass all from me to ${net}
> ${fwcmd} add pass all from ${net} to me

I haven't looked at the entire update but as I see this I shall note,
unless I missed a fix to ipfw, you need to make that ip and use ip6 and
me6 for the new world order.

Please make sure that this works as expected in mixed-world scenarios as
well as legacy IP and IPv6 only worlds.

/bz

-- 
Bjoern A. Zeeb                      It will not break if you know what you are doing.
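Review bot: the context lines quoted after `@@ -178,6 +212,16 @@` are the unchanged `${fwcmd} add pass all from me to ${net}` / `${fwcmd} add pass all from ${net} to me` rules, which carry no address-family keyword; as this reply points out, covering the IPv6 side of "my own net" in a unified rc.firewall needs an `ip`/`me` rule next to an `ip6`/`me6` one rather than a single `all ... me` rule. Since the thread also asks for the script to work on an INET6-less kernel, the `ip6`/`me6` pair should be emitted only when the cached afexists inet6 result is true, so that the legacy-IP-only, IPv6-only and mixed cases Bjoern lists can all be exercised.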
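The two points made in this thread, calling afexists() once and caching the result (Doug's comment) and splitting the "my own net" rules into ip/me and ip6/me6 pairs (Bjoern's comment), put together as an added sh example. This is not the patch under review and not FreeBSD's rc.firewall; have_af is a hypothetical stand-in for network.subr's afexists() that reads a constructed HAVE_INET6 variable instead of probing the kernel, fwcmd defaults to "echo ipfw" so the script runs without a firewall, and the 192.0.2.0/24 and 2001:db8::/32 prefixes are constructed documentation ranges.

```shell
#!/bin/sh
# Added example, not the rc.firewall patch from the thread.
# fwcmd defaults to "echo ipfw" so the rules are printed, not installed.
: "${fwcmd:=echo ipfw}"

# Hypothetical stand-in for network.subr's afexists(): answers whether an
# address family is available. Instead of asking the kernel it reads the
# constructed HAVE_INET6 variable, so the script runs on any host.
have_af() {
    case "$1" in
    inet)  return 0 ;;
    inet6) [ "${HAVE_INET6:-no}" = yes ] ;;
    *)     return 1 ;;
    esac
}

# Evaluate the IPv6 check exactly once and cache the answer; every rule
# block below tests the cached variable rather than calling have_af again.
ipv6_available=$(have_af inet6 && echo yes || echo no)

# "Allow any traffic to or from my own net", emitted per address family:
#   $1 = IPv4 prefix, used with ip/me
#   $2 = IPv6 prefix, used with ip6/me6 only when IPv6 is present
own_net_rules() {
    local net="$1" net6="$2"
    ${fwcmd} add pass ip from me to "${net}"
    ${fwcmd} add pass ip from "${net}" to me
    if [ "${ipv6_available}" = yes ]; then
        ${fwcmd} add pass ip6 from me6 to "${net6}"
        ${fwcmd} add pass ip6 from "${net6}" to me6
    fi
}

# Count the rules a configuration would produce; handy for checking the
# legacy-IP-only versus mixed cases without installing anything.
own_net_rule_count() {
    own_net_rules "$1" "$2" | grep -c 'add pass'
}

own_net_rules 192.0.2.0/24 2001:db8::/32
```

Run it as is and only the two ip/me rules appear; run it with HAVE_INET6=yes in the environment and the two ip6/me6 rules are added after them, which is the mixed case Bjoern asks to have tested.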
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20091123161013.X37440>