Re: [CFR] unified rc.firewall
- From: John Baldwin <jhb@xxxxxxxxxxx>
- Date: Mon, 30 Nov 2009 13:00:03 -0500
On Wednesday 25 November 2009 11:01:16 am Hajimu UMEMOTO wrote:
> Hi,
>
> On Mon, 23 Nov 2009 12:55:25 -0500
> John Baldwin <jhb@xxxxxxxxxxx> said:
>
> I updated the patch.
>
> jhb> I had missed the me vs any. It is true that the equivalent rule would use
> jhb> me6. I would rather figure out the IPv6 bug so that TCP is treated the
> jhb> same for both protocols instead of having a weaker firewall for IPv6 than
> jhb> IPv4.
>
> Yes, it is better, definitely. I thought that we could change to use
> dynamic rules once it was fixed.
> Since PR kern/117234 fixed it, I changed to use dynamic rules for
> IPv6 as well. So, it requires the patch in the PR.
>
> jhb> I do find the shorter version easier to read, and it matches the existing
> jhb> style as well as the examples in the manual page, handbook, etc.
>
> Okay, I changed 'ip6' to 'all' where we can use it, and stopped using
> 'proto xxx' where possible.
>
> I reconsidered the oif vs oif6 and iif vs iif6 issue. Now, if
> $firewall_simple_oif_ipv6 is not set, $firewall_simple_oif is assumed
> for oif6, and if $firewall_simple_iif_ipv6 is not set,
> $firewall_simple_iif is assumed for iif6.
>
> Further, I think we don't usually assign a global IPv6 address to oif.
> So, I made $firewall_simple_onet_ipv6 optional.
>
> One more change is that DHCPv6 is allowed as well as IPv4 DHCP for the
> WORKSTATION type. I'm usually using DHCPv6; L2TP + DHCPv6 PD, DHCPv6
> DNS option ...
>
> Sincerely,
I think you can just remove the ipv6_firewall_* variables from
/etc/defaults/rc.conf completely. Perhaps you can use 'set_rcvar_obsolete'
in /etc/rc.firewall to emit a warning if ipv6_firewall_enable is defined?
Or maybe just emit an explicit warning in /etc/rc.firewall in that case?
Other than that I think this patch looks good. Thanks for fixing this!
--
John Baldwin
_______________________________________________
freebsd-current@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@xxxxxxxxxxx"
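The two script-level behaviours the thread settles on, the IPv6 interface-variable fallback (oif6 defaulting to oif, iif6 to iif, onet6 optional) and a warning for the obsolete ipv6_firewall_enable knob, as an added plain-sh example. This is not the patch under review and not FreeBSD's own /etc/rc.firewall; the function names, the sample interface names and the printed ipfw rules are constructed for illustration (the DHCP port numbers are the standard ones: UDP 67/68 for IPv4, 547/546 for DHCPv6).

```sh
#!/bin/sh
# Added example, not the patch from the thread and not FreeBSD's rc.firewall:
# a plain sh sketch of the interface fallback and the obsolete-knob warning
# discussed above.  Function names and sample values are assumptions.

# Resolve the interface variables for the "simple" firewall type.  If the
# IPv6-specific variable is unset or empty, the IPv4 one is reused, as the
# thread describes.  $firewall_simple_onet_ipv6 stays optional (may be empty).
fw_resolve_ifaces() {
    oif=${firewall_simple_oif}
    iif=${firewall_simple_iif}
    oif6=${firewall_simple_oif_ipv6:-${firewall_simple_oif}}
    iif6=${firewall_simple_iif_ipv6:-${firewall_simple_iif}}
    onet6=${firewall_simple_onet_ipv6}
}

# Emit a warning if the pre-unification knob ipv6_firewall_enable is still
# set in rc.conf.  Returns 1 when it is, 0 otherwise.  A real rc script would
# use set_rcvar_obsolete from rc.subr rather than open-coding this check.
fw_warn_obsolete() {
    if [ -n "${ipv6_firewall_enable}" ]; then
        echo "WARNING: ipv6_firewall_enable is obsolete, use firewall_enable" >&2
        return 1
    fi
    return 0
}

# Print (instead of running) the client-side DHCP rules a WORKSTATION type
# needs on the resolved interfaces: IPv4 DHCP answers arrive UDP 67 -> 68,
# DHCPv6 answers UDP 547 -> 546.  Constructed ipfw-syntax illustrations; a
# real script would hand each line to ${fwcmd} add.
fw_dhcp_client_rules() {
    echo "pass udp from any 67 to me 68 in via ${oif}"
    echo "pass udp from any 547 to me6 546 in via ${oif6}"
}

# Demo with constructed rc.conf values: the IPv6 outside interface is left
# empty so oif6 falls back to oif, while iif6 is given explicitly.
firewall_simple_oif=em0
firewall_simple_oif_ipv6=""
firewall_simple_iif=em1
firewall_simple_iif_ipv6=gif0
fw_resolve_ifaces
echo "oif=$oif oif6=$oif6 iif=$iif iif6=$iif6 onet6=${onet6:-<unset>}"
fw_dhcp_client_rules
ipv6_firewall_enable=YES
fw_warn_obsolete || :   # warning expected here; ':' keeps the exit status 0
```

With the demo values, oif6 resolves to em0 (the fallback) and iif6 to gif0 (the explicit setting), the DHCPv6 rule is emitted against em0, and the obsolete-knob check prints its warning to stderr.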