Unified rc.firewall ipfw me/me6 issue

Luigi Rizzo rizzo at iet.unipi.it
Sun Jan 10 18:44:29 UTC 2010


On Mon, Jan 11, 2010 at 03:27:13AM +0900, Hajimu UMEMOTO wrote:
> Hi,
> 
> >>>>> On Sat, 2 Jan 2010 20:36:45 -0500
> >>>>> David Horn <dhorn2000 at gmail.com> said:
> 
> > dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> > dhorn2000> rc.firewall flow.
> >
> > Here is my proposed patch.  With this patch, 'me' matches both IPv4
> > and IPv6, and 'me4' is added for matching only IPv4.
> 
> dhorn2000> The patch for me4/me6 works perfect in my testing to date.   I guess
> dhorn2000> we would need to convince a larger audience to get consensus on
> dhorn2000> changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
> dhorn2000> but I personally think it is the right direction.
> 
> Thank you for testing.
> I've added current@ and net@ to Cc:.
> Having 'me' match both IPv4 and IPv6 makes the IPv4/IPv6 dual-stack
> rules definitely simpler.  I think it is a desired feature.
> However, I'm not sure we actually need 'me4'.  So, I split my previous
> patch into two patches.  The 1st patch makes 'me' match both IPv4
> and IPv6.  The 2nd patch adds 'me4'.
> If there is no objection, I'll commit the 1st patch.  If someone wants
> 'me4', I'll commit the 2nd patch.

We only need one 'me' option that matches v4 and v6, because the
other two can be implemented as 'ip4 me' and 'ip6 me' at no extra
cost (the code for 'me' only scans the list corresponding to the
actual address family of the packet).  I would actually vote for
removing the 'me6' microinstruction from the kernel, and implement
it in /sbin/ipfw by generating 'ip6 me'.

Feel free to commit the change yourself.

cheers
luigi
