conf/123119: [patch] rc script for ipfw does not handle IPv6
gavin at FreeBSD.org
Mon Apr 28 12:13:28 UTC 2008
Synopsis: [patch] rc script for ipfw does not handle IPv6
State-Changed-From-To: feedback->open
State-Changed-By: gavin
State-Changed-When: Mon Apr 28 12:11:36 UTC 2008
State-Changed-Why:
Response received from submitter:
-------- Forwarded Message --------
From: Kevin Oberman <oberman at es.net>
Cc: freebsd-rc at FreeBSD.org, freebsd-ipfw at FreeBSD.org
Date: Sun, 27 Apr 2008 14:40:02 -0700
> To submitter: as far as I can tell, starting and stopping the IPv6
> firewall is correctly handled in /etc/rc.d/ip6fw. Is there a reason
> why you believe this is broken?

ip6fw was added to the system back with V5.0 days (not fun days for
FreeBSD) when ipfw was two separate modules, one for IPv4 and another
for IPv6. makonnen wrote the required script for the IPv6 module back in
2002 and it has lived on with mostly small fixes to deal with changes in
the startup scripts.

Back in 2006, ipfw was re-worked to make it dual stack and it now is a
single module with a single management CLI, ipfw(8) and rules for IPv4
and IPv6 can all be included in a single configuration file.

It really makes no sense to have two very similar startup scripts, one
with a fairly non-intuitive name, for a single function. It continues
the approach that IPv6 is to be treated as something separate and not an
integrated part of the OS and I see no real purpose served by the
separation.

Now that I have looked at ip6fw, I can see that the fix I recommended is
not adequate, although it will prevent the problem I ran into when I
thought I was stopping all of ipfw, only to find that I was still
blocked from the system (except via the console).

In my spare time (translate that to "it may take a while"), I'll look at
a merge of the two rc scripts so that those with separate configuration
files won't find things broken. (I suspect that there are not too many
of those, but their firewalls really need to be preserved.) It looks
simple on the surface, but I suspect there are a few corner cases that
might be a bit tricky.

I may even be able to come up with a solution to NDP (the IPv6
http://www.freebsd.org/cgi/query-pr.cgi?pr=123119