Unified rc.firewall ipfw me/me6 issue

Hajimu UMEMOTO ume at freebsd.org
Sun Jan 10 18:27:23 UTC 2010


Hi,

>>>>> On Sat, 2 Jan 2010 20:36:45 -0500
>>>>> David Horn <dhorn2000 at gmail.com> said:

> dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> dhorn2000> rc.firewall flow.
>
> Here is my proposed patch.  With this patch, 'me' matches to both IPv4
> and IPv6, and 'me4' is added for matching to only IPv4.

dhorn2000> The patch for me4/me6 works perfectly in my testing to date.  I guess
dhorn2000> we would need to convince a larger audience to get consensus on
dhorn2000> changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
dhorn2000> but I personally think it is the right direction.

Thank you for testing.
I've added current@ and net@ to Cc:.
It definitely makes IPv4/IPv6 dual-stack rules simpler if 'me'
matches both IPv4 and IPv6.  I think it is a desired feature.
However, I'm not sure we actually need 'me4'.  So, I split my previous
patch into two patches.  The 1st patch makes 'me' match both IPv4
and IPv6.  The 2nd patch adds 'me4'.
If there is no objection, I'll commit the 1st patch.  If someone wants
'me4', I'll commit the 2nd patch.
And, the 3rd patch is for rc.firewall.

dhorn2000> ipfw(8) man page already shows:

dhorn2000> me      matches any IP address configured on an interface in the
dhorn2000>                      system.

dhorn2000> me6     matches any IPv6 address configured on an interface in
dhorn2000>                      the system.  The address list is evaluated at the time
dhorn2000>                      the packet is analysed.

I wish to believe this description of 'me' is correct.  But, I'm
not sure whether it is a feature or not.  It might be that someone
forgot to change it at the time when IPv6 support was added to
IPFW.

Sincerely,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipfw-me-unify.diff
Type: text/x-patch
Size: 1192 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20100110/3c3e5236/ipfw-me-unify.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipfw-me4.diff
Type: text/x-patch
Size: 5604 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20100110/3c3e5236/ipfw-me4.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rc.firewall-me-unify.diff
Type: text/x-patch
Size: 5638 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20100110/3c3e5236/rc.firewall-me-unify.bin
-------------- next part --------------

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume at mahoroba.org  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
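Until 'me' matches both address families, an rc.firewall-style rule list that filters IPv4 with 'me' needs a parallel 'me6' rule for each one, or the IPv6 side of the host stays unfiltered. The following is an added shell example, not part of this message or of the patches attached to it; it audits a constructed sample rule set for bare 'me' rules that have no identical 'me6' counterpart and prints the counterparts that would be needed. The sample rules and the function names are the example's own.

```shell
#!/bin/sh
# Audit an ipfw rule list (rc.firewall style "add ..." lines) for rules that
# use the bare 'me' token without an IPv6 counterpart using 'me6'.
# Assumes the pre-patch behaviour discussed in the thread: 'me' matches only
# IPv4 addresses, so a lone 'me' rule leaves the IPv6 side unfiltered.

# Constructed sample rule set (hypothetical, not taken from rc.firewall).
SAMPLE_RULES='add 100 allow tcp from any to me 22 setup
add 100 allow tcp from any to me6 22 setup
add 200 allow udp from me to any 53
add 300 deny ip from any to me
add 300 deny ip from any to me6
add 400 allow tcp from any to me 80 setup'

# Regex matching 'me' as a standalone token (not 'me4' or 'me6').
ME_TOKEN='(^|[[:space:]])me([[:space:]]|$)'

# me_to_me6 <rule>  - print the rule with every bare 'me' replaced by 'me6'.
me_to_me6() {
    printf '%s\n' "$1" | sed -E "s/$ME_TOKEN/\\1me6\\2/g"
}

# me_rules_without_me6 <rules-text>
# Print each rule that uses the bare 'me' token and has no identical
# rule in the set with 'me6' substituted for 'me'.
me_rules_without_me6() {
    rules=$1
    printf '%s\n' "$rules" | grep -E "$ME_TOKEN" |
    while IFS= read -r rule; do
        v6=$(me_to_me6 "$rule")
        # -F: literal match, -x: whole line, -q: status only
        if ! printf '%s\n' "$rules" | grep -Fqx -- "$v6"; then
            printf '%s\n' "$rule"
        fi
    done
}

# count_me_rules_without_me6 <rules-text> - number of uncovered 'me' rules.
count_me_rules_without_me6() {
    me_rules_without_me6 "$1" | awk 'END { print NR }'
}

# suggest_me6_rules <rules-text> - the 'me6' rules that would close the gap.
suggest_me6_rules() {
    me_rules_without_me6 "$1" | while IFS= read -r rule; do
        me_to_me6 "$rule"
    done
}

# Stand-alone usage: report the gaps in the constructed sample.
echo "IPv4-only 'me' rules lacking a 'me6' twin:"
me_rules_without_me6 "$SAMPLE_RULES"
echo "Suggested additions:"
suggest_me6_rules "$SAMPLE_RULES"
```

Feed it the output of `ipfw list` (or the relevant `add` lines of a local rc.firewall) instead of the sample to check a real rule set; once the first patch is committed and 'me' covers both families, the audit becomes unnecessary and bare 'me' rules are sufficient.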

