[CFR] unified rc.firewall
    Bjoern A. Zeeb 
    bzeeb-lists at lists.zabbadoz.net
       
    Mon Nov 23 16:15:07 UTC 2009
    
    
  
On Mon, 23 Nov 2009, John Baldwin wrote:
> On Monday 23 November 2009 10:13:54 am Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Sun, 22 Nov 2009 11:12:33 -0800
>>>>>>> Doug Barton <dougb at FreeBSD.org> said:
>>
>> dougb> In rc.firewall you seem to have copied afexists() from network.subr.
>> dougb> Is there a reason that you did not simply source that file? That would
>> dougb> be the preferred method. Also in that file you call "if afexists
>> dougb> inet6" quite a few times. My preference from a performance standpoint
>> dougb> would be to call it once, perhaps in a start_precmd then cache the value.
>>
>> Thank you for the comments.
>> Ah, yes, afexists() is only in 9-CURRENT, and is not MFC'ed into 8,
>> yet.  So, I thought the patch should be able to work on both 9 and 8,
>> for review.  I've changed to source network.subr for afexists().
>> Calling afexists() several times was not good idea.  So, I've changed
>> to call afexists() just once.
>> The new patch is attached.
>>
>> dougb> And of course, you have regression tested this thoroughly, yes? :)
>> dougb> Please include scenarios where there is no INET6 in the kernel as well.
>>
>> Okay, I've tested it on INET6-less kernel, as well.
>
> Some comments I have:
>
> @@ -178,6 +212,16 @@
>        # Allow any traffic to or from my own net.
>        ${fwcmd} add pass all from me to ${net}
>        ${fwcmd} add pass all from ${net} to me
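Review bot: the keyword me in these two rules matches only the host's IPv4 addresses, so if the surrounding addition is meant to give IPv6 neighbours the same "my own net" allowance, it needs a second pair of rules using me6 and an IPv6 prefix in place of ${net}; ipfw's ip4 and ip6 keywords (rather than all) keep each pair restricted to its own address family, and the IPv6 pair should only be loaded when the kernel has INET6.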
I haven't looked at the entire update, but as I see this I shall note that,
unless I missed a fix to ipfw, you need to make that ip and use ip6 and me6
for the new world order.
Please make sure that this works as expected in mixed-world scenarios
as well as in legacy IP and IPv6-only worlds.
/bz
-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
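The "my own net" rule pair discussed above, written out for both address families with the afexists() result cached once, as an added example that is not the patch under review nor FreeBSD's own rc.firewall. It assumes ipfw's me6, ip4 and ip6 keywords, substitutes echo for ${fwcmd} so the generated commands are printed rather than loaded, and replaces afexists() from /etc/network.subr with a stub driven by a hypothetical INET6_AVAILABLE variable; net6 is likewise an assumed variable name.

```sh
#!/bin/sh
# Added example: emit ipfw rules allowing traffic between the host and
# its own IPv4 and IPv6 networks. Not code from the thread's patch.

# Stand-in for afexists() from /etc/network.subr. On a FreeBSD host the
# real function is sourced; here availability of the inet6 family is
# taken from the hypothetical INET6_AVAILABLE variable so the script
# runs on any system (default: assume the kernel has INET6).
afexists_stub() {
    case "$1" in
    inet)  return 0 ;;
    inet6) [ "${INET6_AVAILABLE:-yes}" = "yes" ] ;;
    *)     return 1 ;;
    esac
}

# own_net_rules FWCMD NET NET6
#   FWCMD  command used to load a rule (echo here, /sbin/ipfw -q on a real host)
#   NET    IPv4 prefix of the local network
#   NET6   IPv6 prefix of the local network (hypothetical net6 variable)
# Prints one rule per line on stdout.
own_net_rules() {
    fwcmd=$1
    net=$2
    net6=$3

    # Ask afexists() once and cache the answer instead of calling it
    # before every IPv6 rule.
    if afexists_stub inet6; then
        ipv6_available=yes
    else
        ipv6_available=no
    fi

    # IPv4 pair: "me" matches only the host's IPv4 addresses, and ip4
    # keeps the rule from matching IPv6 packets at all.
    ${fwcmd} add pass ip4 from me to "${net}"
    ${fwcmd} add pass ip4 from "${net}" to me

    # IPv6 pair: "me6" matches the host's IPv6 addresses. Only loaded
    # when the kernel has INET6, otherwise ipfw would reject the rule.
    if [ "${ipv6_available}" = "yes" ]; then
        ${fwcmd} add pass ip6 from me6 to "${net6}"
        ${fwcmd} add pass ip6 from "${net6}" to me6
    fi
}

# Usage with constructed documentation prefixes (RFC 5737 / RFC 3849):
own_net_rules echo 192.0.2.0/24 2001:db8::/32
```

On a kernel without INET6 (INET6_AVAILABLE=no with the stub) only the two ip4 rules are emitted, which is the IPv6-less scenario Doug asked to have tested.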
    
    