Re: [CFR] unified rc.firewall

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Mon, 23 Nov 2009 16:12:20 +0000 (UTC)
On Mon, 23 Nov 2009, John Baldwin wrote:

> On Monday 23 November 2009 10:13:54 am Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Sun, 22 Nov 2009 11:12:33 -0800
>>>>>>> Doug Barton <dougb_at_FreeBSD.org> said:
>>
>> dougb> In rc.firewall you seem to have copied afexists() from network.subr.
>> dougb> Is there a reason that you did not simply source that file? That would
>> dougb> be the preferred method. Also in that file you call "if afexists
>> dougb> inet6" quite a few times. My preference from a performance standpoint
>> dougb> would be to call it once, perhaps in a start_precmd then cache the value.
>>
>> Thank you for the comments.
>> Ah, yes, afexists() is only in 9-CURRENT, and is not MFC'ed into 8,
>> yet.  So, I thought the patch should be able to work on both 9 and 8,
>> for review.  I've changed to source network.subr for afexists().
>> Calling afexists() several times was not a good idea.  So, I've changed
>> to call afexists() just once.
>> The new patch is attached.
>>
>> dougb> And of course, you have regression tested this thoroughly, yes? :)
>> dougb> Please include scenarios where there is no INET6 in the kernel as well.
>>
>> Okay, I've tested it on INET6-less kernel, as well.
>
> Some comments I have:
>
> _at__at_ -178,6 +212,16 _at__at_
>        # Allow any traffic to or from my own net.
>        ${fwcmd} add pass all from me to ${net}
>        ${fwcmd} add pass all from ${net} to me
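Review bot: both pass rules in this hunk use `all` with `me`, and in ipfw `me` matches only the host's IPv4 addresses, so on a dual-stack host IPv6 traffic between the host and its own net is not passed by these two lines. If this is meant to be the unified script, restrict these rules to `ip4` and add an IPv6 twin (`ip6` with `me6` and an IPv6 network variable) guarded by the single cached `afexists inet6` result discussed earlier in the thread, so that each family is handled explicitly.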

I haven't looked at the entire update but as I see this I shall note
unless I missed a fix to ipfw, you need to make that ip and use ip6
and me6 for the new world order.

Please make sure that this works as expected in mixed-world scenarios
as well as legacy IP and IPv6 only worlds.

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
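As an added example (not Hajimu's patch and not FreeBSD's own rc.firewall), the dual-stack pattern this thread converges on: check `afexists inet6` once, cache it, and emit an `ip6`/`me6` twin of each `ip4`/`me` rule. `afexists()` is stubbed here (an assumption; the real one lives in /etc/network.subr) with a `FAKE_INET6` override so the INET6-less kernel case can be exercised, and `fwcmd` defaults to `echo` so the generated rules can be inspected without ipfw.

```sh
#!/bin/sh
# Added example, not the patch under review. fwcmd=echo prints the
# rules instead of loading them; set fwcmd=ipfw on a real host.
fwcmd=${fwcmd:-echo}

# Stand-in for network.subr's afexists() (assumption). FAKE_INET6=no
# simulates a kernel built without INET6.
afexists() {
	case "$1" in
	inet)  return 0 ;;
	inet6) [ "${FAKE_INET6:-yes}" = "yes" ] ;;
	*)     return 1 ;;
	esac
}

# Check once (as advised in the thread) and cache the result for every
# later rule instead of calling afexists() per rule.
firewall_init_af() {
	if afexists inet6; then
		_ipv6_available=yes
	else
		_ipv6_available=no
	fi
}

# Allow any traffic to or from my own net. "me" covers only the host's
# IPv4 addresses, so the IPv6 side needs "ip6" and "me6", guarded by the
# cached flag. $1: IPv4 net (CIDR), $2: IPv6 prefix (CIDR, may be empty).
firewall_pass_own_net() {
	net=$1 net6=$2
	${fwcmd} add pass ip4 from me to "${net}"
	${fwcmd} add pass ip4 from "${net}" to me
	if [ "${_ipv6_available}" = "yes" ] && [ -n "${net6}" ]; then
		${fwcmd} add pass ip6 from me6 to "${net6}"
		${fwcmd} add pass ip6 from "${net6}" to me6
	fi
}

# Constructed sample nets (documentation ranges).
firewall_init_af
firewall_pass_own_net 192.0.2.0/24 2001:db8::/32
```

Running it with `FAKE_INET6=no` yields only the two ip4 rules, which is the INET6-less kernel scenario Doug asked to have tested.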