Hi,

>>>>> On Sat, 2 Jan 2010 20:36:45 -0500
>>>>> David Horn <dhorn2000_at_gmail.com> said:

> dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> dhorn2000> rc.firewall flow.
>
> Here is my proposed patch. With this patch, 'me' matches to both IPv4
> and IPv6, and 'me4' is added for matching to only IPv4.

dhorn2000> The patch for me4/me6 works perfect in my testing to date. I guess
dhorn2000> we would need to convince a larger audience to get consensus on
dhorn2000> changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
dhorn2000> but I personally think it is the right direction.

Thank you for testing. I've added current_at_ and net_at_ to Cc:.
It makes the IPv4/IPv6 dual stack rule definitely simpler that 'me'
matches to both IPv4 and IPv6. I think it is a desired feature.
However, I'm not sure we actually need 'me4'. So, I split my previous
patch into two patches. The 1st patch makes 'me' match to both IPv4
and IPv6. The 2nd patch adds 'me4'.
If there is no objection, I'll commit the 1st patch. If someone wants
'me4', I'll commit the 2nd patch.
And, the 3rd patch is for rc.firewall.

dhorn2000> ipfw(8) man page already shows:

dhorn2000>     me      matches any IP address configured on an interface in the
dhorn2000>             system.
dhorn2000>     me6     matches any IPv6 address configured on an interface in
dhorn2000>             the system. The address list is evaluated at the time
dhorn2000>             the packet is analysed.

I wish to believe this description about 'me' is correct. But, I'm
not sure whether it is a feature or not. It might be that someone
forgot to change it at the time when an IPv6 support was added to IPFW.

Sincerely,

--
Hajimu UMEMOTO _at_ Internet Mutual Aid Society Yokohama, Japan
ume_at_mahoroba.org  ume_at_{,jp.}FreeBSD.org
http://www.imasy.org/~ume/