Date:      Mon, 23 Nov 2009 16:12:20 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        Hajimu UMEMOTO <ume@freebsd.org>
Cc:        freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject:   Re: [CFR] unified rc.firewall
Message-ID:  <20091123161013.X37440@maildrop.int.zabbadoz.net>
In-Reply-To: <200911231056.15247.jhb@freebsd.org>
References:  <ygeljhyk1qg.wl%ume@mahoroba.org> <4B098D21.4040607@FreeBSD.org> <ygek4xhjmtp.wl%ume@mahoroba.org> <200911231056.15247.jhb@freebsd.org>

On Mon, 23 Nov 2009, John Baldwin wrote:

> On Monday 23 November 2009 10:13:54 am Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Sun, 22 Nov 2009 11:12:33 -0800
>>>>>>> Doug Barton <dougb@FreeBSD.org> said:
>>
>> dougb> In rc.firewall you seem to have copied afexists() from network.subr.
>> dougb> Is there a reason that you did not simply source that file? That would
>> dougb> be the preferred method. Also in that file you call "if afexists
>> dougb> inet6" quite a few times. My preference from a performance standpoint
>> dougb> would be to call it once, perhaps in a start_precmd then cache the value.
>>
>> Thank you for the comments.
>> Ah, yes, afexists() is only in 9-CURRENT, and is not MFC'ed into 8,
>> yet.  So, I thought the patch should be able to work on both 9 and 8,
>> for review.  I've changed to source network.subr for afexists().
>> Calling afexists() several times was not a good idea.  So, I've changed
>> to call afexists() just once.
>> The new patch is attached.
>>
>> dougb> And of course, you have regression tested this thoroughly, yes? :)
>> dougb> Please include scenarios where there is no INET6 in the kernel as well.
>>
>> Okay, I've tested it on INET6-less kernel, as well.
>
> Some comments I have:
>
> @@ -178,6 +212,16 @@
>        # Allow any traffic to or from my own net.
>        ${fwcmd} add pass all from me to ${net}
>        ${fwcmd} add pass all from ${net} to me
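Review bot: the two `pass all from me to ${net}` / `from ${net} to me` rules in this hunk only cover the legacy-IP address set, so a unified rc.firewall still needs the IPv6 counterpart as a separate pair written with `ip6` and `me6` against the IPv6 net value; since the script now calls afexists inet6 once and caches the result, that second pair can be emitted only when the cached check succeeded, which also keeps the INET6-less kernel case from loading rules the kernel cannot match.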

I haven't looked at the entire update, but as I see this I shall note
that, unless I missed a fix to ipfw, you need to make that ip and use ip6
and me6 for the new world order.

Please make sure that this works as expected in mixed-world scenarios
as well as legacy IP and IPv6 only worlds.

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
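The two points raised in this thread (call afexists once and cache it; give IPv6 its own ip6/me6 rules) as an added sh example, not code from the patch under review or from FreeBSD's rc.firewall. It assumes a stand-in afexists() keyed on a constructed HAVE_INET6 variable in place of the real one from network.subr, fwcmd=echo so rules are printed rather than loaded, and hypothetical net/net6 values.

```sh
#!/bin/sh
# Added example, not part of the thread or of FreeBSD's rc.firewall.
# fwcmd=echo prints the rules instead of loading them into ipfw.
fwcmd="echo"
net="10.0.0.0/24"          # constructed legacy-IP network
net6="2001:db8::/64"       # constructed IPv6 network (hypothetical variable name)

# Stand-in for afexists() from /etc/network.subr: the real one probes the
# kernel; this one answers from the constructed HAVE_INET6 variable so the
# script runs anywhere.
afexists() {
    case "$1" in
        inet)  return 0 ;;
        inet6) [ "${HAVE_INET6:-YES}" = "YES" ] ;;
        *)     return 1 ;;
    esac
}

# Evaluate the inet6 check once and cache it, instead of calling afexists
# in front of every rule.
setup_af_cache() {
    if afexists inet6; then ipv6_available=YES; else ipv6_available=NO; fi
}

# Legacy IP uses "ip"/"me"; the IPv6 side needs "ip6"/"me6", so it is a
# separate pair of rules guarded by the cached check.
own_net_rules() {
    ${fwcmd} add pass ip from me to ${net}
    ${fwcmd} add pass ip from ${net} to me
    if [ "${ipv6_available}" = "YES" ]; then
        ${fwcmd} add pass ip6 from me6 to ${net6}
        ${fwcmd} add pass ip6 from ${net6} to me6
    fi
}

# Returns 0 only when the generated rule set contains an IPv6 rule.
emits_ipv6_rules() {
    setup_af_cache
    own_net_rules | grep -q 'me6'
}

setup_af_cache
own_net_rules
```

Run it with HAVE_INET6=NO to see the IPv6 pair disappear, which is the INET6-less kernel case the thread asks to be tested.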