From: "Bjoern A. Zeeb"
Date: Mon, 23 Nov 2009 16:12:20 +0000 (UTC)
To: Hajimu UMEMOTO
Cc: freebsd-net@freebsd.org, freebsd-current@freebsd.org
Subject: Re: [CFR] unified rc.firewall
Message-ID: <20091123161013.X37440@maildrop.int.zabbadoz.net>
In-Reply-To: <200911231056.15247.jhb@freebsd.org>
References: <4B098D21.4040607@FreeBSD.org> <200911231056.15247.jhb@freebsd.org>

On Mon, 23 Nov 2009, John Baldwin wrote:

> On Monday 23 November 2009 10:13:54 am Hajimu UMEMOTO wrote:
>> Hi,
>>
>>>>>>> On Sun, 22 Nov 2009 11:12:33 -0800
>>>>>>> Doug Barton said:
>>
>> dougb> In rc.firewall you seem to have copied afexists() from network.subr.
>> dougb> Is there a reason that you did not simply source that file? That would
>> dougb> be the preferred method. Also in that file you call "if afexists
>> dougb> inet6" quite a few times. My preference from a performance standpoint
>> dougb> would be to call it once, perhaps in a start_precmd then cache the value.
>>
>> Thank you for the comments.
>> Ah, yes, afexists() is only in 9-CURRENT, and is not MFC'ed into 8,
>> yet. So, I thought the patch should be able to work on both 9 and 8,
>> for review. I've changed to source network.subr for afexists().
>> Calling afexists() several times was not a good idea. So, I've changed
>> to call afexists() just once.
>> The new patch is attached.
>>
>> dougb> And of course, you have regression tested this thoroughly, yes? :)
>> dougb> Please include scenarios where there is no INET6 in the kernel as well.
>>
>> Okay, I've tested it on an INET6-less kernel, as well.
>
> Some comments I have:
>
> @@ -178,6 +212,16 @@
> # Allow any traffic to or from my own net.
> ${fwcmd} add pass all from me to ${net}
> ${fwcmd} add pass all from ${net} to me

I haven't looked at the entire update, but as I see this I shall note that,
unless I missed a fix to ipfw, you need to make that "ip" and use "ip6" and
"me6" for the new world order.

Please make sure that this works as expected in mixed-world scenarios as
well as in legacy IP and IPv6-only worlds.

/bz

-- 
Bjoern A. Zeeb                      It will not break if you know what you are doing.
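Review bot: the two rules in this hunk pass the "own net" traffic for legacy IP only: `me` matches the host's IPv4 addresses, so IPv6 packets to or from the own net fall through to later rules. Make the protocol `ip` on these two lines and add a parallel pair using `ip6` and `me6` for the IPv6 network, emitted only when the single cached `afexists inet6` result is true so that an INET6-less kernel never hands ipfw the IPv6 keywords; cover the mixed-stack and IPv6-only cases in the regression tests as well.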
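The two points raised in the thread, calling the address-family check once and giving the "own net" rules an ip6/me6 counterpart, as an added sh example that is not part of the rc.firewall patch or of FreeBSD's network.subr. It assumes `${fwcmd}` is replaced by `echo` so the generated rules can be inspected offline, and takes the cached `afexists inet6` result as a plain yes/no argument.

```shell
#!/bin/sh
# Added example, not part of the rc.firewall patch under review.
# fwcmd is "echo" here so the generated ipfw rules are printed rather than
# loaded; in the real script it is the ipfw binary.
fwcmd="echo"

# Emit the "my own net" rules for legacy IP and, only when the kernel has
# INET6, the IPv6 pair. The address-family check is evaluated once by the
# caller (afexists inet6 in network.subr) and passed in, not re-run per rule.
own_net_rules() {
    net="$1"        # IPv4 network, constructed sample: 192.0.2.0/24
    net6="$2"       # IPv6 network, constructed sample: 2001:db8::/32
    have_inet6="$3" # "yes" if afexists inet6 succeeded, "no" otherwise

    # Legacy IP: "me" matches the host's IPv4 addresses, so these rules
    # never cover IPv6 traffic even with protocol "all"; use "ip" instead.
    ${fwcmd} add pass ip from me to "${net}"
    ${fwcmd} add pass ip from "${net}" to me

    # IPv6 needs its own pair with ip6/me6. Skip it on an INET6-less kernel
    # so ipfw is never handed keywords the build cannot use.
    if [ "${have_inet6}" = "yes" ]; then
        ${fwcmd} add pass ip6 from me6 to "${net6}"
        ${fwcmd} add pass ip6 from "${net6}" to me6
    fi
}

# Number of rules emitted for a given INET6 availability: 2 without, 4 with.
rule_count() {
    own_net_rules 192.0.2.0/24 2001:db8::/32 "$1" | wc -l | tr -d ' '
}
```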