Date: Sun, 20 Sep 2009 22:40:18 +0900 (JST) From: Hiroki Sato <hrs@FreeBSD.org> To: dougb@FreeBSD.org Cc: freebsd-rc@FreeBSD.org Subject: Re: svn commit: r197145 - in head: etc/defaults share/man/man5 Message-ID: <20090920.224018.16368211.hrs@allbsd.org> In-Reply-To: <4AB15FCE.70505@FreeBSD.org> References: <200909122222.n8CMMV3d099311@svn.freebsd.org> <4AB15FCE.70505@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
----Security_Multipart0(Sun_Sep_20_22_40_18_2009_230)--
Content-Type: Multipart/Mixed;
boundary="--Next_Part(Sun_Sep_20_22_40_18_2009_389)--"
Content-Transfer-Encoding: 7bit
----Next_Part(Sun_Sep_20_22_40_18_2009_389)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi Doug,
First, I am sorry for the delayed response. I was in transit to UK to
attend EuroBSDCon and email application on my laptop was somewhat in a
bad state.
Doug Barton <dougb@FreeBSD.org> wrote
in <4AB15FCE.70505@FreeBSD.org>:
do> I realize that you've posted your patches in the past, and I
do> definitely had it in mind to review them in detail and give you
do> feedback on them. However I got focused on my own projects for the
do> pending release, and then since we were so close to the release I did
do> not think you would be committing these changes until after it was
do> done so I let review of these patches slip down my list of priorities.
do> Therefore I ask you to accept my apologies for this "after the fact"
do> review.
No problem. I am willing to listen to any opinions and discuss if
needed.
do> Before I forget, you keep putting "mfc after 3 days" in your commit
do> messages. You don't actually plan to MFC these changes to RELENG_8
do> prior to the 8.0-RELEASE do you? I would not be supportive of this
do> given the sweeping nature of the changes and the (unfortunately) small
do> percentage of our userbase that uses and tests IPv6. I think shaking
do> this code out in HEAD for several weeks at least would be a good thing.
I am still want to merge it into 8.0R because this includes a
user-visible change and the major version bump is a good timing.
What I want to do are:
- Make ND6_IFF_ACCEPT_RTADV a per-IF flag and turn it off by default.
Accepting Router Advertisement by default on all interfaces when
ipv6_enable=YES is too aggressive (explained later). Also, I
personally think RA should be accepted when the user specifies it
explicitly. We do not enable DHCP for IPv4 automatically when no
manual configuration is in rc.conf, for example.
IPv6 RFCs explains IPv6 nodes are classified as a host node and a
router, and a host may perform automatic address configuration by
DHCPv6, SLAAC or so. In practice, however, a FreeBSD box does not
always have only IPv6 interfaces. Some people may want to use one
of the interfaces for IPv4 only, and some want to use one for IPv6
with a manual configuration. The current implementation does not
allow it and ipv6_enable=YES forces receiving RA enable on
interfaces with no configuration.
- Remove ipv6_enable. It is a very confusing knob because a kernel
with INET6 (in GENERIC, as you know) supports IPv6 and it is
unclear that "what will be done on what interface". In earlier
days when IPv6 was an additional component maintained outside the
tree it was okay. However, it is now tightly integrated and I
believe IPv6 configuration should be done in a consistent way with
IPv4 (at least) wherever we can do so. For IPv4, what we need is
simply adding $ifconfig_IF (and $ifconfig_IF_aliasN if needed).
So, they should work for IPv6 instead of "ipv6_"-prefixed
variables.
The user-visible changes I added are the following:
1. $ipv6_enable is obsolete. Simply adding $ifconfig_IF_ipv6
works.
2. $ipv6_ifconfig_IF is obsolete. Use $ifconfig_IF_ipv6 instead.
Note that $ifconfig_IF_ipv6 does NOT automatically add "inet6"
keyword.
3. For people who do not want to IPv6 at all (for security reason
for example), interfaces with no manual configuration for IPv6
are marked as ND6_IFF_IFDISABLED by rc.d/netif. If you do not
mind IPv6 is enabled for all interfaces, set $ipv6_prefer=YES.
Even if $ipv6_prefer=NO (default), configurations by
$ipv6_ifconfig_IF and so on work. Also, you can disable IPv6 on
only one interface by using "ifconfig IF inet6 ifdisabled" in
$ifconfig_IF_ipv6.
One thing you have to be careful is source address selection by
ip6addrctl(8). When both IPv4 and IPv6 are usable, which is
used is controlled by it. IPv4 is preferred when
$ipv6_prefer=NO, and IPv6 is preferred when $ipv6_prefer=YES.
4. A link-local address is almost always added to an interface.
The link-local address is automatically assigned to an interface
and can be used for IPv6 communication such as SSH.
I remember there was a discussion that network communication on
an interface should not be enabled if there is no configuration.
And in our default configuration ($ipv6_enable=NO) this address
is not assigned. However, the link-local address is essential
for IPv6 functionality and we cannot remove it if we need IPv6
communication on that interface. Something like "ifconfig fxp0
inet6 2001:db8::1/64" can assign the IPv6 address to an
interface even if it has no link-local address, it can lead
unexpected behaviors.
So, as a compromised way, I added the change described in "3."
above. A link-local address is always assigned, but no
communication is allowed in that interface when it is marked as
IFDISABLED. The rc.d/netif script marks an interface as
IFDISABLED only when "$ipv6_prefer=NO and no $ifconfig_IF_ipv6".
5. If you want to enable SLAAC (State-Less Address
AutoConfiguration), simply add "accept_rtadv" to
$ifconfig_IF_ipv6. It works in a per-IF basis.
After all, $ipv6_enable does too many things, IMHO. It detects
whether it is a host node or a router, and then if a host it
enables accepting RA on almost all interfaces and sends out a
Router Solicitation message for SLAAC. We need a more fine-grained
way and consistency with way for IPv4.
After committing my patch, I noticed there were some rough edges
and bugs, and it needs more backward compatibility knob handling.
I am appreciated it if you could review the attached patch. The
backward compatibility handling and incompatibilities are the
following:
a) When $ipv6_enable=YES is defined, it means $ipv6_prefer=YES and
all interfaces with IPv6 configuration (it means
$ifconfig_IF_ipv6 exists in rc.conf) accepts RA by default.
This is almost the same behavior in the prior releases.
b) If an $ipv6_ifconfig_IF="xxx" is defined, it is translated to
$ifconfig_IF_ipv6="inet6 xxx" and display a warning.
c) If an $ipv6_ifconfig_IF_aliasN="xxx" is defined, it is
translated to $ifconfig_IF_aliasN="inter xxx" after evaluating
the other $ifconfig_IF_aliasN. A warning is displayed.
So, in short, follow them to migrate to the new world:
- If you use $ipv6_enable=YES, use $ipv6_prefer=YES instead. If
$ipv6_prefer=NO or no $ipv6_prefer, you can still use IPv6 but
interfaces with no $ifconfig_IF_ipv6 are automatically disabled.
Note that only IPv6 functionality on that interface is disabled.
IPv4 communication works, and other interfaces with
$ifconfig_IF_ipv6 work, too. This means you can enable IPv6
functionality only on interfaces with $ifconfig_IF_ipv6 when
$ipv6_prefer=NO. If you do not mind IPv6 is enabled on all
interfaces, use $ipv6_prefer=YES. In both cases, link-local
address is assigned automatically.
- If you use $ipv6_ifconfig_IF, use $ifconfig_IF_ipv6 instead. Do
not forget adding "inet6" keyword.
- If you use $ipv6_ifconfig_IF_aliasN, use $ifconfig_IF_aliasN in
the same way as IPv4. Do not forget adding "inet6" keyword.
- If you use Router Advertisement and SLAAC in your environment, add
"accept_rtadv" keyword to appropriate $ifconfig_IF_ipv6.
I think these are enough for backward compatibility. Please note
that above descriptions are based on the committed patch and the
attached additional patch. The committed patch does not support
$ipv6_enable.
I am sorry for committing them without detail explanations behind the
change. Hope the above (lengthy) sentences helps your understanding
what I want to do.
do> In general I have a problem with the idea of drastically changing the
do> semantics of the current code when I can't see any real value in doing
do> so. I object to this change specifically because on my laptop I really
do> like having the ability to easily disable IPv6 when I am not on my
do> home network.
do>
do> My preferred scenario would be something similar to what we have now,
do> which is that if ipv6_enable is set that it takes the same list of
do> interfaces as ipv4 (defaults to AUTO) and that rtadv is enabled by
do> default for each of those interfaces. My feeling is that this not only
do> significantly reduces POLA it will also more precisely fit the way
do> that the vast majority of our users will actually use IPv6.
do>
do> On a "marketing" note I really think it would be valuable to make it
do> as easy as possible for the average user to get IPv6 working. We have
do> IPv4 down to it more or less "just works," I think IPv6 should be the
do> same way. (On a side note, I'd actually like to see DHCP be the
do> default for IPv4 such that if you have DHCP available on a network you
do> wouldn't have to do any configuration at all to get FreeBSD on line,
do> but that's a whole other topic.)
Yes, I completely agree. I am also concerned about POLA, and decide
to add support of $ipv6_enable to recede the astonishment. I would
like your comments on my goal by combination of the committed and the
attached patch.
do> > - Receiving ICMPv6 Router Advertisement is not automatically
do> > enabled even if there is no manual configuration of IPv6 in
do> > rc.conf. If you want it, define
do> > ifconfig_xxx_ipv6="inet6 ... accept_rtadv".
do>
do> What is the reason for this change? While I am definitely in favor of
do> making it easier to disable rtadv, I still think it should be the
do> default.
I think this may be a moot point. As explained above, I think
"$ipv6_enable on a host, not a router, and no IPv6 configuration
always means receiving RA" is too aggressive. No configuration should
be no configuration, does not mean "I want RA". "Specifying it
explicitly if you want it, no configuration if you don't" is safer
and consistent.
Another concern I have is the fact that RA includes default router
address and the box configures the default route based on it. This
means it can override manually-configured default route. If it
handles only prefix-list then receiving RA by default would be okay,
but I think we have to be more careful to whether we accepts it or
not.
Anyway, $ipv6_enable knob support in the attached patch emulates the
old behavior. My approach may not be the best, but the concern was
as I explained. Any comments are welcome.
do> > - The rc.d/ip6addrctl now chooses address selection policy based
do> > on $ipv6_prefer, not $ipv6_enable. The default is
do> > ipv6_prefer=NO.
do>
do> Once again, what is the reason for this change? My read of the
do> IPv6-using community is that if they have it available they want to
do> use it as a first choice. I know that is certainly my preference.
Because IMHO the name $ipv6_enable was inappropriate (IPv6 is enabled
by kernel already) from the start, and I want to use a new name
rather than changing behavior of the old variable since they are not
identical to each other.
My patch virtually narrows the behavior down to 1) whether it marks
non-manually-configured interfaces as IFDISABLED or not, and 2)
whether it uses or not IPv6 address rather than IPv4 address when the
both are available. Also, people can notice that the variable is
changed if the name is different.
I understand the feeling that we do not want to change a
long-standing practice for IPv6 configuration. I want to fix such
inconsistencies and make the IPv6 enabled by default on this occasion
of the major version bump.
-- Hiroki
----Next_Part(Sun_Sep_20_22_40_18_2009_389)--
Content-Type: Text/X-Patch; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="etc.diff"
Index: etc/network.subr
===================================================================
--- etc/network.subr (revision 197340)
+++ etc/network.subr (working copy)
@@ -97,15 +97,26 @@
if afexists inet6; then
if ipv6if $1; then
if checkyesno ipv6_gateway_enable; then
- _ipv6_opts="-accept_rtadv auto_linklocal"
+ _ipv6_opts="-accept_rtadv"
+ fi
+ else
+ if checkyesno ipv6_prefer; then
+ _ipv6_opts="-ifdisabled"
else
- _ipv6_opts="auto_linklocal"
+ _ipv6_opts="ifdisabled"
fi
- else
- _ipv6_opts="-auto_linklocal ifdisabled"
+
+ # backward compatibility: $ipv6_enable
+ case $ipv6_enable in
+ [Yy][Ee][Ss])
+ _ipv6_opts="${_ipv6_opts} accept_rtadv"
+ ;;
+ esac
fi
- ifconfig $1 inet6 ${_ipv6_opts}
+ if [ -n "${_ipv6_opts}" ]; then
+ ifconfig $1 inet6 ${_ipv6_opts}
+ fi
# ifconfig_IF_ipv6
ifconfig_args=`ifconfig_getargs $1 ipv6`
@@ -382,7 +393,7 @@
# 1 otherwise.
ipv6if()
{
- local _if i
+ local _if _tmpargs i
_if=$1
if ! afexists inet6; then
@@ -396,6 +407,18 @@
;;
esac
+ # True if $ifconfig_IF_ipv6 is defined.
+ _tmpargs=`_ifconfig_getargs $_if ipv6`
+ if [ -n "${_tmpargs}" ]; then
+ return 0
+ fi
+
+ # backward compatibility: True if $ipv6_ifconfig_IF is defined.
+ _tmpargs=`get_if_var $_if ipv6_ifconfig_IF`
+ if [ -n "${_tmpargs}" ]; then
+ return 0
+ fi
+
case "${ipv6_network_interfaces}" in
[Aa][Uu][Tt][Oo])
return 0
@@ -431,17 +454,30 @@
if checkyesno ipv6_gateway_enable; then
return 1
fi
+ _tmpargs=`get_if_var $_if ipv6_prefix_IF`
+ if [ -n "${_tmpargs}" ]; then
+ return 1
+ fi
case $_if in
lo0|\
stf[0-9]*|\
faith[0-9]*|\
lp[0-9]*|\
- sl[0-9]*)
+ sl[0-9]*|\
+ pflog[0-9]*|\
+ pfsync[0-9]*)
return 1
;;
esac
+ # backward compatibility: $ipv6_enable
+ case $ipv6_enable in
+ [Yy][Ee][Ss])
+ return 0
+ ;;
+ esac
+
_tmpargs=`_ifconfig_getargs $_if ipv6`
for _arg in $_tmpargs; do
case $_arg in
@@ -451,6 +487,16 @@
esac
done
+ # backward compatibility: $ipv6_ifconfig_IF
+ _tmpargs=`get_if_var $_if ipv6_ifconfig_IF`
+ for _arg in $_tmpargs; do
+ case $_arg in
+ accept_rtadv)
+ return 0
+ ;;
+ esac
+ done
+
return 1
}
@@ -691,7 +737,7 @@
;;
*)
ifconfig $1 inet6 ${ifconfig_args} alias && _ret=0
- warn "\$ipv6_ifconfig_$1_alias${alias} is obsolete."
+ warn "\$ipv6_ifconfig_$1_alias${alias} is obsolete." \
" Use ifconfig_$1_aliasN instead."
;;
esac
@@ -773,6 +819,7 @@
done
# backward compatibility: ipv6_ifconfig_IF_aliasN.
+ alias=0
while : ; do
ifconfig_args=`get_if_var $1 ipv6_ifconfig_IF_alias${alias}`
case "${ifconfig_args}" in
@@ -780,13 +827,12 @@
break
;;
*)
- ifconfig $1 inet6 ${ifconfig_args} -alias
- alias=$((${alias} + 1))
- warn "\$ipv6_ifconfig_$1_alias${alias} is obsolete."
+ ifconfig $1 inet6 ${ifconfig_args} -alias && _ret=0
+ warn "\$ipv6_ifconfig_$1_alias${alias} is obsolete." \
" Use ifconfig_$1_aliasN instead."
- _ret=0
;;
esac
+ alias=$((${alias} + 1))
done
return $_ret
Index: etc/rc.d/netif
===================================================================
--- etc/rc.d/netif (revision 197340)
+++ etc/rc.d/netif (working copy)
@@ -41,7 +41,7 @@
extra_commands="cloneup clonedown"
cmdifn=
-set_rcvar_obsolete ipv6_enable
+set_rcvar_obsolete ipv6_enable ipv6_prefer
network_start()
{
Index: etc/rc.d/ip6addrctl
===================================================================
--- etc/rc.d/ip6addrctl (revision 197340)
+++ etc/rc.d/ip6addrctl (working copy)
@@ -19,6 +19,8 @@
prefer_ipv6_cmd="ip6addrctl_prefer_ipv6"
prefer_ipv4_cmd="ip6addrctl_prefer_ipv4"
+set_rcvar_obsolete ipv6_enable ipv6_prefer
+
ip6addrctl_prefer_ipv6()
{
ip6addrctl flush >/dev/null 2>&1
Index: etc/rc.d/rtadvd
===================================================================
--- etc/rc.d/rtadvd (revision 197340)
+++ etc/rc.d/rtadvd (working copy)
@@ -43,7 +43,10 @@
case ${rtadvd_interfaces} in
[Aa][Uu][Tt][Oo]|'')
for i in `ifconfig -l` ; do
- if is_wired_interface $1; then
+ case $i in
+ lo0) continue ;;
+ esac
+ if ipv6if $i; then
rtadvd_interfaces="${rtadvd_interfaces} ${i}"
fi
done
----Next_Part(Sun_Sep_20_22_40_18_2009_389)----
----Security_Multipart0(Sun_Sep_20_22_40_18_2009_230)--
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEABECAAYFAkq2MMIACgkQTyzT2CeTzy3jlwCgx+jB5G2SwNoJDdUxDvXnf0Ip
+GAAniQz8CEXHNOEl8FOob/ljgeVBBNL
=e82d
-----END PGP SIGNATURE-----
----Security_Multipart0(Sun_Sep_20_22_40_18_2009_230)----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090920.224018.16368211.hrs>