Date:      Mon, 28 Apr 2008 12:13:27 GMT
From:      gavin@FreeBSD.org
To:        freebsd-rc@FreeBSD.org, oberman@es.net, gavin@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject:   Re: conf/123119: [patch] rc script for ipfw does not handle IPv6
Message-ID:  <200804281213.m3SCDR2o066588@freefall.freebsd.org>

Synopsis: [patch] rc script for ipfw does not handle IPv6

State-Changed-From-To: feedback->open
State-Changed-By: gavin
State-Changed-When: Mon Apr 28 12:11:36 UTC 2008
State-Changed-Why: 
Response received from submitter:

 -------- Forwarded Message --------
 From: Kevin Oberman <oberman@es.net>
 Cc: freebsd-rc@FreeBSD.org, freebsd-ipfw@FreeBSD.org
 Date: Sun, 27 Apr 2008 14:40:02 -0700
 
 > To submitter: as far as I can tell, starting and stopping the IPv6
 > firewall is correctly handled in /etc/rc.d/ip6fw.  Is there a reason
 > why you believe this is broken?
 
 ip6fw was added to the system back in the V5.0 days (not fun days for
 FreeBSD) when ipfw was two separate modules, one for IPv4 and another
 for IPv6. makonnen wrote the required script for the IPv6 module back in
 2002 and it has lived on with mostly small fixes to deal with changes in
 the startup scripts.
 
 Back in 2006, ipfw was re-worked to make it dual stack and it now is a
 single module with a single management CLI, ipfw(8), and rules for IPv4
 and IPv6 can all be included in a single configuration file.
 
 It really makes no sense to have two very similar startup scripts, one
 with a fairly non-intuitive name, for a single function. It continues
 the approach that IPv6 is to be treated as something separate and not an
 integrated part of the OS and I see no real purpose served by the
 separation. 
 
 Now that I have looked at ip6fw, I can see that the fix I recommended is
 not adequate, although it will prevent the problem I ran into when I
 thought I was stopping all of ipfw, only to find that I was still
 blocked from the system (except via the console).
 
 In my spare time (translate that to "it may take a while"), I'll look at
 a merge of the two rc scripts so that those with separate configuration
 files won't find things broken. (I suspect that there are not too many
 of those, but their firewalls really need to be preserved.) It looks
 simple on the surface, but I suspect there are a few corner cases that
 might be a bit tricky.
 
 I may even be able to come up with a solution to NDP (the IPv6

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119


