Date:      Tue, 29 Oct 2002 00:38:39 +0900
From:      Hajimu UMEMOTO <ume@mahoroba.org>
To:        current@FreeBSD.org, net@FreeBSD.org
Subject:   [CFR] ipfilter IPv6 support in rc
Message-ID:  <ygelm4ishds.wl%ume@mahoroba.org>

--Multipart_Tue_Oct_29_00:38:39_2002-1
Content-Type: text/plain; charset=US-ASCII

Hi,

Current rc doesn't support IPv6 setup for ipfilter.  So I made the
patches.  The former is for both 4-STABLE and 5-CURRENT.  In addition
to the former one, 5-CURRENT requires the latter one for
/etc/rc.d/ipfilter.
This patch is not for /etc/rc.network6, as is usual for IPv6 related
setups, but for /etc/rc.network.  I tried to add the IPv6 part of the
ipfilter setups within /etc/rc.network6.  However, it was difficult to
do so.  For example, flushing rules by `ipf -Fa' affects both IPv4 and
IPv6.  So, I gave up on it, and expanded /etc/rc.network.
Please review it.  If there is no objection, I'll commit it next
weekend.

Sincerely,


--Multipart_Tue_Oct_29_00:38:39_2002-1
Content-Type: text/x-patch; charset=US-ASCII
Content-Disposition: attachment; filename="rc.network-ipf6.diff"
Content-Transfer-Encoding: 7bit

Index: etc/defaults/rc.conf
===================================================================
RCS file: /home/ncvs/src/etc/defaults/rc.conf,v
retrieving revision 1.159
diff -u -r1.159 rc.conf
--- etc/defaults/rc.conf	5 Sep 2002 20:14:40 -0000	1.159
+++ etc/defaults/rc.conf	28 Oct 2002 10:30:53 -0000
@@ -311,6 +311,10 @@
 ipv6_firewall_quiet="NO"	# Set to YES to suppress rule display
 ipv6_firewall_logging="NO"	# Set to YES to enable events logging
 ipv6_firewall_flags=""		# Flags passed to ip6fw when type is a file
+ipv6_ipfilter_rules="/etc/ipf6.rules"	# rules definition file for ipfilter,
+					# see /usr/src/contrib/ipfilter/rules
+					# for examples
+ipv6_ipfilter_flags=""		# additional flags for ipfilter
 
 ##############################################################
 ###  System console options  #################################
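
Review bot: the new `ipv6_ipfilter_rules` and `ipv6_ipfilter_flags` knobs have no enable switch of their own, and their comments do not say what activates them. With the default of /etc/ipf6.rules, the rc.network change in this patch loads IPv6 rules whenever ipfilter_enable is YES and that file is readable. Suggest saying in the comment that both variables take effect only with ipfilter_enable="YES", and adding matching entries to rc.conf(5), which this patch does not touch.
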
Index: etc/rc.network
===================================================================
RCS file: /home/ncvs/src/etc/rc.network,v
retrieving revision 1.137
diff -u -r1.137 rc.network
--- etc/rc.network	20 Sep 2002 18:31:55 -0000	1.137
+++ etc/rc.network	28 Oct 2002 10:30:54 -0000
@@ -101,10 +101,20 @@
 		esac
 		case "${ipfilter_enable}" in
 		[Yy][Ee][Ss])
-			if [ -r "${ipfilter_rules}" ]; then
+			if [ -r "${ipfilter_rules}" -o \
+			     -r "${ipv6_ipfilter_rules}" ]; then
 				echo -n ' ipfilter'
-				${ipfilter_program:-/sbin/ipf} -Fa -f \
-				    "${ipfilter_rules}" ${ipfilter_flags}
+				${ipfilter_program:-/sbin/ipf} -Fa
+				if [ -r "${ipfilter_rules}" ]; then
+					${ipfilter_program:-/sbin/ipf} \
+					    -f "${ipfilter_rules}" \
+					    ${ipfilter_flags}
+				fi
+				if [ -r "${ipv6_ipfilter_rules}" ]; then
+					${ipfilter_program:-/sbin/ipf} -6 \
+					    -f "${ipv6_ipfilter_rules}" \
+					    ${ipv6_ipfilter_flags}
+				fi
 			else
 				ipfilter_enable="NO"
 				echo -n ' NO IPF RULES'
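
Review bot: the widened test `-r "${ipfilter_rules}" -o -r "${ipv6_ipfilter_rules}"` lets startup continue when only one of the two files is readable, and the following `ipf -Fa` flushes both families (as the cover mail notes), so the family whose file is missing ends up with no rules while the script still prints ' ipfilter'. Before this change an unreadable IPv4 rules file set ipfilter_enable="NO" and printed ' NO IPF RULES'. Suggest printing a per-family notice when one file is unreadable, so that an unfiltered protocol is visible at boot.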

--Multipart_Tue_Oct_29_00:38:39_2002-1
Content-Type: text/x-patch; charset=US-ASCII
Content-Disposition: attachment; filename="rc.d-ipfilter-ipv6.diff"
Content-Transfer-Encoding: 7bit

Index: etc/rc.d/ipfilter
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/ipfilter,v
retrieving revision 1.4
diff -u -r1.4 ipfilter
--- etc/rc.d/ipfilter	12 Oct 2002 10:31:31 -0000	1.4
+++ etc/rc.d/ipfilter	28 Oct 2002 10:59:20 -0000
@@ -16,7 +16,7 @@
 
 case ${OSTYPE} in
 FreeBSD)
-	stop_precmd="test -f ${ipfilter_rules}"
+	stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
 	;;
 NetBSD)
 	stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
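
Review bot: in the FreeBSD `stop_precmd` line both variables are expanded unquoted into the test expression, so an empty value (for example ipv6_ipfilter_rules="" to skip IPv6) leaves a trailing `-o -f` with no operand, which is a malformed expression rather than a false result. Suggest quoting the expansions inside the string, or running a separate `test -f` per file.
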
@@ -49,7 +49,8 @@
 	fi
 
 	# check for ipfilter rules
-	if [ ! -r "${ipfilter_rules}" ]; then
+	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
+	then
 		warn 'IP-filter: NO IPF RULES'
 		return 1
 	fi
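
Review bot: the rules check now returns 1 only when both files are unreadable, so a configuration with one file missing passes this point without any message. Since the start code later in this patch skips an unreadable file silently, suggest adding a `warn` that names the family with no rules file, while keeping `return 1` for the case where both are missing.
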
@@ -78,8 +79,15 @@
 	echo "Enabling ipfilter."
 	case ${OSTYPE} in
 	FreeBSD)
-		${ipfilter_program:-/sbin/ipf} -Fa -f \
-		    "${ipfilter_rules}" ${ipfilter_flags}
+		${ipfilter_program:-/sbin/ipf} -Fa
+		if [ -r "${ipfilter_rules}" ]; then
+			${ipfilter_program:-/sbin/ipf} \
+			    -f "${ipfilter_rules}" ${ipfilter_flags}
+		fi
+		if [ -r "${ipv6_ipfilter_rules}" ]; then
+			${ipfilter_program:-/sbin/ipf} -6 \
+			    -f "${ipv6_ipfilter_rules}" ${ipv6_ipfilter_flags}
+		fi
 		;;
 	NetBSD)
 		/sbin/ipf -E -Fa
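
Review bot: in the FreeBSD start branch the flush is now a separate `ipf -Fa` call and neither of the following loads has its exit status checked, so a rules file that is readable but fails to load leaves that family flushed after "Enabling ipfilter." has been printed. Suggest checking the status of each `-f` load and issuing a `warn`, or returning non-zero, when one fails.
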
@@ -114,8 +122,15 @@
 
 	case ${OSTYPE} in
 	FreeBSD)
-		${ipfilter_program:-/sbin/ipf} -I -Fa -f \
-		    "${ipfilter_rules}" ${ipfilter_flags}
+		${ipfilter_program:-/sbin/ipf} -I -Fa
+		if [ -r "${ipfilter_rules}" ]; then
+			${ipfilter_program:-/sbin/ipf} -I \
+			    -f "${ipfilter_rules}" ${ipfilter_flags}
+		fi
+		if [ -r "${ipv6_ipfilter_rules}" ]; then
+			${ipfilter_program:-/sbin/ipf} -I -6 \
+			    -f "${ipv6_ipfilter_rules}" ${ipv6_ipfilter_flags}
+		fi
 		;;
 	NetBSD)
 		/sbin/ipf -I -Fa
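
Review bot: this FreeBSD branch repeats the flush-then-load-both-families sequence from the start branch and from rc.network, differing only in the `-I` that has to be remembered on all three `ipf` calls. Suggest factoring the sequence into one helper that takes the extra flag as an argument, so that the IPv4 and IPv6 handling cannot drift apart between the start and reload paths.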

--Multipart_Tue_Oct_29_00:38:39_2002-1
Content-Type: text/plain; charset=US-ASCII

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@mahoroba.org  ume@bisd.hitachi.co.jp  ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/

--Multipart_Tue_Oct_29_00:38:39_2002-1--
