Date:      Sun, 10 Jan 2010 19:52:32 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Hajimu UMEMOTO <ume@freebsd.org>
Cc:        freebsd-net@freebsd.org, freebsd-current@freebsd.org, David Horn <dhorn2000@gmail.com>, freebsd-ipfw@freebsd.org
Subject:   Re: Unified rc.firewall ipfw me/me6 issue
Message-ID:  <20100110185232.GA27907@onelab2.iet.unipi.it>
In-Reply-To: <yge8wc5u872.wl%ume@mahoroba.org>
References:  <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <ygek4wmyp3j.wl%ume@mahoroba.org> <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com> <yged42c4770.wl%ume@mahoroba.org> <25ff90d61001021736p7b695197q104f4a7769b51b71@mail.gmail.com> <yge8wc5u872.wl%ume@mahoroba.org>

On Mon, Jan 11, 2010 at 03:27:13AM +0900, Hajimu UMEMOTO wrote:
> Hi,
> 
> >>>>> On Sat, 2 Jan 2010 20:36:45 -0500
> >>>>> David Horn <dhorn2000@gmail.com> said:
> 
> > dhorn2000> Yes, "me" matching either ipv4/ipv6 would certainly simplify the default
> > dhorn2000> rc.firewall flow.
> >
> > Here is my proposed patch.  With this patch, 'me' matches both IPv4
> > and IPv6, and 'me4' is added for matching only IPv4.
> 
> dhorn2000> The patch for me4/me6 works perfect in my testing to date.   I guess
> dhorn2000> we would need to convince a larger audience to get consensus on
> dhorn2000> changing the behavior for "me" token from just ipv4 to both ipv4/ipv6,
> dhorn2000> but I personally think it is the right direction.
> 
> Thank you for testing.
> I've added current@ and net@ to Cc:.
> It makes the IPv4/IPv6 dual-stack rules definitely simpler if 'me'
> matches both IPv4 and IPv6.  I think it is a desired feature.
> However, I'm not sure we actually need 'me4'.  So, I split my previous
> patch into two patches.  The 1st patch makes 'me' match both IPv4
> and IPv6.  The 2nd patch adds 'me4'.
> If there is no objection, I'll commit the 1st patch.  If someone wants
> 'me4', I'll commit the 2nd patch.

We only need one 'me' option that matches v4 and v6, because the
other two can be implemented as 'ip4 me' and 'ip6 me' at no extra
cost (the code for 'me' only scans the list corresponding to the
actual address family of the packet).  I would actually vote for
removing the 'me6' microinstruction from the kernel, and implement
it in /sbin/ipfw by generating 'ip6 me'.

Feel free to commit the change yourself.

cheers
luigi
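What the change means for a dual-stack rc.firewall, as an added example that is not code from this thread or from FreeBSD's rc.firewall: one ruleset written against the old semantics ('me' is IPv4-only, 'me6' for IPv6) beside the same ruleset once 'me' matches both families, with 'ip4 me' / 'ip6 me' standing in for 'me4' / 'me6' as Luigi suggests. Rule numbers, ports and the function names are illustrative, and ${fwcmd} defaults to a dry run that prints the rules instead of loading them, so the script runs on any POSIX sh without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# Shows a dual-stack service rule before and after 'me' matches both
# address families, and how a family-restricted match is written with
# the ip4/ip6 keywords instead of a me4/me6 microinstruction.
# Assumptions: rule numbers, ports and function names are illustrative;
# ${fwcmd} defaults to a dry run ("echo ipfw ...") so nothing is loaded.

fwcmd="${fwcmd:-echo ipfw}"

# Before: 'me' is IPv4-only, so each service needs a second rule with 'me6'.
rules_before() {
    ${fwcmd} add 1000 pass tcp from any to me 22 setup
    ${fwcmd} add 1010 pass tcp from any to me6 22 setup
}

# After: one 'me' rule covers both families. The kernel compares 'me'
# only against the address list of the packet's own family, so an IPv4
# packet is never matched against IPv6 addresses and vice versa.
rules_after() {
    ${fwcmd} add 1000 pass tcp from any to me 22 setup

    # Family-specific variants need no extra keyword: the ip4 / ip6
    # protocol keyword (or the trailing ip4 / ip6 option) restricts the
    # packet's address family before the 'me' lookup runs.
    ${fwcmd} add 2000 pass ip4 from any to me          # same as a 'me4'
    ${fwcmd} add 2010 pass ip6 from any to me          # same as 'me6'
    ${fwcmd} add 2020 pass udp from any to me 123 ip6  # option form
}

# Number of rules a ruleset function emits in dry-run mode.
rule_count() {
    "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print both rulesets side by side for comparison.
if [ "${1:-}" = "--show" ]; then
    echo "# before"; rules_before
    echo "# after";  rules_after
fi
```

Run it as `sh rules.sh --show` to print both variants; set `fwcmd=/sbin/ipfw` on a FreeBSD host to load them for real. The point of the second ruleset is that nothing family-specific is lost: every place the old ruleset needed 'me6' (or would have needed 'me4') is expressed with the ip4/ip6 selector already in the grammar.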


