Date:      Fri, 18 Dec 2009 09:12:48 -0500
From:      David Horn <dhorn2000@gmail.com>
To:        Hajimu UMEMOTO <ume@freebsd.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Unified rc.firewall ipfw me/me6 issue
Message-ID:  <25ff90d60912180612y2b1f64fbw34b4d7f648762087@mail.gmail.com>
In-Reply-To: <ygek4wmyp3j.wl%ume@mahoroba.org>
References:  <25ff90d60912162320y286e37a0ufeb64397716d8c18@mail.gmail.com> <ygek4wmyp3j.wl%ume@mahoroba.org>

On Thu, Dec 17, 2009 at 3:36 AM, Hajimu UMEMOTO <ume@freebsd.org> wrote:

> Hi,
>
> >>>>> On Thu, 17 Dec 2009 02:20:47 -0500
> >>>>> David Horn <dhorn2000@gmail.com> said:
>
> dhorn2000> Thanks for working on rc.firewall, as the old scenario of
> dhorn2000> dueling rc.firewall/rc.firewall6 was not easily used in the
> dhorn2000> default configurations when running dual stack.  The new
> dhorn2000> rc.firewall has some very decent sane defaults.  My testing
> dhorn2000> so far has been concentrated on firewall_type="client", dual
> dhorn2000> stack v4/v6 with SLAAC for IPv6, and DHCP for IPv4.  I will
> dhorn2000> try some of the IPv6 tunnel scenarios later.
>
> There is no rule to pass the IPv6 over IPv4 tunnel.  You need to add
> it by yourself for now.  I thought it might be better to have it in our
> default rule.  However, I didn't come up with a suitable default.  So, I
> didn't add it.
>
> dhorn2000> I ran some tests against the now committed to -current
> dhorn2000> /etc/rc.firewall, and think I have found an issue.  In every
> dhorn2000> line that has the "me" token without the equivalent "me6"
> dhorn2000> token, the command is only taking effect for IPv4.
>
> Yes, thank you for the report.  It's my mistake.  The default rule
> should have the same behavior as far as possible between IPv4 and IPv6.
>
> dhorn2000> ${fwcmd} add pass udp from { me or me6 } to any 53 keep-state
>
> Your proposed patch is simple enough, thus I like it.  However, we need
> to consider the environment where the kernel doesn't have IPv6
> support.  So, we cannot just use '{ me or me6 }' here.
> How about the attached patch, instead?  Sorry, but I have no test
> environment for now, so I haven't tested it myself yet.  I'll test
> it later.
>

The updated patch works, but doing a check for [ $ipv6_available -eq 0 ]
might be more appropriate than checking the "net6" or "inet6" variables in
these no-INET6 cases, since neither the net6 nor the inet6 variable is
involved in these statements.


>
> dhorn2000> The same issue exists for several other entries as well.
> dhorn2000> (possible diff attached)  The other option is to modify ipfw
> dhorn2000> to actually have three different "me" tokens (me/me4/me6)
> dhorn2000> where the new "me" token would match both IPv4 and IPv6 local
> dhorn2000> interface addresses.  Currently "me" matches only IPv4
> dhorn2000> addresses on my amd64 -current box.
>
> I think 'me' matching both IPv4 and IPv6 is better.
>

Yes, "me" matching either IPv4 or IPv6 would certainly simplify the default
rc.firewall flow.


>
> dhorn2000> P.S., might also be nice to have an UPDATING entry for
> dhorn2000> unified rc.firewall
>
> Yes, it should be.  I'll add an UPDATING entry later.
>
> Sincerely,
>
>
>
> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> ume@mahoroba.org  ume@{,jp.}FreeBSD.org
> http://www.imasy.org/~ume/
>
>
I am continuing to evaluate and may have some additional tweaks to other
areas in a few days.

--Thanks!

--Dave Horn
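As an added example (not code from the thread or from FreeBSD's rc.firewall), here is a small POSIX sh helper that emits a rule once with "me" and, gated on ipv6_available as proposed in the mail (0 means the kernel has INET6; rc.firewall takes the value from the exit status of "afexists inet6"), once more with "me6", so the generated rule set covers both address families where IPv6 exists and still loads on a kernel built without it. The fwcmd="echo ipfw" dry run, the ME placeholder and the add_me_rule/client_me_rules/dns_rule_count/dns_rules_have_me6 names are assumptions of this example; only the DNS rule and the ipv6_available check come from the mail.

```shell
#!/bin/sh
# Added example for this thread, not FreeBSD's own rc.firewall code.
# As reported above, on this ipfw "me" matches only the host's IPv4
# addresses and "me6" only its IPv6 addresses, so a rule written with
# "me" alone covers one family.  Emit the IPv4 rule and, only when the
# kernel has INET6, the matching IPv6 rule.  ipv6_available follows the
# rc.firewall convention: 0 means IPv6 is present (exit status of
# "afexists inet6").

# Assumption: fwcmd is "echo ipfw" so the script runs without a kernel
# ipfw and just prints the commands it would issue; rc.firewall sets it
# to the real binary.
fwcmd="echo ipfw"

# add_me_rule IPV6_AVAILABLE RULE...
# RULE is an ipfw rule body with the placeholder ME where the address
# token belongs, e.g. "pass udp from ME to any 53 keep-state".  The
# IPv4 ("me") rule is always emitted; the "me6" twin only when
# IPV6_AVAILABLE is 0, so a no-INET6 kernel never sees a me6 token.
add_me_rule() {
	_v6="$1"; shift
	_body="$*"
	_pre="${_body%%ME*}"     # text before the placeholder
	_post="${_body#*ME}"     # text after the placeholder
	${fwcmd} add ${_pre}me${_post}
	if [ "$_v6" -eq 0 ]; then
		${fwcmd} add ${_pre}me6${_post}
	fi
}

# The firewall_type="client" DNS rule quoted in the thread, generated
# for a given ipv6_available value.
client_me_rules() {
	add_me_rule "$1" "pass udp from ME to any 53 keep-state"
}

# How many rules the DNS entry expands to under a given ipv6_available
# (2 with INET6, 1 without).
dns_rule_count() {
	client_me_rules "$1" | wc -l | tr -d ' '
}

# Exit 0 when the generated set contains a me6 rule, 1 otherwise.
dns_rules_have_me6() {
	client_me_rules "$1" | grep ' me6 ' >/dev/null
}

# Stand-alone run: show the rule set for both kernel configurations.
for v6 in 0 1; do
	echo "# ipv6_available=$v6"
	client_me_rules "$v6"
done
```

Run it as-is to see the two rule sets side by side; to use the helper for real, set fwcmd to the ipfw binary and call add_me_rule for each rule that carries a "me" token, with ipv6_available computed the way rc.firewall does it.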

