From SRS0=3326df41966a19df5160a2dfd9c84c74262dddf6=683=es.net=oberman@es.net  Sat Apr 26 19:43:09 2008
Return-Path: <SRS0=3326df41966a19df5160a2dfd9c84c74262dddf6=683=es.net=oberman@es.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9EC971065680
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Apr 2008 19:43:09 +0000 (UTC)
	(envelope-from SRS0=3326df41966a19df5160a2dfd9c84c74262dddf6=683=es.net=oberman@es.net)
Received: from postal1.es.net (postal3.es.net [IPv6:2001:400:14:3::8])
	by mx1.freebsd.org (Postfix) with ESMTP id 21E258FC2D
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Apr 2008 19:43:09 +0000 (UTC)
	(envelope-from SRS0=3326df41966a19df5160a2dfd9c84c74262dddf6=683=es.net=oberman@es.net)
Received: from slan.es.net (c-76-103-85-82.hsd1.ca.comcast.net [76.103.85.82])
        by postal3.es.net (Postal Node 3) with ASMTP (SSL) id GXR30308
        for <FreeBSD-gnats-submit@freebsd.org>; Sat, 26 Apr 2008 12:43:0
Received: by slan.es.net (Postfix, from userid 9381)
	id 5279E5CA8; Sat, 26 Apr 2008 12:43:07 -0700 (PDT)
Message-Id: <20080426194307.5279E5CA8@slan.es.net>
Date: Sat, 26 Apr 2008 12:43:07 -0700 (PDT)
From: Kevin@es.net, "Oberman <oberman.net"@es.net
Reply-To: Kevin Oberman <oberman@es.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: rc script for ipfw does not handle IPv6
X-Send-Pr-Version: 3.113
X-GNATS-Notify: freebsd-rc@FreeBSD.org.

>Number:         123119
>Category:       conf
>Synopsis:       [patch] rc script for ipfw does not handle IPv6
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-rc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 26 19:50:01 UTC 2008
>Closed-Date:    Fri Mar 15 23:34:51 UTC 2013
>Last-Modified:  Fri Mar 15 23:34:51 UTC 2013
>Originator:     Kevin Oberman
>Release:        FreeBSD 7.0-STABLE i386
>Organization:
ESnet--The Energy Sciences Network
>Environment:
System: FreeBSD slan.es.net 7.0-STABLE FreeBSD 7.0-STABLE #0: Fri Apr 25 11:32:19 PDT 2008 root@slan.es.net:/usr/obj/usr/src/sys/IBM-T43 i386
>Description:
	/etc/rc.d/ipfw only sets and clears the sysctl to enable or disable
	IPv4. A check for ipv6_enable and the IPv6 sysctl need to be added.
>How-To-Repeat:
	On a system running IPv6 and IPv4, stop IPFW. It only stops for IPv4.
>Fix:
There might be better ways to check on IPv6, but this was the obvious one.
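The two halves of the report, as an added example that is neither the PR's patch nor FreeBSD's /etc/rc.d/ipfw: a start/stop plan that toggles the IPv4 and IPv6 enable knobs together (keyed on ipv6_enable, as the patch does), and a check that recognises the half-stopped state described under How-To-Repeat by reading sysctl output. It assumes rc.subr's checkyesno semantics (reimplemented here) and the two sysctl names named in the report; the sample sysctl output is constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's /etc/rc.d/ipfw.
# Models what a dual-stack ipfw rc script has to do: toggle BOTH enable
# knobs together, and detect the half-stopped state the report describes
# (IPv4 filtering off, IPv6 filtering still on).
# Assumptions: rc.conf variable ipv6_enable with rc.subr's checkyesno
# semantics (reimplemented below) and the sysctl names from the report.

SYSCTL_V4="net.inet.ip.fw.enable"
SYSCTL_V6="net.inet6.ip6.fw.enable"

# Minimal stand-in for rc.subr's checkyesno: 0 for yes/true/on/1, else 1.
checkyesno() {
    eval _v=\"\${$1:-}\"
    case "$_v" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the sysctl assignments for "$1" = start|stop, one per line.
# The IPv6 knob is included only when ipv6_enable is set, as in the patch.
ipfw_sysctl_plan() {
    case "$1" in start) _val=1 ;; stop) _val=0 ;; *) return 2 ;; esac
    echo "${SYSCTL_V4}=${_val}"
    if checkyesno ipv6_enable; then
        echo "${SYSCTL_V6}=${_val}"
    fi
}

# Read "sysctl net.inet.ip.fw.enable net.inet6.ip6.fw.enable" output from
# stdin ("name: value" or "name=value"). Return 0 if both knobs agree,
# 1 if the firewall is half-stopped/half-started, 2 if a knob is missing.
ipfw_state_check() {
    _v4=""; _v6=""
    while IFS=' :=' read -r _name _value; do
        case "$_name" in
            "$SYSCTL_V4") _v4=$_value ;;
            "$SYSCTL_V6") _v6=$_value ;;
        esac
    done
    [ -n "$_v4" ] && [ -n "$_v6" ] || return 2
    [ "$_v4" = "$_v6" ] && return 0
    echo "ipfw: IPv4 enable=$_v4 but IPv6 enable=$_v6 (inconsistent)" >&2
    return 1
}

# Constructed sample: the state the submitter hit after "ipfw stop".
SAMPLE_HALF_STOPPED="net.inet.ip.fw.enable: 0
net.inet6.ip6.fw.enable: 1"
```

Run it as `sysctl net.inet.ip.fw.enable net.inet6.ip6.fw.enable | ipfw_state_check` after a stop to confirm both families actually went down.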

# diff -u ipfw.orig ipfw
--- ipfw.orig	2008-04-26 12:34:16.000000000 -0700
+++ ipfw	2008-04-25 15:39:41.000000000 -0700
@@ -44,6 +44,9 @@
 	# Enable the firewall
 	#
 	${SYSCTL_W} net.inet.ip.fw.enable=1
+	if checkyesno ipv6_enable; then
+		sysctl net.inet6.ip6.fw.enable=1 >/dev/null
+	fi
 }
 
 ipfw_stop()
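Review bot: the added `sysctl net.inet6.ip6.fw.enable=1 >/dev/null` bypasses the `${SYSCTL_W}` wrapper that the existing `${SYSCTL_W} net.inet.ip.fw.enable=1` line uses; write it as `${SYSCTL_W} net.inet6.ip6.fw.enable=1` so both knobs go through the same command. The `>/dev/null` also only hides stdout: on a kernel without the IPv6 ipfw node the error still reaches the console at boot, so either test for the node before setting it or drop the redirect for symmetry with the IPv4 line.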
@@ -51,6 +54,10 @@
 	# Disable the firewall
 	#
 	${SYSCTL_W} net.inet.ip.fw.enable=0
+	if checkyesno ipv6_enable; then
+		sysctl net.inet6.ip6.fw.enable=0
+	fi
+
 	if [ -f /etc/rc.d/natd ] ; then
 		/etc/rc.d/natd stop
 	fi
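Review bot: the stop path is inconsistent with the start hunk: `sysctl net.inet6.ip6.fw.enable=0` has no `>/dev/null` here and again skips `${SYSCTL_W}`; make the two paths match. Gating the disable on `checkyesno ipv6_enable` also means that if the IPv6 knob is on while ipv6_enable is off in rc.conf, `ipfw stop` leaves IPv6 filtering active, which is exactly the "stopped but still blocked" situation the report is about; disabling the IPv6 knob unconditionally (tolerating a missing node) avoids that.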
@@ -58,4 +65,3 @@
 
 load_rc_config $name
 run_rc_command "$1"
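Review bot: the header `@@ -58,4 +65,3 @@` announces one removed line, but the hunk shows only three unchanged context lines and no `-` line, so the patch as reproduced here will not apply cleanly; the dropped line is most likely a trailing blank whose deletion was lost in transit. Regenerate the diff, and leave unrelated whitespace changes out of it so the hunk disappears entirely.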
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun Apr 27 05:22:38 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119 
State-Changed-From-To: open->feedback 
State-Changed-By: gavin 
State-Changed-When: Sun Apr 27 11:35:43 UTC 2008 
State-Changed-Why:  
To submitter: as far as I can tell, starting and stopping the IPv6 
firewall is correctly handled in /etc/rc.d/ip6fw.  Is there a reason 
why you believe this is broken? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119 
State-Changed-From-To: feedback->open 
State-Changed-By: gavin 
State-Changed-When: Mon Apr 28 12:11:36 UTC 2008 
State-Changed-Why:  
Response received from submitter: 

 -------- Forwarded Message -------- 
 From: Kevin Oberman <oberman@es.net> 
 Cc: freebsd-rc@FreeBSD.org, freebsd-ipfw@FreeBSD.org 
 Date: Sun, 27 Apr 2008 14:40:02 -0700 
 
 > To submitter: as far as I can tell, starting and stopping the IPv6 
 > firewall is correctly handled in /etc/rc.d/ip6fw.  Is there a reason 
 > why you believe this is broken? 
 
 ip6fw was added to the system back with V5.0 days (not fun days for 
 FreeBSD) when ipfw was two separate modules, one for IPv4 and another 
 for IPv6. makonnen wrote the required script for the IPv6 module back in 
 2002 and it has lived on with mostly small fixes to deal with changes in 
 the startup scripts. 
 
 Back in 2006, ipfw was re-worked to make it dual stack and it now is a 
 single module with a single management CLI, ipfw(8) and rules for IPv4 
 and IPv6 can all be included in a single configuration file. 
 
 It really makes no sense to have two very similar startup scripts, one 
 with a fairly non-intuitive name, for a single function. It continues 
 the approach that IPv6 is to be treated as something separate and not an 
 integrated part of the OS and I see no real purpose served by the 
 separation.  
 
 Now that I have looked at ip6fw, I can see that the fix I recommended is 
 not adequate, although it will prevent the problem I ran into when I 
 thought I was stopping all of ipfw, only to find that I was still 
 blocked from the system (except via the console). 
 
 In my spare time (translate that to "it may take a while"), I'll look at 
 a merge of the two rc scripts so that those with separate configuration 
 files won't find things broken. (I suspect that there are not too many 
 of those, but their firewalls really need to be preserved.) It looks 
 simple on the surface, but I suspect there are a few corner cases that 
 might be a bit tricky. 
 
 I may even be able to come up with a solution to NDP (the IPv6 
 replacement for ARP) being blocked if the system is booted with the
 normal "block by default" configuration.

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119 
Responsible-Changed-From-To: freebsd-ipfw->freebsd-rc 
Responsible-Changed-By: ae 
Responsible-Changed-When: Tue Jun 28 05:21:43 UTC 2011 
Responsible-Changed-Why:  
Reassign to freebsd-rc@. 

This functionality is already present in head/ and stable/8. 
But stable/7 does not support some needed features in rc.subr 
and in the kernel to merge this support. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119 
State-Changed-From-To: open->patched 
State-Changed-By: crees 
State-Changed-When: Wed Oct 31 19:11:46 UTC 2012 
State-Changed-Why:  
Fixed in all supported versions except 7.X 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119 
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Fri Mar 15 23:34:50 UTC 2013 
State-Changed-Why:  
MFCed/fixed by now or it will never be MFCed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123119 
>Unformatted:
