From nobody@FreeBSD.org  Thu Feb 21 03:32:24 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id D04B137B400
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 21 Feb 2002 03:32:23 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g1LBWN570853;
	Thu, 21 Feb 2002 03:32:23 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200202211132.g1LBWN570853@freefall.freebsd.org>
Date: Thu, 21 Feb 2002 03:32:23 -0800 (PST)
From: Vlado <vlado@pc042.otanner9.kas.tut.fi>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ipfilter for IPV6 not available in rc.*
X-Send-Pr-Version: www-1.0

>Number:         35178
>Category:       conf
>Synopsis:       ipfilter for IPV6 not available in rc.*
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ume
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 21 03:40:01 PST 2002
>Closed-Date:    Mon Nov 04 09:24:54 PST 2002
>Last-Modified:  Mon Nov 04 09:24:54 PST 2002
>Originator:     Vlado
>Release:        STABLE
>Organization:
>Environment:
FreeBSD pc042.otanner9.kas.tut.fi 4.5-STABLE FreeBSD 4.5-STABLE #0: Mon Feb 18 13:57:17 EET 2002     vlado@pc042.otanner9.kas.tut.fi:/usr/obj/usr/src/sys/Ifrit  i386
>Description:
      When ipfilter is enabled in rc.conf, it loads firewall rules for
IPv4. To load rules for IPv6, it's necessary to use ipf -6 <whatever>. Thus, to use ipfilter on an IPv6-enabled computer, a hack to rc.network is necessary to also load rules for IPv6; otherwise, if the kernel option IPFILTER_DEFAULT_BLOCK is used, IPv6 traffic is blocked by default...

>How-To-Repeat:
      
>Fix:
      Add ipfilter6_rules to rc.conf, giving it the rules file for IPv6.
Add an ipfilter test to rc.network6 and load the rules if desired.
>Release-Note:
>Audit-Trail:

From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Vlado <vlado@pc042.otanner9.kas.tut.fi>
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: conf/35178: ipfilter for IPV6 not available in rc.*
Date: Tue, 26 Feb 2002 03:13:32 -0800

 How do these patches look? Could you give them a try?
 
 Index: etc/rc.network6
 ===================================================================
 RCS file: /export/freebsd/ncvs/src/etc/rc.network6,v
 retrieving revision 1.28
 diff -u -r1.28 rc.network6
 --- etc/rc.network6	15 Dec 2001 03:59:47 -0000	1.28
 +++ etc/rc.network6	25 Feb 2002 23:51:08 -0000
 @@ -68,6 +68,43 @@
  network6_pass1() {
  	echo -n 'Doing IPv6 network setup:'
  
 +	# Establish ipfilter ruleset as early as possible (best in
 +	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
 +
 +	# check whether ipfilter for IPv6
 +	ipfilter_active="NO"
 +	case ${ipfilter6_enable} in
 +	[Yy][Ee][Ss])
 +		ipfilter_active="YES"
 +		;;
 +	esac
 +	case ${ipfilter_active} in
 +	[Yy][Ee][Ss])
 +		# load ipfilter kernel module if needed
 +		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
 +			if kldload ipl; then
 +				echo 'IP-filter module loaded.'
 +			else
 +				echo 'Warning: IP-filter module failed to load.'
 +				# avoid further errors
 +				ipfilter6_enable="NO"
 +			fi
 +		fi
 +		case "${ipfilter6_enable}" in
 +		[Yy][Ee][Ss])
 +			if [ -r "${ipfilter6_flags}" ]; then
 +				echo -n ' ipfilter-IPv6'
 +				${ipfilter_program:-/sbin/ipf} -6 -Fa -f \
 +					"${ipfilter6_rules}" ${ipfilter6_flags}
 +			else
 +				ipfilter6_enable="NO"
 +				echo -n ' NO IPF RULES'
 +			fi
 +			;;
 +		esac
 +		;;
 +	esac
 +
  	# Initialize IP filtering using ip6fw
  	#
  	if /sbin/ip6fw -q flush > /dev/null 2>&1; then
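 Review bot: the readability test `if [ -r "${ipfilter6_flags}" ]; then` checks the flags variable instead of the rules file, so with the default `ipfilter6_flags=""` it is always false, the script prints ' NO IPF RULES', sets ipfilter6_enable=NO and the IPv6 ruleset is never loaded; it should be `if [ -r "${ipfilter6_rules}" ]; then`. Two smaller points: `-Fa` flushes the active ruleset rather than only the rules being replaced, so whether `-6 -Fa` leaves the IPv4 rules loaded earlier from rc.network intact needs checking against ipf(8) on the target release, and a plain `-6 -f` load sidesteps the question; and `ipfilter_active` here is only a copy of `ipfilter6_enable`, so the outer case can test `${ipfilter6_enable}` directly (the comment `# check whether ipfilter for IPv6` is also missing its verb, e.g. "is enabled").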
 Index: etc/defaults/rc.conf
 ===================================================================
 RCS file: /export/freebsd/ncvs/src/etc/defaults/rc.conf,v
 retrieving revision 1.139
 diff -u -r1.139 rc.conf
 --- etc/defaults/rc.conf	20 Feb 2002 10:30:56 -0000	1.139
 +++ etc/defaults/rc.conf	25 Feb 2002 23:52:12 -0000
 @@ -67,6 +67,9 @@
  ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
  				# /usr/src/contrib/ipfilter/rules for examples
  ipfilter_flags=""		# additional flags for ipfilter
 +ipfilter6_enable="NO"		# Set to YES to enable IPv6 ipfilter
 +ipfilter6_rules="/etc/ipf6.rules" # rules definition file for IPv6 ipfilter
 +ipfilter6_flags=""		# additional flags for IPv6 ipfilter
  ipnat_enable="NO"		# Set to YES to enable ipnat functionality
  ipnat_program="/sbin/ipnat"	# where the ipnat program lives
  ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
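 Review bot: the three new ipfilter6_* knobs need matching entries in the rc.conf(5) manual page next to the existing ipfilter_* ones, since the defaults file only carries one-line comments. Two style points: the comment on the `ipfilter6_rules` line is separated by a single space where the neighbouring lines use tabs, so the comment column no longer lines up; and because there is deliberately no ipfilter6_program (the rc.network6 hunk reuses `${ipfilter_program:-/sbin/ipf}`), the ipfilter6_enable comment could say so, to stop users looking for a separate knob.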
 
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: Jeremy Norris <ishmael27x@yahoo.com>
To: "Crist J. Clark" <cjc@freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/35178: ipfilter for IPV6 not available in rc.*
Date: Fri, 1 Mar 2002 09:08:46 -0600

 On Tue, Feb 26, 2002 at 03:20:02AM -0800, Crist J. Clark wrote:
 >  +		case "${ipfilter6_enable}" in
 >  +		[Yy][Ee][Ss])
 >  +			if [ -r "${ipfilter6_flags}" ]; then
 >  +				echo -n ' ipfilter-IPv6'
 >  +				${ipfilter_program:-/sbin/ipf} -6 -Fa -f \
 
 I think you should check for ipfilter_active as well, because ipf -6 -Fa
 flushes ipv4 rules too. If ipfilter_active is true, then maybe only ipf -6 -f?
 
 Jeremy

From: "Crist J. Clark" <crist.clark@attbi.com>
To: Jeremy Norris <ishmael27x@yahoo.com>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: conf/35178: ipfilter for IPV6 not available in rc.*
Date: Fri, 1 Mar 2002 08:37:05 -0800

 On Fri, Mar 01, 2002 at 09:08:46AM -0600, Jeremy Norris wrote:
 > On Tue, Feb 26, 2002 at 03:20:02AM -0800, Crist J. Clark wrote:
 > >  +		case "${ipfilter6_enable}" in
 > >  +		[Yy][Ee][Ss])
 > >  +			if [ -r "${ipfilter6_flags}" ]; then
 > >  +				echo -n ' ipfilter-IPv6'
 > >  +				${ipfilter_program:-/sbin/ipf} -6 -Fa -f \
 > 
 > I think you should check for ipfilter_active as well, because ipf -6 -Fa
 > flushes ipv4 rules too. If ipfilter_active is true, then maybe only ipf -6 -f?
 
 The problem with that is ipfilter_active would not be available at
 this point. It is local to the network_pass1() function in
 rc.network. It is possible to make it global, but very kludgey,
 passing data between the scripts in that way. In my scripts, I've just
 dropped the flush completely. It doesn't really seem all that
 necessary to me.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

From: Jeremy Norris <ishmael27x@yahoo.com>
To: cjclark@alum.mit.edu
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: conf/35178: ipfilter for IPV6 not available in rc.*
Date: Fri, 1 Mar 2002 11:19:18 -0600

 On Fri, Mar 01, 2002 at 08:37:05AM -0800, Crist J. Clark wrote:
 > The problem with that is ipfilter_active would not be available at
 > this point. It is local to the network_pass1() function in
 > rc.network. It is possible to make it global, but very kludgey,
 > passing data between the scripts in that way. In my scripts, I've just
 > dropped the flush completely. It doesn't really seem all that
 > necessary to me.
 
 Except it will flush all your ipv4 rules, leaving you with either all ipv4
 passed in and out or all blocked in and out if you compiled with
 IPFILTER_DEFAULT_BLOCK.
 
 Jeremy

From: "Crist J. Clark" <crist.clark@attbi.com>
To: Jeremy Norris <ishmael27x@yahoo.com>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: conf/35178: ipfilter for IPV6 not available in rc.*
Date: Fri, 1 Mar 2002 09:59:30 -0800

 On Fri, Mar 01, 2002 at 11:19:18AM -0600, Jeremy Norris wrote:
 > On Fri, Mar 01, 2002 at 08:37:05AM -0800, Crist J. Clark wrote:
 > > The problem with that is ipfilter_active would not be available at
 > > this point. It is local to the network_pass1() function in
 > > rc.network. It is possible to make it global, but very kludgey,
 > > passing data between the scripts in that way. In my scripts, I've just
 > > dropped the flush completely. It doesn't really seem all that
 > > necessary to me.
 > 
 > Except it will flush all your ipv4 rules, leaving you with either all ipv4
 > passed in and out or all blocked in and out if you compiled with
 > IPFILTER_DEFAULT_BLOCK.
 
 Huh? I said "I've dropped the flush completely."
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
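
The outcome of the exchange above (test the rules file, load the IPv6 ruleset with `ipf -6 -f` and drop the `-Fa` flush) as an added shell example; this is not code from the PR or from FreeBSD's rc scripts. The `IPF` variable, the function names and the sample knob values are assumptions of this example, and by default it echoes the ipf(8) command line instead of executing it.

```shell
#!/bin/sh
# Added example (not from the PR or FreeBSD's rc scripts): load ipfilter
# rulesets per address family from rc.conf-style knobs, testing the
# *rules file* for readability and loading IPv6 with "ipf -6 -f" only,
# so the IPv4 rules already in the kernel are not flushed by "-Fa".
# IPF is an assumption of this example: by default it echoes the ipf(8)
# command line instead of running it, so the logic runs without ipfilter.
IPF=${IPF:-"echo /sbin/ipf"}

# is_yes VALUE: the same case-insensitive YES test the rc scripts use.
is_yes() { case $1 in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac; }

# load_ipf_rules FAMILY RULES_FILE FLAGS
#   FAMILY is 4 or 6.  Returns 0 when the ruleset was loaded, 1 when the
#   rules file is missing or unreadable, 2 on a bad family argument.
load_ipf_rules() {
    family=$1; rules=$2; flags=$3
    case $family in
    4) famopt="" ;;
    6) famopt="-6" ;;
    *) echo "load_ipf_rules: bad family '$family'" >&2; return 2 ;;
    esac
    # Test the rules file, not the flags variable: with an empty flags
    # knob, [ -r "" ] is always false and the ruleset silently never loads.
    if [ ! -r "$rules" ]; then
        echo "NO IPF RULES for IPv$family ($rules)" >&2
        return 1
    fi
    # No -Fa here: -f adds the rules to the active set, so loading the
    # IPv6 file leaves whatever was loaded for IPv4 earlier in place.
    # famopt and flags are intentionally unquoted so empty ones vanish.
    $IPF $famopt -f "$rules" $flags
}

# Constructed rc.conf-style knob values for a stand-alone run.
ipfilter_enable="YES";  ipfilter_rules="/etc/ipf.rules";  ipfilter_flags=""
ipfilter6_enable="YES"; ipfilter6_rules="/etc/ipf6.rules"; ipfilter6_flags=""

# load_all: apply both knobs; a missing rules file is reported, not fatal.
load_all() {
    rc=0
    if is_yes "$ipfilter_enable"; then
        load_ipf_rules 4 "$ipfilter_rules" "$ipfilter_flags" || rc=1
    fi
    if is_yes "$ipfilter6_enable"; then
        load_ipf_rules 6 "$ipfilter6_rules" "$ipfilter6_flags" || rc=1
    fi
    return $rc
}

# Run as "sh thisfile.sh run" to apply the knobs above.
[ "${1:-}" = run ] && load_all
```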

From: Nick Hilliard <nick-list@netability.ie>
To: freebsd-gnats-submit@FreeBSD.org
Cc: crist.clark@attbi.com
Subject: Re: conf/35178: ipfilter for IPV6 not available in rc.*
Date: 19 Aug 2002 11:05:46 +0100

 On Fri, Mar 01, 2002 at 08:37:05AM -0800, Crist J. Clark wrote:
 > The problem with that is ipfilter_active would not be available at
 > this point. It is local to the network_pass1() function in
 > rc.network. It is possible to make it global, but very kludgey,
 > passing data between the scripts in that way. In my scripts, I've just
 > dropped the flush completely. It doesn't really seem all that
 > necessary to me.
 
 Crist,
 
 This pr + the patch you posted seem to have fallen through the cracks. 
 Could you consider committing it to -current without the flush?  It
 would be nice to get it into 4.7.
 
 Nick
 
 
State-Changed-From-To: open->closed 
State-Changed-By: ume 
State-Changed-When: Mon Nov 4 09:15:53 PST 2002 
State-Changed-Why:  
I had lost sight of your PR.  Sorry.
I've committed IPv6 setup support for ipfilter into 5-CURRENT,
but in another way.  Having the setup in rc.network6 breaks consistency
with the IPv4 setup of ipfilter.  So, I added it into rc.network.
I'll do the MFC after 1 week.
Anyway, thank you for your request.


Responsible-Changed-From-To: freebsd-bugs->ume 
Responsible-Changed-By: ume 
Responsible-Changed-When: Mon Nov 4 09:15:53 PST 2002 
Responsible-Changed-Why:  
I had lost sight of your PR.  Sorry.
I've committed IPv6 setup support for ipfilter into 5-CURRENT,
but in another way.  Having the setup in rc.network6 breaks consistency
with the IPv4 setup of ipfilter.  So, I added it into rc.network.
I'll do the MFC after 1 week.
Anyway, thank you for your request.

http://www.freebsd.org/cgi/query-pr.cgi?pr=35178 
>Unformatted:
