When ipfilter is enabled in rc.conf, it loads firewall rules for IPv4. To load rules for IPv6, it's necessary to use ipf -6 <whatever>. Thus, to use ipfilter on an IPv6-enabled computer, a hack to rc.network is necessary to also load rules for IPv6; otherwise, if the kernel option IPFILTER_DEFAULT_BLOCK is used, IPv6 traffic is blocked by default... Fix: Add ipfilter6_rules to rc.conf, giving it the rules file for IPv6. Add an ipfilter test to rc.network6 and load the rules if desired.
How do these patches look? Could you give them a try? Index: etc/rc.network6 =================================================================== RCS file: /export/freebsd/ncvs/src/etc/rc.network6,v retrieving revision 1.28 diff -u -r1.28 rc.network6 --- etc/rc.network6 15 Dec 2001 03:59:47 -0000 1.28 +++ etc/rc.network6 25 Feb 2002 23:51:08 -0000 @@ -68,6 +68,43 @@ network6_pass1() { echo -n 'Doing IPv6 network setup:' + # Establish ipfilter ruleset as early as possible (best in + # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) + + # check whether ipfilter for IPv6 + ipfilter_active="NO" + case ${ipfilter6_enable} in + [Yy][Ee][Ss]) + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' + # avoid further errors + ipfilter6_enable="NO" + fi + fi + case "${ipfilter6_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter6_flags}" ]; then + echo -n ' ipfilter-IPv6' + ${ipfilter_program:-/sbin/ipf} -6 -Fa -f \ + "${ipfilter6_rules}" ${ipfilter6_flags} + else + ipfilter6_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + ;; + esac + # Initialize IP filtering using ip6fw # if /sbin/ip6fw -q flush > /dev/null 2>&1; then Index: etc/defaults/rc.conf =================================================================== RCS file: /export/freebsd/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.139 diff -u -r1.139 rc.conf --- etc/defaults/rc.conf 20 Feb 2002 10:30:56 -0000 1.139 +++ etc/defaults/rc.conf 25 Feb 2002 23:52:12 -0000 
@@ -67,6 +67,9 @@ ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="" # additional flags for ipfilter +ipfilter6_enable="NO" # Set to YES to enable IPv6 ipfilter +ipfilter6_rules="/etc/ipf6.rules" # rules definition file for IPv6 ipfilter +ipfilter6_flags="" # additional flags for IPv6 ipfilter ipnat_enable="NO" # Set to YES to enable ipnat functionality ipnat_program="/sbin/ipnat" # where the ipnat program lives ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org
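Review bot: in the rc.network6 hunk the readability test guards the wrong variable: `if [ -r "${ipfilter6_flags}" ]; then` tests the flags string, which the rc.conf hunk defaults to "", so the else branch always fires, sets `ipfilter6_enable="NO"`, prints ' NO IPF RULES' and the rules are never loaded; it should be `if [ -r "${ipfilter6_rules}" ]; then`, the same file passed to `-f`. Two smaller points in the same hunk: `ipfilter_active` is set from `${ipfilter6_enable}` and then `${ipfilter6_enable}` is tested again after the kldload, so one of the two case blocks is redundant, and the comment `# check whether ipfilter for IPv6` is missing its verb. The `-6 -Fa` in `${ipfilter_program:-/sbin/ipf} -6 -Fa -f \` also deserves a comment on its scope, since this runs after rc.network has already loaded the IPv4 set.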
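Review bot: the rc.conf hunk adds enable/rules/flags knobs but no `ipfilter6_program`, while the rc.network6 hunk falls back to `${ipfilter_program:-/sbin/ipf}`; that is reasonable, but the comment on `ipfilter6_rules="/etc/ipf6.rules"` should say that the IPv4 `ipfilter_program` setting is reused, and should point at example rules the way `ipfilter_rules` points at /usr/src/contrib/ipfilter/rules, so that rc.conf(5) can document both consistently.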
On Tue, Feb 26, 2002 at 03:20:02AM -0800, Crist J. Clark wrote: > + case "${ipfilter6_enable}" in > + [Yy][Ee][Ss]) > + if [ -r "${ipfilter6_flags}" ]; then > + echo -n ' ipfilter-IPv6' > + ${ipfilter_program:-/sbin/ipf} -6 -Fa -f \ I think you should check for ipfilter_active as well, because ipf -6 -Fa flushes ipv4 rules too. If ipfilter_active is true, then maybe only ipf -6 -f? Jeremy
On Fri, Mar 01, 2002 at 09:08:46AM -0600, Jeremy Norris wrote: > On Tue, Feb 26, 2002 at 03:20:02AM -0800, Crist J. Clark wrote: > > + case "${ipfilter6_enable}" in > > + [Yy][Ee][Ss]) > > + if [ -r "${ipfilter6_flags}" ]; then > > + echo -n ' ipfilter-IPv6' > > + ${ipfilter_program:-/sbin/ipf} -6 -Fa -f \ > > I think you should check for ipfilter_active as well, because ipf -6 -Fa > flushes ipv4 rules too. If ipfilter_active is true, then maybe only ipf -6 -f? The problem with that is ipfilter_active would not be available at this point. It is local to the network_pass1() function in rc.network. It is possible to make it global, but very kludgey, passing data between the scripts in that way. In my scripts, I've just dropped the flush completely. It doesn't really seem all that necessary to me. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org
On Fri, Mar 01, 2002 at 08:37:05AM -0800, Crist J. Clark wrote: > The problem with that is ipfilter_active would not be available at > this point. It is local to the network_pass1() function in > rc.network. It is possible to make it global, but very kludgey, > passing data between the scripts in that way. In my scripts, I've just > dropped the flush completely. It doesn't really seem all that > necessary to me. Except it will flush all your ipv4 rules, leaving you with either all ipv4 passed in and out or all blocked in and out if you compiled with IPFILTER_DEFAULT_BLOCK. Jeremy
On Fri, Mar 01, 2002 at 11:19:18AM -0600, Jeremy Norris wrote: > On Fri, Mar 01, 2002 at 08:37:05AM -0800, Crist J. Clark wrote: > > The problem with that is ipfilter_active would not be available at > > this point. It is local to the network_pass1() function in > > rc.network. It is possible to make it global, but very kludgey, > > passing data between the scripts in that way. In my scripts, I've just > > dropped the flush completely. It doesn't really seem all that > > necessary to me. > > Except it will flush all your ipv4 rules, leaving you with either all ipv4 > passed in and out or all blocked in and out if you compiled with > IPFILTER_DEFAULT_BLOCK. Huh? I said "I've dropped the flush completely." -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org
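The problem statement at the top of the PR and the flush discussion above are easiest to see in a dry run. The script below is an added example, not the patch from this PR or FreeBSD's rc code: it builds (without executing) the ipf(8) command line an rc script would run for the IPv6 rule set, checks the rules file rather than the flags string, and only adds the `-Fa` flush when the IPv4 set is not enabled, following the concern raised in the thread that a flush clears the whole table. `checkyesno` is a local re-implementation of the yes/no test, and the rc.conf knob names are the ones from the patch.

```shell
#!/bin/sh
# Added example: dry-run builder for the IPv6 ipfilter load command.
# Assumes the rc.conf knobs from the PR patch (ipfilter_enable,
# ipfilter6_enable, ipfilter6_rules, ipfilter6_flags) and the IPv4
# ipfilter_program setting; nothing here runs ipf(8) itself.

# Yes/no test in the style of the case patterns used in the patch
# (hypothetical helper, written for this example).
checkyesno() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# Print the command that loads the IPv6 rule set, or print nothing and
# return non-zero when it must not run.
#   $1 = ipfilter_enable   (IPv4 set already loaded by rc.network?)
#   $2 = ipfilter6_enable  (IPv6 set wanted at all?)
#   $3 = ipfilter6_rules   (rules file; must be readable)
#   $4 = ipfilter6_flags   (extra ipf flags, may be empty)
# -Fa is only emitted when no IPv4 rules are in place, because the thread
# notes that a flush removes every rule regardless of address family.
ipf6_cmdline() {
    v4_enable=$1 v6_enable=$2 rules=$3 flags=$4
    prog=${ipfilter_program:-/sbin/ipf}
    checkyesno "$v6_enable" || return 1
    # Test the rules file, not the flags string (the bug in the patch).
    if [ ! -r "$rules" ]; then
        echo "NO IPF RULES for IPv6: $rules" >&2
        return 2
    fi
    if checkyesno "$v4_enable"; then
        flush=""        # IPv4 rules already loaded: do not wipe them
    else
        flush="-Fa "    # nothing loaded yet: start from an empty table
    fi
    echo "$prog -6 ${flush}-f $rules${flags:+ $flags}"
}
```

Run it with constructed values to compare the two cases, e.g. `ipf6_cmdline YES YES /etc/ipf6.rules ""` against `ipf6_cmdline NO YES /etc/ipf6.rules ""`; the first omits the flush, the second keeps it.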
On Fri, Mar 01, 2002 at 08:37:05AM -0800, Crist J. Clark wrote: > The problem with that is ipfilter_active would not be available at > this point. It is local to the network_pass1() function in > rc.network. It is possible to make it global, but very kludgey, > passing data between the scripts in that way. In my scripts, I've just > dropped the flush completely. It doesn't really seem all that > necessary to me. Crist, This pr + the patch you posted seem to have fallen through the cracks. Could you consider committing it to -current without the flush? It would be nice to get it into 4.7. Nick
State Changed From-To: open->closed I had lost track of your PR. Sorry. I've committed support for the IPv6 setup of ipfilter into 5-CURRENT, but in another way. Having the setup in rc.network6 breaks consistency with the IPv4 setup of ipfilter, so I added it into rc.network. I'll do an MFC after 1 week. Anyway, thank you for your request.
Responsible Changed From-To: freebsd-bugs->ume