Committing one ipfw(8) userland patch

Rodney W. Grimes freebsd-rwg at gndrsh.dnsmgr.net
Tue Apr 7 23:34:05 UTC 2020


> > -----Original Message-----
> > From: owner-freebsd-hackers at freebsd.org <owner-freebsd-hackers at freebsd.org> On Behalf Of Rodney W. Grimes
> > Sent: Tuesday 7 April 2020 19:35
> > To: lev at freebsd.org
> > Cc: freebsd-hackers at freebsd.org; Andrey V. Elsukov <bu7cher at yandex.ru>;
> > Neel Chauhan <neel at neelc.org>
> > Subject: Re: Committing one ipfw(8) userland patch
> > 
> > > On 07.04.2020 11:28, Andrey V. Elsukov wrote:
> > >
> > > >> I have one patch for the ipfw userland tool:
> > > >> https://reviews.freebsd.org/D24234
> > > >>
> > > >> This patch adds the src-ip4/dst-ip4 and src-ipv4/dst-ipv4 aliases
> > > >> for src-ip/dst-ip commands respectively in IPFW.
> > > >>
> > > >> Could someone please commit this patch?
> > > >
> > > > Can you describe what is the benefit to have all these aliases, when
> > > > after adding the rule you will still see other name. I think this
> > > > makes it more confusing.
> > >  I think, {src|dst}-ip without version should exist only for backward
> > > compatibility and, maybe, produce warnings.
> > 
> > But that is not what this review does.  I would be in support of changing the
> > "official" names to src-ip4/dst-ip4/src-ip6/dst-ip6 and making src-ip/dst-ip a
> > backwards compatible alias.
> > 
> > >
> > >  Why? symmetry & consistency. And equal length of fields in rules for
> > > different versions, too :-)
> > >
> > >  Also, there is confusion with me/me4/me6. When `src-ip` is really
> > > `src-ip4`, what does `me` mean? `me4`? or `me4 OR me6`?
> > 
> > The parts of the rule are not cross applied so this is a non-question,
> > me4 with a src-ip6 matches 0 packets no matter what the values are.
> 
> Currently only me and me6 are implemented, given your comment above does
> that mean that "me" should only match IPv4 packets?

No
Your review adds me4 as an explicit match on ipv4 address only, which is what was agreed to in the review.
"me" should continue to match v4 or v6 packets.

I would expect a me with a src-ip4 modifier to be the "and" of them,
and something silly like me4 with a src-ip6 to be the empty set.

> If that was the intent, it is not what I'm observing with my ruleset that
> uses "me" as destination keyword. IPv6 works fine with it.
> You can find my IPFW ruleset in the review
> https://reviews.freebsd.org/D24021.
> 
> > 
> > One could write syntax checkers to flag this NOP condition.
> > 
> > > --
> > > // Lev Serebryakov
> > --
> > Rod Grimes                                                 rgrimes at freebsd.org

-- 
Rod Grimes                                                 rgrimes at freebsd.org
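
The syntax check mentioned in the thread (flagging a rule such as me4 with src-ip6 that can match no packets), sketched as an added example that is not part of the original message or of ipfw itself. It assumes a rule is a plain AND of its parts, that src-ip/dst-ip are IPv4-only as stated in the thread, and that me4 and the src-ip4/dst-ip4/src-ipv4/dst-ipv4 spellings from the reviews exist; the sample rules are constructed.

```python
# Address families each keyword can match. me4 and the *-ip4 / *-ipv4
# spellings are the ones proposed in the thread and are assumed here.
FAMILY = {
    "me": {4, 6}, "me4": {4}, "me6": {6},
    "src-ip": {4}, "dst-ip": {4},
    "src-ip4": {4}, "dst-ip4": {4},
    "src-ipv4": {4}, "dst-ipv4": {4},
    "src-ip6": {6}, "dst-ip6": {6},
}

def families(rule):
    """Return (families the rule can still match, keywords that constrained it).

    The rule is treated as a plain AND of its parts. Rules with or-blocks
    return None because that assumption does not hold for them.
    """
    tokens = rule.split()
    if any(t == "or" or "{" in t for t in tokens):
        return None
    remaining, seen = {4, 6}, []
    for prev, tok in zip([""] + tokens, tokens):
        # A negated match ("not src-ip6 ...") does not pin the family: skip it.
        if tok in FAMILY and prev != "not":
            remaining = remaining & FAMILY[tok]
            seen.append(tok)
    return remaining, seen

def lint(ruleset):
    """Return [(line_number, message)] for rules whose family set is empty."""
    findings = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        result = families(line)
        if result is not None and not result[0]:
            findings.append((n, "matches no packets: " + " + ".join(result[1])))
    return findings

# Constructed sample ruleset (documentation addresses only).
SAMPLE = """\
add 100 allow tcp from me4 to any src-ip6 2001:db8::1
add 200 allow tcp from any to me dst-ip4 192.0.2.10
add 300 deny ip from any to any not src-ip6 2001:db8::/32 dst-ip 192.0.2.1
add 400 allow ip from me6 to any
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"line {lineno}: {msg}")
```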