Greg Troxel wrote:
>Alan Barrett writes:
>
>> I can't find any documentation for the /etc/ipf6.conf file, so I don't
>> know what the intended semantics of /etc/ipf6.conf are. ("man
>> ipf6.conf" simply displays the ipf.conf man page, which does not
>> explain the ipf6.conf file.) The implementation in /etc/rc.d/ipfilter
>> loads the ipf6.conf file with ipf(8) commands that use the "-6"
>> command line option, which is documented as "This option is required
>> to parse IPv6 rules and to have them loaded."
>>
>> The "-6" option is not documented to imply that any rules in the file
>> are IPv6-only, so I think it's wrong to assume that rules in
>> /etc/ipf6.conf are IPv6 firewall rules; they are simply firewall rules
>> that might or might not apply to IPv6, and you should further qualify
>> the rules with "family" clauses that match the desired address family,
>> or "from" or "to" clauses that imply an address family.
>
>My impression has always been that ipf6.conf is loaded with -6 and
>contains only IPv6 rules, and that ipf.conf is loaded without -6 and
>contains only IPv4 rules. I have not found this confusing or
>troublesome. On some systems I have fairly different v4 and v6 rules,
>and they have worked as expected (from a 2-table separate-world POV).
>
>Is there actually only one ruleset? Are rules loaded with -6 actually
>evaluated for IPv4 packets?
There is only one ruleset and there should be only one rule file; see this email from Darren Reed:

<http://mail-index.netbsd.org/tech-net/2012/10/28/msg003697.html>

Robert Swindells
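An added illustration, not part of this thread and not NetBSD's shipped configuration: a single rule file in which every rule is pinned to one address family, either with an explicit "family" clause or through "from"/"to" addresses that can only belong to one family, so nothing depends on which of ipf.conf or ipf6.conf a rule happened to live in. It assumes the ipf 5.x rule grammar, where `family inet` / `family inet6` is accepted as a rule option after the interface; the interface name wm0 and the address prefixes are made up.

```conf
# Constructed example: one ipf.conf loaded once; wm0 and all prefixes are hypothetical.

# Explicit family qualification: the same service, one rule per family.
pass in quick on wm0 family inet  proto tcp from any to 192.0.2.10/32   port = 22 flags S keep state
pass in quick on wm0 family inet6 proto tcp from any to 2001:db8::10/128 port = 22 flags S keep state

# Family implied by the addresses: an IPv4 prefix can never match an IPv6 packet
# and vice versa, so no "family" clause is needed here.
pass in quick on wm0 proto icmp from 192.0.2.0/24 to any
pass in quick on wm0 proto 58   from 2001:db8::/32 to any

# Stateful outbound and a final catch-all, both deliberately family-neutral.
pass out quick on wm0 all keep state
block in log quick on wm0 all
```

The point of the last two rules is the one under discussion: a rule with no family clause and no family-specific addresses applies to whatever the single ruleset sees, so anything meant to be IPv4-only or IPv6-only has to say so itself rather than rely on the file it was loaded from.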
