Hi,

On Thursday 29 April 2010 11:31:06 Andrew Byrne wrote:
> > So I gave it a try now and it works well for me, will do some more ipv6
> > testing in the next days. I also ported several fixes from the trunk
> > version of the uci firewall, added some compat code and hotplug events.

Thanks!  I tried to keep the firewall as backwards compatible as possible, e.g. 
I changed almost no chain names and tried not to modify the packet flow 
through the chains, even though I really would have liked to, because some of the 
(I guess historically grown) flow doesn't really make sense (and seemed to be 
buggy).  I'd love to go for a v3 with a completely new chain design, just got 
to find my notes from last year :)

But some breakage with custom scripts hacking the chains was unavoidable I 
guess, so that's where people have to watch out.
 
> > Attached are two patches, one against package/firewall from current
> > trunk (for users who want to try it) and one against the latest rev from
> > your git repository. Maybe you want to review it.

Thanks, I'll do so when I've got a spare moment.

> > If testing reveals no further issues, I'll replace the default firewall
> > was your improved version.
> 
> I have also created an IPv6 firewall package, based directly off
> firewall.  It's called firewall6.  I wasn't sure if it would be better
> to add IPv6 into the existing package, or have a completely separate
> package.
> 
> For consideration.
> 
> http://nativev6.googlecode.com/svn/packages/firewall6/

I first went the same way you did but then came to the conclusion that this 
code duplication has two disadvantages:  (a) code duplication has to be kept 
in sync and (b) it might (IMO) confuse the user if a (especially DENY) rule he 
set up in the firewall config isn't applied for firewall6, i.e. IPv6.  Or not 
really confused but annoyed once someone uses the hole in the firewall.  That's why I 
went for the design described in the first RFC [3] and the later patch mail 
[1] which applies rules to both protocols if no protocol is specified.

Cheers,
Malte

[3] http://thread.gmane.org/gmane.comp.embedded.openwrt.devel/3387

P.S.:  I lied in my last mail, I indeed got bit of (positive) feedback on my 
very first mail and I'm thankful for that.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
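The both-protocols dispatch Malte describes above, as an added example that is not code from the OpenWrt firewall package or from firewall6: a rule whose family is unspecified is rendered for iptables and ip6tables alike, so a DENY rule cannot apply to IPv4 only. The family values (ipv4, ipv6, any or empty), the chain name input_rule and the sample rule set are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the OpenWrt firewall's own code.  Renders (never runs)
# the netfilter commands for a small rule set, emitting every rule that names
# no protocol family for both stacks.  Family values, the chain name
# input_rule and the sample rules below are constructed assumptions.

# Print the binaries a rule with family "$1" must be applied to.
fw_binaries_for_family() {
    case "$1" in
        ipv4)   echo "iptables" ;;
        ipv6)   echo "ip6tables" ;;
        ""|any) echo "iptables ip6tables" ;;   # no family given: both stacks
        *)      echo "unknown family: $1" >&2; return 1 ;;
    esac
}

# Render the commands for one rule.  Arguments: family target iface proto dport
fw_rule_cmds() {
    _fam="$1"; _target="$2"; _iface="$3"; _proto="$4"; _dport="$5"
    _bins=$(fw_binaries_for_family "$_fam") || return 1
    for _bin in $_bins; do
        printf '%s -A input_rule -i %s -p %s --dport %s -j %s\n' \
            "$_bin" "$_iface" "$_proto" "$_dport" "$_target"
    done
}

# Constructed sample rule set, one rule per line: family target iface proto dport.
# The first rule gives no real family, so it must land in both tables.
FW_SAMPLE_RULES='
any DROP eth1 tcp 23
ipv4 ACCEPT eth1 udp 67
ipv6 ACCEPT eth1 udp 546
'

# Render the whole sample rule set.
fw_render_rules() {
    printf '%s\n' "$FW_SAMPLE_RULES" | while read -r _f _t _i _p _d; do
        [ -n "$_t" ] || continue          # skip blank lines
        fw_rule_cmds "$_f" "$_t" "$_i" "$_p" "$_d"
    done
}

# Count rendered commands that target the given binary (iptables or ip6tables);
# equal counts for the DROP rule show no IPv6 hole is left open.
fw_count_for() {
    fw_render_rules | grep -c "^$1 "
}

fw_render_rules
```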