Current-Users archive


Re: netbsd-7 ipfilter failure?



Alan Barrett <apb%cequrux.com@localhost> writes:

> On Wed, 29 Oct 2014, Greg Troxel wrote:
>> My impression has always been that ipf6.conf is loaded with -6 and
>> contains only IPv6 rules, and that ipf.conf is loaded without -6 and
>> contains only IPv4 rules.  I have not found this confusing or
>> troublesome.
>
> I find it problematic that there is no documentation for ip6.conf, and
> very little documentation for ipf(8)'s "-6" option.  Most of our
> differences seem to come down to your experience being at odds with my
> reading of what little documentation exists.  I have no experience
> using IPv6 with ipf.

I did not mean to argue that the current situation is ok; I was just
trying to bring up whether we had a functionality issue vs a doc issue.

I just saw Robert's pointer to Darren's note about the ruleset
unification (which seems like a good idea, really).

I realized that the systems I'm talking about are a mix of -5 and -6,
which is 4.1.29 and 4.1.34.  So this combined ruleset behavior isn't
happening for me, which is why my 2 files, 2 proto families world is ok.

So probably the fixes are:

  Document ipf's -6 flag (as loading a ruleset with implicit "family
  inet6"), and that this is deprecated.

  Add an ipf6.conf man page, and say that it's deprecated and that rules
  should be merged into ipf.conf, and "see also ipf -6".

  Have /etc/rc.d/ipfilter warn if ipf6.conf exists.

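One shape the last proposed fix could take, as an added example and not code from this thread or from NetBSD's actual /etc/rc.d/ipfilter: a POSIX sh function that an rc.d(8) script could call before loading rules, so that a leftover ipf6.conf is noticed instead of being silently skipped once rulesets are unified. The function name, the default path and the wording of the warning are assumptions.

```shell
# Hypothetical check for the rc.d/ipfilter proposal above (not NetBSD's script).
# Warns on stderr when a legacy IPv6-only ruleset file is still present.
#   $1: path of the legacy ruleset (defaults to /etc/ipf6.conf)
#   exit status: 0 if the file is absent, 1 if it exists (warning printed)
ipf6conf_check() {
    _conf6="${1:-/etc/ipf6.conf}"
    if [ -f "$_conf6" ]; then
        echo "WARNING: $_conf6 exists; ipf6.conf is deprecated." >&2
        echo "         Merge its rules into /etc/ipf.conf using \"family inet6\"" >&2
        echo "         (see ipf(8) for the -6 flag)." >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: check the default location (or a path given as $1).
ipf6conf_check "$1"
```

An rc.d script would typically run this from a start_precmd so the warning appears during boot or `service ipfilter start`; returning non-zero leaves it to the caller to decide whether that should abort loading or merely warn.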


