Current-Users archive


Re: netbsd-7 ipfilter failure?

Greg Troxel wrote:
>Alan Barrett <apb%cequrux.com@localhost> writes:
>
>> I can't find any documentation for the /etc/ipf6.conf file, so I don't
>> know what the intended semantics of /etc/ipf6.conf are. ("man
>> ipf6.conf" simply displays the ipf.conf man page, which does not
>> explain the ipf6.conf file.)  The implementation in /etc/rc.d/ipfilter
>> loads the ipf6.conf file with ipf(8) commands that use the "-6"
>> command line option, which is documented as "This option is required
>> to parse IPv6 rules and to have them loaded."
>>
>> The "-6" option is not documented to imply that any rules in the file
>> are IPv6-only, so I think it's wrong to assume that rules in
>> /etc/ip6.conf are IPv6 firewall rules; they are simply firewall rules
>> that might or might not apply to IPv6, and you should further qualify
>> the rules with "family" clauses that match the desired address family,
>> or "from" or "to" clauses that imply an address family.
>
>My impression has always been that ipf6.conf is loaded with -6 and
>contains only IPv6 rules, and that ipf.conf is loaded without -6 and
>contains only IPv4 rules.  I have not found this confusing or
>troublesome.  On some systems I have fairly different v4 and v6 rules,
>and they have worked as expected (from a 2-table separate-world POV).
>
>Is there actually only one ruleset?   Are rules loaded with -6 actually
>evaluated for IPv4 packets?

There is only one ruleset and should be only one rule file, see this
email from Darren Reed:

<http://mail-index.netbsd.org/tech-net/2012/10/28/msg003697.html>

Robert Swindells
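Added example (not part of the thread, and not NetBSD's shipped /etc/ipf.conf): an ipf.conf fragment written the way Alan Barrett's message suggests, with every rule carrying either a "family" clause or a "from"/"to" address that implies the family, so that the file it was loaded from, and whether "ipf -6" was used, never decides which packets a rule matches. The interface name wm0 and the address blocks are constructed; the clause order "quick on <if> family <inet|inet6>" is assumed from ipf.conf(5) for ipfilter 5.x.

```conf
# Loopback: no family or address qualifier, so these match IPv4 and IPv6 alike.
pass in  quick on lo0 all
pass out quick on lo0 all

# Explicit family clauses: the rule itself says which family it covers,
# regardless of whether it sits in ipf.conf or ipf6.conf.
block in quick on wm0 family inet  all
block in quick on wm0 family inet6 all

# Family implied by "from"/"to": an IPv4 prefix can only match IPv4
# packets and an IPv6 prefix only IPv6 packets. (192.0.2.0/24 and
# 2001:db8::/32 are documentation prefixes, constructed for this example.)
pass in quick on wm0 proto tcp from 192.0.2.0/24  to any port = 22 flags S keep state
pass in quick on wm0 proto tcp from 2001:db8::/32 to any port = 22 flags S keep state

# Neighbour discovery needs ICMPv6; qualifying by family makes it explicit
# that this is an IPv6 rule even if the file is ever loaded without -6.
pass in quick on wm0 family inet6 proto ipv6-icmp from any to any keep state
```

With rules written this way, a single combined file and a split ipf.conf/ipf6.conf pair load to the same effective ruleset, which is the safer assumption given that there is only one ruleset underneath.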

