From: Ian! D. A. <id...@id...> - 2005-01-11 19:09:43
Tom:
>a) Should the IPV4 and IPV6 configurations be in the same directory
Yes.
If you really want to give people flexibility (always good to duck
the issue), define an "IPV6_DIR" variable that has an initial value of
"." and tell people to put their IPV6 files under that directory.
They could define the variable to be "ipv6" and thus all their v6
files would be under /etc/shorewall/ipv6, or they could define it as
"/etc/foo", in which case all their v6 files would be under /etc/foo;
but, the default would be "." (under /etc/shorewall).
Tom:
>c) If I can resolve parsing and other issues, should I always attempt to
>have a single file rather than two (I think so)?
Yes.
Paul said:
>My general approach to any future IPv6 upgrade is that I see IPv6 as a
>different addressing scheme, but it shouldn't make my network work much
>differently. I'll still have the same zones and the same rules between
>them, just different addresses in them. Therefore, I think IPv6 should
>be supported in as similar a manner as possible to IPv4. Thus I think
>we should use the same zones, with the same policies and rules, in
>the same files, as far as practical.
I agree with that. If people need special rules for V4 or V6, we have
two choices:
1) Use separate files.
pro: easy to parse
con: harder to edit (rules spread among files)
2) Use a prefix on the lines in the current file, e.g. stick
"V4" or "V6" in front of lines that don't apply to both protocols.
pro: harder to parse, a bit ugly to look at
con: easier to maintain (all rules in one file)
I'm liking the prefix concept, with a transition phase where shorewall
"assumes" (with a warning) a V4 prefix in front of things that don't
apply to V6. After a few releases, remove the assumption and change
the warning to an error, requiring people to use the correct prefixes.
Tom:
>b) Should there be a single POLICY for traffic between each ordered pair
>of zones or should there be separate IPV4 and IPV6 policies?
Start with one policy file. Use prefixes if people need to split it up.
Tom:
>So you think it is okay for users to have to move all of their DNAT and
>REDIRECT rules from 'rules' to 'rules.ipv4' as part of the upgrade
>(given that there is no NAT support for IPV6)?
No, shorewall should have a transitional phase where it warns people about
things that don't apply to V4 or V6. (See my comment on prefixes, above.)
--
-IAN! Ian! D. Allen Ottawa, Ontario, Canada
EMail: id...@id... WWW: http://www.idallen.com/
College professor (Linux) via: http://teaching.idallen.com/
Support free and open public digital rights: http://eff.org/
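An added example (my own illustration, not Shorewall's code) of the prefix-and-transition scheme discussed in this message: a small parser that accepts an optional V4/V6 prefix on rule lines, assumes V4 with a warning for the actions the thread names as IPv4-only (DNAT, REDIRECT), and turns that warning into an error once "strict" mode is switched on. The rule-file layout, the helper names and the sample lines are assumptions made for the illustration.

```python
from typing import NamedTuple

# Actions with no IPv6 equivalent in this discussion (no NAT support for IPv6).
V4_ONLY_ACTIONS = {"DNAT", "REDIRECT"}
ALL_PROTOCOLS = frozenset(["V4", "V6"])

class Rule(NamedTuple):
    protocols: frozenset   # which address families the line applies to
    action: str            # ACCEPT, DNAT, REDIRECT, ...
    fields: tuple          # remaining columns, kept verbatim
    lineno: int

def parse_rules(text, strict=False):
    """Parse rule lines carrying an optional leading V4/V6 prefix.

    Transitional phase (strict=False): an unprefixed IPv4-only action is
    accepted with a warning and treated as if it had a V4 prefix.
    Later phase (strict=True): the same line is rejected with an error.
    Returns (rules, diagnostics) where diagnostics is a list of (level, message).
    """
    rules, diags = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        protos = ALL_PROTOCOLS
        if fields[0] in ("V4", "V6"):                # explicit prefix wins
            protos, fields = frozenset([fields[0]]), fields[1:]
        if not fields:
            diags.append(("ERROR", f"line {lineno}: prefix without a rule"))
            continue
        action = fields[0]
        if action in V4_ONLY_ACTIONS and "V6" in protos:
            msg = f"line {lineno}: {action} has no IPv6 equivalent; use a V4 prefix"
            if strict:
                diags.append(("ERROR", msg))
                continue
            diags.append(("WARNING", msg + " (assuming V4)"))
            protos = frozenset(["V4"])
        rules.append(Rule(protos, action, tuple(fields[1:]), lineno))
    return rules, diags

def rules_for(protocol, rules):
    """Select the rules that apply to one address family ("V4" or "V6")."""
    return [r for r in rules if protocol in r.protocols]

# Constructed sample, not a real configuration file.
SAMPLE_RULES = """\
ACCEPT      net   fw              tcp   22     # applies to both families
DNAT        net   loc:10.0.0.5    tcp   80     # unprefixed: warned, assumed V4
V4 REDIRECT loc   3128            tcp   80     # explicitly IPv4-only
V6 ACCEPT   net   fw              tcp   443    # explicitly IPv6-only
"""
```

Running `parse_rules(SAMPLE_RULES)` yields one warning for the DNAT line, while `parse_rules(SAMPLE_RULES, strict=True)` drops that line with an error instead.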