PSARC/2008/249 Packet interception for the MAC layer
James Carlson
james.d.carlson at sun.com
Wed Apr 9 10:08:19 PDT 2008
Darren Reed writes:
> >Or if "family ether" is a good way to do this, why wouldn't we have
> >"family inet" and "family inet6" and get rid of /etc/ipf/ipf6.conf?
> >
> >What's the intended direction?
>
> In PSARC/2005/201, which was IPv6 for IPFilter, the direction from
> PSARC was to move to a single configuration file for all of the filtering
> statements - thus /etc/ipf/ipf6.conf was introduced as an obsolete
> interface with the understanding that it would be subsumed in the
> future by /etc/ipf/ipf.conf.
Sure. What's confusing me here is that we're not actually getting
that merge. Instead, we're getting something new grafted onto
/etc/ipf/ipf.conf, while IPv6 remains an outpost in
/etc/ipf/ipf6.conf.
> The background here is that the current
> use of IPv6 filtering outside of Solaris uses a separate file. Thus it
> seemed to not make any sense to introduce a new file that would also
> be obsolete at introduction - more importantly, there is no prior history
> in open source for a separate file.
OK ... so if I want to filter IPv6 packets using the new L2 mechanism,
do I put the IPv6 rules into /etc/ipf/ipf.conf alone or do the "family
ether" bits go into /etc/ipf/ipf.conf with the v6 "layer2"-tagged
rules in /etc/ipf/ipf6.conf?
(And, assuming you're not taking the other comments, do I then need
"ip6-head" and perhaps even "ip6-nat" as directives?)
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677