Split $ipv6_prefer into $ip6addrctl_policy and $ipv6_activate_all_interfaces.

The $ip6addrctl_policy is a variable to choose a pre-defined address selection policy set by ip6addrctl(8). The keyword "ipv4_prefer" sets IPv4-preferred one described in Section 10.3, the keyword "ipv6_prefer" sets IPv6-preferred one in Section 2.1 in RFC 3484, respectively. When "AUTO" is specified, it attempts to read /etc/ip6addrctl.conf first. If it is found, it reads and installs it as a policy table. If not, either of the two pre-defined policy tables is chosen automatically according to $ipv6_activate_all_interfaces. When $ipv6_activate_all_interfaces=NO, interfaces which have no corresponding $ifconfig_IF_ipv6 is marked as IFDISABLED for security reason. The default values are ip6addrctl_policy=AUTO and ipv6_activate_all_interfaces=NO. Discussed with: ume and bz
2010-09-13 19:55:40 +00:00 · 2010-09-13 19:55:40 +00:00 · ab8bbcbaf3
commit ab8bbcbaf3
parent 462966ddac
6 changed files with 128 additions and 38 deletions
--- a/19
+++ b/19
@ -22,6 +22,25 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 9.x IS SLOW:
 	machines to maximize performance.  (To disable malloc debugging, run
 	ln -s aj /etc/malloc.conf.)

+20100913:
+	The $ipv6_prefer variable in rc.conf(5) has been split into
+	$ip6addrctl_policy and $ipv6_activate_all_interfaces.
+
+	The $ip6addrctl_policy is a variable to choose a pre-defined
+	address selection policy set by ip6addrctl(8).  A value
+	"ipv4_prefer", "ipv6_prefer" or "AUTO" can be specified.  The
+	default is "AUTO".
+
+	The $ipv6_activate_all_interfaces specifies whether IFDISABLED
+	flag (see an entry of 20090926) is set on an interface with no
+	corresponding $ifconfig_IF_ipv6 line.  The default is "NO" for
+	security reason.  If you want IPv6 link-local address on all
+	interfaces by default, set this to "YES".
+
+	The old ipv6_prefer="YES" is equivalent to
+	ipv6_activate_all_interfaces="YES" and
+	ip6addrctl_policy="ipv6_prefer".
+
 20100913:
 	DTrace has grown support for userland tracing. Due to this, DTrace is
 	now i386 and amd64 only.
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -446,6 +446,10 @@ icmp_bmcastecho="NO"	# respond to broadcast ping packets
 ### IPv6 options: ###
 ipv6_network_interfaces="auto"	# List of IPv6 network interfaces
 				# (or "auto" or "none").
+ipv6_activate_all_interfaces="NO"	# If NO, interfaces which have no
+					# corresponding $ifconfig_IF_ipv6 is
+					# marked as IFDISABLED for security
+					# reason.
 ipv6_defaultrouter="NO"		# Set to IPv6 default gateway (or NO).
 #ipv6_defaultrouter="2002:c058:6301::"	# Use this for 6to4 (RFC 3068)
 ipv6_static_routes=""		# Set to static route list (or leave empty).
@ -506,7 +510,8 @@ ipv6_ipfilter_rules="/etc/ipf6.rules"	# rules definition file for ipfilter,
 					# for examples
 ip6addrctl_enable="YES"	# Set to YES to enable default address selection
 ip6addrctl_verbose="NO"	# Set to YES to enable verbose configuration messages
-ipv6_prefer="NO"	# Use IPv6 when both IPv4 and IPv6 can be used
+ip6addrctl_policy="AUTO"	# A pre-defined address selection policy
+				# (ipv4_prefer, ipv6_prefer, or AUTO)

 ##############################################################
 ###  System console options  #################################
--- a/etc/network.subr
+++ b/etc/network.subr
@ -100,7 +100,7 @@ ifconfig_up()
 				_ipv6_opts="-accept_rtadv"
 			fi
 		else
-			if checkyesno ipv6_prefer; then
+			if checkyesno ipv6_activate_all_interfaces; then
 				_ipv6_opts="-ifdisabled"
 			else
 				_ipv6_opts="ifdisabled"
--- a/etc/rc.d/ip6addrctl
+++ b/etc/rc.d/ip6addrctl
@ -19,8 +19,10 @@ extra_commands="status prefer_ipv6 prefer_ipv4"
 status_cmd="ip6addrctl"
 prefer_ipv6_cmd="ip6addrctl_prefer_ipv6"
 prefer_ipv4_cmd="ip6addrctl_prefer_ipv4"
+config_file="/etc/ip6addrctl.conf"

-set_rcvar_obsolete ipv6_enable ipv6_prefer
+set_rcvar_obsolete ipv6_enable ipv6_activate_all_interfaces
+set_rcvar_obsolete ipv6_prefer ip6addrctl_policy

 ip6addrctl_prefer_ipv6()
 {
@ -53,17 +55,40 @@ ip6addrctl_start()
 	afexists inet6 || return 0

 	# install the policy of the address selection algorithm.
-	if [ -f /etc/ip6addrctl.conf ]; then
-		ip6addrctl flush >/dev/null 2>&1
-		ip6addrctl install /etc/ip6addrctl.conf
-		checkyesno ip6addrctl_verbose && ip6addrctl
-	else
-		if checkyesno ipv6_prefer; then
-			ip6addrctl_prefer_ipv6
+	case "${ip6addrctl_policy}" in
+	[Aa][Uu][Tt][Oo])
+		if [ -r "${config_file}" -a -s "${config_file}" ]; then
+			ip6addrctl flush >/dev/null 2>&1
+			ip6addrctl install "${config_file}"
+			checkyesno ip6addrctl_verbose && ip6addrctl
 		else
-			ip6addrctl_prefer_ipv4
+			if checkyesno ipv6_activate_all_interfaces; then
+				ip6addrctl_prefer_ipv6
+			else
+				ip6addrctl_prefer_ipv4
+			fi
 		fi
-	fi
+	;;
+	ipv4_prefer)
+		ip6addrctl_prefer_ipv4
+	;;
+	ipv6_prefer)
+		ip6addrctl_prefer_ipv6
+	;;
+	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1)
+		# Backward compatibility when ipv6_prefer=YES
+		ip6addrctl_prefer_ipv6
+	;;
+	[Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0)
+		# Backward compatibility when ipv6_prefer=NO
+		ip6addrctl_prefer_ipv4
+	;;
+	*)
+		warn "\$ip6addrctl_policy is invalid: ${ip6addrctl_policy}. " \
+		    " \"ipv4_prefer\" is used instead."
+		ip6addrctl_prefer_ipv4
+	;;
+	esac
 }

 ip6addrctl_stop()
--- a/etc/rc.d/netif
+++ b/etc/rc.d/netif
@ -41,7 +41,8 @@ clonedown_cmd="clone_down"
 extra_commands="cloneup clonedown"
 cmdifn=

-set_rcvar_obsolete ipv6_enable ipv6_prefer
+set_rcvar_obsolete ipv6_enable ipv6_activate_all_interfaces
+set_rcvar_obsolete ipv6_prefer

 network_start()
 {
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -1269,41 +1269,49 @@ If the variable is
 is added to all of
 .Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
 and the
-.Va ipv6_prefer
+.Va ipv6_activate_all_interfaces
 is defined as
 .Dq Li YES .
 .Pp
 This variable is deprecated.  Use
-.Va ipv6_prefer
+.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
 and
-.Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 .
+.Va ipv6_activate_all_interfaces
+if necessary.
 .It Va ipv6_prefer
 .Pq Vt bool
-This variable does the following:
-.Pp
 If the variable is
 .Dq Li YES ,
-the default policy of the source address selection set by
+the default address selection policy table set by
 .Xr ip6addrctl 8
 will be IPv6-preferred.
 .Pp
 If the variable is
 .Dq Li NO ,
-the default policy of the source address selection set by
+the default address selection policy table set by
 .Xr ip6addrctl 8
-will be IPv4-preferred, and all of interfaces which does not have the
-corrsponding
+will be IPv4-preferred.
+.Pp
+This variable is deprecated.  Use
+.Va ip6addtctl_policy
+instead.
+.It Va ipv6_activate_all_interfaces
+If the variable is
+.Dq Li NO ,
+all of interfaces which do not have the corrsponding
 .Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
 variable will be marked as
-.Dq Li IFDISABLED .
-This means only IPv6 functionality on that interface is completely
-disabled.  For more details of
+.Dq Li IFDISABLED
+for security reason.  This means only IPv6 functionality on that interface
+is completely disabled.  For more details of
 .Dq Li IFDISABLED
 flag and keywords
 .Dq Li inet6 ifdisabled ,
 see
 .Xr ifconfig 8 .
 .Pp
+Default is
+.Dq Li NO .
 .It Va ipv6_privacy
 .Pq Vt bool
 If the variable is
@ -1316,6 +1324,8 @@ This is the IPv6 equivalent of
 .Va network_interfaces .
 Normally manual configuration of this variable is not needed.
 .Pp
+.It Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6
+.Pq Vt str
 IPv6 functionality on an interface should be configured by
 .Va ifconfig_ Ns Ao Ar interface Ac Ns _ipv6 ,
 instead of setting ifconfig parameters in
@ -1354,22 +1364,52 @@ this is the default output interface for scoped addresses.
 This works only with ipv6_gateway_enable="NO".
 .It Va ip6addrctl_enable
 .Pq Vt bool
-If set to
-.Dq Li YES ,
-install default address selection policy table
+This variable is to enable configuring default address selection policy table
 .Pq RFC 3484 .
-If a file
-.Pa /etc/ip6addrctl.conf
-is found the
+The table can be specified in another variable
+.Va ip6addrctl_policy .
+For
+.Va ip6addrctl_policy
+the following keywords can be specified:
+.Dq Li ipv4_prefer ,
+.Dq Li ipv6_prefer ,
+or
+.Dq Li AUTO .
+.Pp
+If
+.Dq Li ipv4_prefer
+or
+.Dq Li ipv6_prefer
+is specified,
 .Xr ip6addrctl 8
-reads and installs it.
-If not, a pre-defined policy table will be installed.
-There are two pre-defined ones; IPv4-preferred and IPv6-preferred.
-If set
-.Va ipv6_prefer
-variable to
+installs a pre-defined policy table described in Section 2.1
+.Pq IPv6-preferred
+or 10.3
+.Pq IPv4-preferred
+of RFC 3484.
+.Pp
+If
+.Dq Li AUTO
+is specified, it attempts to read a file
+.Pa /etc/ip6addrctl.conf
+first.  If this file is found,
+.Xr ip6addrctl 8
+reads and installs it.  If not found, a policy is automatically set
+according to
+.Va ipv6_activate_all_interfaces
+variable; if the variable is set to
 .Dq Li YES
-the IPv6-preferred one is used. Default is IPv4-preferred.
+the IPv6-preferred one is used.  Otherwise IPv4-preferred.
+.Pp
+The default value of
+.Va ip6addrctl_enable
+and
+.Va ip6addrctl_policy
+are
+.Dq Li YES
+and
+.Dq Li AUTO ,
+respectively.
 .It Va cloned_interfaces
 .Pq Vt str
 Set to the list of clonable network interfaces to create on this host.