To: FreeBSD Current
From: Ian FREISLICH
Date: Wed, 11 Apr 2007 15:49:59 +0200
Subject: [patch] move ipfw logging to after syslogd

Hi

We have a problem that on our busy firewalls, a boot and shutdown can be delayed by up to 20 minutes by the kernel printing log messages for denied packets to the console. The problem is that most kernel activity appears to be suspended by outputting ipfw logged messages via the serial console (but not even the video console keeps up). The kernel doesn't even respond to a serial break. Once syslogd starts it captures the log messages and the boot continues at its normal pace.

I've a patch which moves the 'firewall_logging="YES"' processing to another script that depends on syslogd and is run on shutdown. If an rc guru can check that I've got the BEFORE condition right in the new script and then commit this fix I'd appreciate it.

Ian

--
Ian Freislich

Index: rc.d/Makefile =================================================================== RCS file: /home/ncvs/src/etc/rc.d/Makefile,v retrieving revision 1.81 diff -u -d -r1.81 Makefile --- rc.d/Makefile 9 Apr 2007 19:21:27 -0000 1.81 +++ rc.d/Makefile 11 Apr 2007 12:43:56 -0000 @@ -16,7 +16,7 @@ hcsecd \ hostapd hostid hostname \ idmapd inetd initrandom \ - ip6addrctl ip6fw ipfilter ipfs ipfw ipmon \ + ip6addrctl ip6fw ipfilter ipfs ipfw ipfw_logging ipmon \ ipnat ipsec ipxrouted isdnd \ jail \ kadmind kerberos kernel keyserv kldxref kpasswdd \ Index: rc.d/ipfw =================================================================== RCS file: /home/ncvs/src/etc/rc.d/ipfw,v retrieving revision 1.15 diff -u -d -r1.15 ipfw --- rc.d/ipfw 2 Apr 2007 15:38:53 -0000 1.15 +++ rc.d/ipfw 11 Apr 2007 13:41:23 -0000 
@@ -1,6 +1,6 @@ #!/bin/sh # -# $FreeBSD: src/etc/rc.d/ipfw,v 1.15 2007/04/02 15:38:53 mtm Exp $ +# $FreeBSD: src/etc/rc.d/ipfw,v 1.14 2006/12/31 10:37:18 yar Exp $ # # PROVIDE: ipfw @@ -22,11 +22,17 @@ # set the firewall rules script if none was specified [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall + # Make sure that logging is disabled. On a firewall with + # a busy ethernet, the console messages are sufficient to + # delay the boot process for a long time if logging is enabled + # before syslogd. Logging is enabled elsewhere. + sysctl net.inet.ip.fw.verbose=0 >/dev/null + if [ -r "${firewall_script}" ]; then if [ -f /etc/rc.d/natd ] ; then /etc/rc.d/natd start fi - /bin/sh "${firewall_script}" + . "${firewall_script}" echo 'Firewall rules loaded.' elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then echo 'Warning: kernel has firewall functionality, but' \ @@ -34,13 +40,6 @@ echo ' All ip services are disabled.' fi - # Firewall logging - # - if checkyesno firewall_logging; then - echo 'Firewall logging enabled.' - sysctl net.inet.ip.fw.verbose=1 >/dev/null - fi - # Enable the firewall # ${SYSCTL_W} net.inet.ip.fw.enable=1 Index: rc.d/ipfw_logging =================================================================== RCS file: rc.d/ipfw_logging diff -N rc.d/ipfw_logging --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ rc.d/ipfw_logging 11 Apr 2007 13:41:23 -0000 
@@ -0,0 +1,37 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +# PROVIDE: ipfw_logging +# REQUIRE: syslogd +# BEFORE: NETWORKING +# KEYWORD: nojail shutdown + +. /etc/rc.subr +. /etc/network.subr + +name="ipfw_logging" +rcvar="firewall_enable" +start_cmd="ipfw_logging_start" +stop_cmd="ipfw_logging_stop" +required_modules="ipfw" + +ipfw_logging_start() +{ + if checkyesno firewall_logging; then + echo 'Firewall logging enabled.' + sysctl net.inet.ip.fw.verbose=1 >/dev/null + fi +} + +ipfw_logging_stop() +{ + if checkyesno firewall_logging; then + echo 'Firewall logging disabled.' + sysctl net.inet.ip.fw.verbose=0 >/dev/null + fi +} + +load_rc_config $name +run_rc_command "$1"
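Review bot: the first rc.d/ipfw hunk (@@ -1,6 +1,6 @@) changes the `$FreeBSD$` keyword from `1.15 2007/04/02 15:38:53 mtm` back to `1.14 2006/12/31 10:37:18 yar`, which is a regression of the RCS id rather than part of the fix; it shows the diff was taken from a working copy older than the 1.15 it is diffed against. Drop this hunk and regenerate the patch from an up-to-date tree.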
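Review bot: in the second rc.d/ipfw hunk (@@ -22,11 +22,17 @@), besides adding `sysctl net.inet.ip.fw.verbose=0 >/dev/null`, the hunk replaces `/bin/sh "${firewall_script}"` with `. "${firewall_script}"`, i.e. it sources the rules script into the rc.d/ipfw shell instead of running it in a child shell. That is unrelated to logging and, together with the RCS id going from 1.15 back to 1.14, looks like an accidental revert of the 1.15 change; the hunk should carry only the sysctl addition. Style: the same file uses `${SYSCTL_W} net.inet.ip.fw.enable=1`, so the new line should be `${SYSCTL_W} net.inet.ip.fw.verbose=0` as well.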
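Review bot: in the new rc.d/ipfw_logging, `REQUIRE: syslogd` combined with `BEFORE: NETWORKING` is the ordering the cover note asks to have checked, and it is suspect. If syslogd is itself ordered after NETWORKING (in FreeBSD's rc.d, syslogd requires mountcritremote, which requires NETWORKING), these two lines ask rcorder(8) to place the script both after and before NETWORKING, and rcorder reports a circular dependency. Since the script only flips a sysctl once syslogd is up, the `BEFORE: NETWORKING` line is not needed; drop it and confirm with `rcorder /etc/rc.d/*` that ipfw_logging lands after syslogd. Minor: `. /etc/network.subr` is unused, `required_modules="ipfw"` duplicates what rc.d/ipfw already loads, and the two `sysctl` calls should use `${SYSCTL_W}` for consistency with rc.d/ipfw.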
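The cover note asks whether the BEFORE condition in the new script is right. What follows is an added example, not part of this e-mail or of FreeBSD's rcorder(8): a small rcorder-style checker that parses PROVIDE/REQUIRE/BEFORE headers, derives the boot order, and reports the scripts left unorderable by a cycle. The header texts in SCRIPTS are constructed stand-ins and assume that syslogd is ordered after mountcritremote, which is ordered after NETWORKING.

```python
import re

HDR = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", re.M)

def parse_headers(text):
    """Collect the rcorder(8) keywords from one script's leading comment block."""
    out = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, val in HDR.findall(text):
        out[key] += val.split()
    return out

def build_graph(scripts):
    """scripts: {name: text}. Edge a -> b means 'a must run before b'."""
    hdrs = {name: parse_headers(text) for name, text in scripts.items()}
    provider = {p: name for name, h in hdrs.items() for p in h["PROVIDE"]}
    edges = {name: set() for name in scripts}
    for name, h in hdrs.items():
        for r in h["REQUIRE"]:          # REQUIRE: r  -> provider of r runs first
            if r in provider:
                edges[provider[r]].add(name)
        for b in h["BEFORE"]:           # BEFORE: b   -> this script runs first
            if b in provider:
                edges[name].add(provider[b])
    return edges

def order_scripts(edges):
    """Kahn's algorithm: returns (boot_order, stuck); stuck = scripts on or behind a cycle."""
    indeg = {n: 0 for n in edges}
    for m in (m for n in edges for m in edges[n]):
        indeg[m] += 1
    ready = [n for n, d in indeg.items() if d == 0]
    order = []
    while ready:
        n = ready.pop()
        order.append(n)
        for m in edges[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
    return order, sorted(set(edges) - set(order))

# Constructed stand-ins for the real rc.d headers.  Assumption: syslogd is
# ordered after mountcritremote, which is ordered after NETWORKING.
SCRIPTS = {
    "ipfw": "#!/bin/sh\n# PROVIDE: ipfw\n",
    "NETWORKING": "# PROVIDE: NETWORKING NETWORK\n# REQUIRE: netif ipfw\n",
    "mountcritremote": "# PROVIDE: mountcritremote\n# REQUIRE: NETWORKING root\n",
    "syslogd": "# PROVIDE: syslogd\n# REQUIRE: mountcritremote\n",
    "ipfw_logging": "# PROVIDE: ipfw_logging\n# REQUIRE: syslogd\n# BEFORE: NETWORKING\n",
}
```

With the headers as posted, `order_scripts(build_graph(SCRIPTS))` can place only ipfw and leaves the other four scripts stuck behind the cycle; removing the BEFORE line yields a full order with ipfw_logging after syslogd.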