Date: Wed, 14 Jan 2009 18:24:13 GMT
From: "G. Paul Ziemba" <p-fbsd-bugs@ziemba.us>
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/130555: [patch] No good way to set ipfilter variables at boot time
Message-ID: <200901141824.n0EIODPj042564@www.freebsd.org>
Resent-Message-ID: <200901141830.n0EIU2Sr010363@freefall.freebsd.org>
>Number: 130555
>Category: conf
>Synopsis: [patch] No good way to set ipfilter variables at boot time
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 14 18:30:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: G. Paul Ziemba
>Release: 7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD foo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 11 23:08:18 PST 2008 root@foo:/usr/obj/usr/src/sys/GPZ i386
>Description:
ipfilter has a number of tunable variables (run "ipf -T list" to see the list). Although many (all?) of these are made available via sysctl, it is not possible to configure them in the context of the current /etc/rc.conf or /etc/sysctl.conf arrangements due to the following constraints/interactions:

1. Some of the tunables can be set only if ipfilter is disabled.
2. The current /etc/rc.d/ipfilter startup script enables ipfilter and causes it to load the filter rules before doing anything about ipfilter_flags, which might theoretically be set to "-D -T <foo> -E".
3. You could try ipfilter_flags="-D -T <foo> -E -f ${ipfilter_rules}" to reload the rules. However, ipfilter_flags are also used for the reload and resync commands of the startup script (i.e., later on), so you run into...
4. Disabling ipfilter not only flushes existing configured filter rules, it also flushes any configured NAT rules (loaded independently via /etc/rc.d/ipnat).
5. /etc/sysctl.conf is processed after /etc/rc.d/ipfilter runs, so ipfilter tunables set in sysctl.conf fail due to ipfilter being enabled.
6. Oh, and they can't be set in /boot/loader.conf either.

Here is a fix that allows variables to be specified in /etc/rc.conf so they will be set early in the /etc/rc.d/ipfilter script.
>How-To-Repeat:
>Fix:
Patch attached

Patch attached with submission follows:

diff -ruN etc.orig/defaults/rc.conf etc.new/defaults/rc.conf --- etc.orig/defaults/rc.conf 2008-11-12 08:27:20.000000000 -0800 +++ etc.new/defaults/rc.conf 2009-01-14 09:46:23.000000000 -0800 @@ -152,6 +152,7 @@ ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="" # additional flags for ipfilter +ipfilter_variables="" # <optionlist> for -T, see ipf(8) ipnat_enable="NO" # Set to YES to enable ipnat functionality ipnat_program="/sbin/ipnat" # where the ipnat program lives ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat diff -ruN etc.orig/rc.d/ipfilter etc.new/rc.d/ipfilter --- etc.orig/rc.d/ipfilter 2008-01-27 23:55:44.000000000 -0800 +++ etc.new/rc.d/ipfilter 2009-01-14 09:43:34.000000000 -0800 @@ -30,6 +30,14 @@ ipfilter_start() { echo "Enabling ipfilter." + if [ ! -z "${ipfilter_variables}" ]; then + # Can set ipfilter variables only when it is disabled, + # which flushes filter and nat rules + if [ `sysctl -n net.inet.ipf.fr_running` -gt 0 ]; then + ${ipfilter_program:-/sbin/ipf} -D + fi + ${ipfilter_program:-/sbin/ipf} -T "${ipfilter_variables}" + fi if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then ${ipfilter_program:-/sbin/ipf} -E fi

>Release-Note:
>Audit-Trail:
>Unformatted:
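Review bot: the new ipfilter_variables knob added in the etc/defaults/rc.conf hunk has no matching rc.conf(5) manual page change in this patch, so the one-line comment `# <optionlist> for -T, see ipf(8)` is the only documentation a user will find. Suggest adding an rc.conf(5) entry next to ipfilter_flags stating that the value is passed verbatim as the argument of `ipf -T`, and, as the rc.d hunk's own comment notes, that setting it makes ipfilter_start disable ipfilter first, which flushes any filter and NAT rules already loaded.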
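Review bot: the exit status of `${ipfilter_program:-/sbin/ipf} -T "${ipfilter_variables}"` in the ipfilter_start hunk is never checked, so a misspelled or unsettable tunable is silently ignored and the script goes on to run -E and load the rules as if the variables had taken effect; worse, by that point the hunk may already have run -D and flushed the NAT rules loaded by /etc/rc.d/ipnat (the case whenever ipfilter_start runs with fr_running > 0, e.g. on restart), and nothing in the hunk restores them. Suggest reporting a failed -T with rc.subr's warn, e.g. `${ipfilter_program:-/sbin/ipf} -T "${ipfilter_variables}" || warn "ipfilter: failed to set ${ipfilter_variables}"`, and printing a notice after the -D branch that ipnat rules were flushed and ipnat needs restarting. Minor: `[ ! -z "${ipfilter_variables}" ]` reads more clearly as `[ -n "${ipfilter_variables}" ]`.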