From owner-freebsd-bugs@FreeBSD.ORG Wed Jan 14 18:30:02 2009
Date: Wed, 14 Jan 2009 18:24:13 GMT
Message-Id: <200901141824.n0EIODPj042564@www.freebsd.org>
From: "G. Paul Ziemba"
To: freebsd-gnats-submit@FreeBSD.org
Subject: conf/130555: [patch] No good way to set ipfilter variables at boot time

>Number:         130555
>Category:       conf
>Synopsis:       [patch] No good way to set ipfilter variables at boot time
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 14 18:30:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     G. Paul Ziemba
>Release:        7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD foo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 11 23:08:18 PST 2008 root@foo:/usr/obj/usr/src/sys/GPZ i386
>Description:
ipfilter has a number of tunable variables (run "ipf -T list" to see the list). Although many (all?) of these are made available via sysctl, it is not possible to configure them in the context of the current /etc/rc.conf or /etc/sysctl.conf arrangements due to the following constraints/interactions:

1. Some of the tunables can be set only if ipfilter is disabled.

2. The current /etc/rc.d/ipfilter startup script enables ipfilter and causes it to load the filter rules before doing anything about ipfilter_flags, which might theoretically be set to "-D -T -E".

3. You could try ipfilter_flags="-D -T -E -f ${ipfilter_rules}" to reload the rules. However, ipfilter_flags are also used for the reload and resync commands of the startup script (i.e., later on), so you run into...

4. Disabling ipfilter not only flushes existing configured filter rules, it also flushes any configured NAT rules (loaded independently via /etc/rc.d/ipnat).

5. /etc/sysctl.conf is processed after /etc/rc.d/ipfilter runs, so ipfilter tunables set in sysctl.conf fail due to ipfilter being enabled.

6. Oh, and they can't be set in /boot/loader.conf either.

Here is a fix that allows variables to be specified in /etc/rc.conf so they will be set early in the /etc/rc.d/ipfilter script.
>How-To-Repeat:
>Fix:
Patch attached

Patch attached with submission follows:

diff -ruN etc.orig/defaults/rc.conf etc.new/defaults/rc.conf --- etc.orig/defaults/rc.conf 2008-11-12 08:27:20.000000000 -0800 +++ etc.new/defaults/rc.conf 2009-01-14 09:46:23.000000000 -0800 @@ -152,6 +152,7 @@ ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="" # additional flags for ipfilter +ipfilter_variables="" # for -T, see ipf(8) ipnat_enable="NO" # Set to YES to enable ipnat functionality ipnat_program="/sbin/ipnat" # where the ipnat program lives ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat diff -ruN etc.orig/rc.d/ipfilter etc.new/rc.d/ipfilter --- etc.orig/rc.d/ipfilter 2008-01-27 23:55:44.000000000 -0800 +++ etc.new/rc.d/ipfilter 2009-01-14 09:43:34.000000000 -0800 @@ -30,6 +30,14 @@ ipfilter_start() { echo "Enabling ipfilter." + if [ ! -z "${ipfilter_variables}" ]; then + # Can set ipfilter variables only when it is disabled, + # which flushes filter and nat rules + if [ `sysctl -n net.inet.ipf.fr_running` -gt 0 ]; then + ${ipfilter_program:-/sbin/ipf} -D + fi + ${ipfilter_program:-/sbin/ipf} -T "${ipfilter_variables}" + fi if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then ${ipfilter_program:-/sbin/ipf} -E fi

>Release-Note:
>Audit-Trail:
>Unformatted:
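Review bot: the comment on the new defaults/rc.conf line, `ipfilter_variables="" # for -T, see ipf(8)`, leaves out the two things an administrator needs to know before using it: the whole string is handed to "ipf -T" as a single argument (so it is the name=value list that ipf(8) documents for -T), and, as the rc.d hunk's own comment says, setting it at start time disables and re-enables ipfilter, flushing the filter and NAT rules. Suggest saying both in the comment, e.g. `ipfilter_variables="" # tunables for "ipf -T"; applying them disables/re-enables ipf`, and adding the variable to rc.conf(5).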
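Review bot: the exit status of `${ipfilter_program:-/sbin/ipf} -T "${ipfilter_variables}"` is never checked, so a mistyped tunable name fails silently and ipfilter_start goes on to `-E` and loads the rules as if the setting had taken effect; test the return value and at least warn (or return from ipfilter_start) before enabling. In the `-gt 0` branch the `-D` also flushes the NAT rules that /etc/rc.d/ipnat loaded, exactly as the comment says, but nothing reloads them afterwards, so a restart of this script with ipfilter_variables set leaves the host with filter rules and no NAT rules; either reload ${ipnat_rules} after re-enabling or document that ipnat must be restarted as well. Minor: `[ ! -z "${ipfilter_variables}" ]` is conventionally written `[ -n "${ipfilter_variables}" ]`.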
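An added example, not part of this PR or its patch: an rc.d-style helper that applies the tunables the way the description requires (disable, set, re-enable) and also covers the restart case from item 4, where "ipf -D" flushes the NAT rules loaded by /etc/rc.d/ipnat, so both rule files are reloaded and a failed "ipf -T" is reported instead of ignored. It assumes the net.inet.ipf.fr_running sysctl and the ipf -D/-E/-T flags used by the patch, plus "ipf -Fa -f" and "ipnat -CF -f" to reload the rule files; the function names and the rc.conf variable defaults are mine.

```sh
# Added example (not the PR's patch): apply ipfilter tunables from an rc.d-style
# script. "ipf -T" only works while ipfilter is disabled, and "ipf -D" flushes both
# the filter rules and the NAT rules, so the restart case must reload both files.

: "${ipfilter_program:=/sbin/ipf}"
: "${ipnat_program:=/sbin/ipnat}"
: "${ipfilter_rules:=/etc/ipf.rules}"
: "${ipnat_rules:=/etc/ipnat.rules}"

# True when ipfilter is enabled in the kernel; empty sysctl output (module not
# loaded) is treated as "not running" instead of breaking the test expression.
ipf_running() {
    running=$(sysctl -n net.inet.ipf.fr_running 2>/dev/null)
    [ "${running:-0}" -gt 0 ]
}

# ipf_apply_variables "<tunables>": $1 is the ipfilter_variables value, passed
# as one argument to "ipf -T" (name=value pairs as shown by "ipf -T list").
# Returns non-zero if any step fails so the caller does not carry on as if the
# settings had been applied.
ipf_apply_variables() {
    vars=$1
    [ -n "$vars" ] || return 0              # nothing configured, nothing to do
    was_running=0
    if ipf_running; then
        was_running=1
        "$ipfilter_program" -D || return 1  # required before -T; flushes rules
    fi
    if ! "$ipfilter_program" -T "$vars"; then
        echo "ipfilter: could not set tunables '$vars'" >&2
        return 1
    fi
    # Fresh boot: leave ipfilter disabled; the normal start path enables it and
    # loads the filter rules afterwards.
    [ "$was_running" -eq 1 ] || return 0
    # Restart: -D flushed everything, so re-enable and reload filter and NAT rules.
    "$ipfilter_program" -E || return 1
    "$ipfilter_program" -Fa -f "$ipfilter_rules" || return 1
    "$ipnat_program" -CF -f "$ipnat_rules"
}
```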