Date: Wed, 11 Mar 2009 19:16:26 +0100 (CET)
From: axel@axel.truedestiny.net
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/132554: There is no ippool start script/ipfilter magic to load them
Message-ID: <200903111816.n2BIGQfb023609@taliesin.thuis.net>
Resent-Message-ID: <200903111820.n2BIK0V4027129@freefall.freebsd.org>
>Number:         132554
>Category:       kern
>Synopsis:       There is no ippool start script/ipfilter magic to load them
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 11 18:20:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:
>Release:        FreeBSD 7.1-RELEASE-p3 i386
>Organization:
Private home user
>Environment:
System: FreeBSD taliesin.thuis.net 7.1-RELEASE-p3 FreeBSD 7.1-RELEASE-p3 #1: Tue Feb 17 14:34:30 CET 2009 axel@awen.thuis.net:/usr/obj/usr/src/sys/TALIESIN i386
>Description:
When using IPFilter there is a way to store ip pools, sort of like pf tables, in a configuration file (/etc/ippool.conf) which you can use in your ruleset. See manpages for ippool for details.

These pools should be loaded before the ruleset, but there is no /etc/rc.d/ippool or magic in /etc/rc.d/ipfilter to do so. I've created this small quick 'n dirty diff for /etc/rc.d/ipfilter. I don't know if it's better to include a separate startup script, since these pools are kind of static: you can't edit them on the fly without having to reload ipfilter anyway. :(

--- ipfilter.orig	2009-03-11 16:31:53.000000000 +0100
+++ ipfilter	2009-03-11 16:34:51.000000000 +0100
@@ -33,6 +33,11 @@
 	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
 		${ipfilter_program:-/sbin/ipf} -E
 	fi
+	# load ippools if needed
+	if [ -f /etc/ippool.conf ]; then
+		/sbin/ippool -F
+		/sbin/ippool -f /etc/ippool.conf
+	fi
 	${ipfilter_program:-/sbin/ipf} -Fa
 	if [ -r "${ipfilter_rules}" ]; then
 		${ipfilter_program:-/sbin/ipf} \
>How-To-Repeat:
Create an ip pool in /etc/ippool.conf, use it in your ipfilter rules and see they're not loaded.
>Fix:
Either fiddle in the magic in /etc/rc.d/ipfilter or provide an /etc/rc.d/ippool
>Release-Note:
>Audit-Trail:
>Unformatted:
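Review bot: the added lines hardcode /sbin/ippool and /etc/ippool.conf where the surrounding context parameterises both the binary (`${ipfilter_program:-/sbin/ipf}`) and the rules path (`${ipfilter_rules}`); an rc.conf knob in the same style (say `ippool_rules="/etc/ippool.conf"`, tested with `-r` like the existing `[ -r "${ipfilter_rules}" ]`) would fit the script better. The exit status of `/sbin/ippool -f /etc/ippool.conf` is also not checked, so a syntax error in the pool file leaves the pools flushed by `-F` and then loads the ruleset that references them without any message; test the result and warn before continuing to the rules.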
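The ordering the report asks for (pools first, then the ruleset), written as an added sh function that is not the submitter's patch nor FreeBSD's /etc/rc.d/ipfilter. It syntax-checks the pool file before flushing anything, which assumes ippool(8) accepts -n (no-change) for a dry-run parse; IPPOOL and IPF are variables only so that stub commands can be substituted for testing.

```shell
#!/bin/sh
# Added example, not the submitter's patch and not FreeBSD's /etc/rc.d/ipfilter.
# Loads IP pools before the IPFilter ruleset, but parses the pool file first so
# a broken /etc/ippool.conf never leaves the host with flushed pools and a
# ruleset that still references them.
# Assumption: ippool(8) accepts -n (no-change) for a dry-run parse, as ipf(8) does.
# IPPOOL and IPF are variables so a test can substitute stub commands.

IPPOOL="${IPPOOL:-/sbin/ippool}"
IPF="${IPF:-/sbin/ipf}"

# ipf_load_pools_and_rules POOLFILE RULEFILE
# Exit status: 0 ok, 1 pool file invalid (nothing touched),
#              2 pool load failed, 3 rule flush/load failed.
ipf_load_pools_and_rules() {
	poolfile=$1
	rulefile=$2

	if [ -r "$poolfile" ]; then
		# Dry-run parse before flushing anything.
		if ! "$IPPOOL" -n -f "$poolfile" >/dev/null 2>&1; then
			echo "ipfilter: $poolfile does not parse, pools and rules left unchanged" >&2
			return 1
		fi
		# Same flush-then-load sequence as the submitted diff.
		"$IPPOOL" -F >/dev/null 2>&1
		"$IPPOOL" -f "$poolfile" || {
			echo "ipfilter: loading pools from $poolfile failed" >&2
			return 2
		}
	fi

	# Same steps /etc/rc.d/ipfilter takes for the ruleset itself.
	"$IPF" -Fa || return 3
	if [ -r "$rulefile" ]; then
		"$IPF" -f "$rulefile" || {
			echo "ipfilter: loading rules from $rulefile failed" >&2
			return 3
		}
	fi
	return 0
}

# Usage from an rc script:  ipf_load_pools_and_rules /etc/ippool.conf /etc/ipf.rules
```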