From owner-freebsd-bugs Sun Apr 1 14:20: 6 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 0FECE37B71B for ; Sun, 1 Apr 2001 14:20:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f31LK2P32743; Sun, 1 Apr 2001 14:20:02 -0700 (PDT) (envelope-from gnats)
Received: from zhukov.chaotical.ly (zhukov.chaotical.ly [208.11.244.15]) by hub.freebsd.org (Postfix) with ESMTP id A1ED537B71B for ; Sun, 1 Apr 2001 14:12:11 -0700 (PDT) (envelope-from helix@zhukov.chaotical.ly)
Received: by zhukov.chaotical.ly (Postfix, from userid 5001) id 208831936E; Sun, 1 Apr 2001 17:12:12 -0400 (EDT)
Message-Id: <20010401211212.208831936E@zhukov.chaotical.ly>
Date: Sun, 1 Apr 2001 17:12:12 -0400 (EDT)
From: thomas+freebsd@stromberg.org
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/26275: IPFilter doesn't load module if ipfilter_enable is in rc.conf
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         26275
>Category:       conf
>Synopsis:       ipfilter_enable in rc.conf does not load kld
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 01 14:20:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Stromberg
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:   Research Triangle Commerce, Inc. (ICC.net)
>Environment:
System: FreeBSD zhukov.chaotical.ly 5.0-CURRENT FreeBSD 5.0-CURRENT #3: Mon Mar 26 17:13:07 EST 2001 helix@zhukov.chaotical.ly:/usr/obj/usr/src/sys/GEORGI i386
FreeBSD grouper.aquarium.rtci.com 4.3-BETA FreeBSD 4.3-BETA #1: Thu Mar 15 18:09:40 EST 2001 tstromberg@grouper.aquarium.rtci.com:/usr/obj/usr/src/sys/GROUPER i386
FreeBSD localhost 4.3-RC FreeBSD 4.3-RC #0: Thu Mar 29 22:51:39 CEST 2001 root@localhost:/usr/obj/usr/src/sys/GENERIC i386
FreeBSD crackwhore.slush.ca 4.3-RC FreeBSD 4.3-RC #0: Sun Apr 1 14:34:52 MDT 2001 root@moo.powersurfr.com:/usr/src/sys/compile/booger2 i386
>Description:
ipfilter_enable and ipnat_enable in rc.conf are next to useless, because:

1) ipfilter_enable will only work if it's built into the kernel. Unlike ipfw, it will not test to see if it's loaded, and load its kernel module. This definitely breaks the 'principle of least surprise'.

2) ipnat_enable will only work if /etc/ipf.rules exists. This assumption does not work very well for people who are just setting up a basic NAT, and don't need to (yet) set up any firewalling. This is definitely a big support problem on the IRC channels.

The patch included fixes both of these problems.
I'd love to see this committed for 4.3-RELEASE, to save on all the confusion we have in #FreeBSDhelp.
>How-To-Repeat:
Set ipfilter_enable="YES" in /etc/rc.conf. Reboot. Run kldstat; you will see that the ipl module is not loaded. Even if you do have it in your kernel, ipnat will not enable without ipf.rules.
>Fix:
This patch applies cleanly to 4.3-RC, and 5.0-CURRENT
--- /usr/src/etc/rc.network Tue Mar 20 17:52:05 2001 +++ rc.network Sun Apr 1 16:15:04 2001 @@ -62,10 +62,30 @@ # case "${ipfilter_enable}" in [Yy][Ee][Ss]) - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} + # Some hackery to get just the bare program name. + ipfilter_binary=`echo ${ipfilter_program} | cut -d" " -f1` + + if ${ipfilter_binary} -Z > /dev/null 2>&1; then + ipf_loaded=1 + else + if kldload ipl > /dev/null; then + ipf_loaded=1 + echo 'IPFilter module loaded' + else + echo 'Warning: IPFilter kernel module failed to load' + fi + fi + + if [ ${ipf_loaded} ]; then + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter'; + ${ipfilter_program:-/sbin/ipf -Fa -f} \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + case "${ipmon_enable}" in [Yy][Ee][Ss]) echo -n ' ipmon' @@ -83,9 +103,6 @@ fi ;; esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' fi ;; esac
>Release-Note:
>Audit-Trail:
>Unformatted:
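Review bot: In the @@ -62,10 +62,30 @@ hunk, the kldload failure branch only prints 'Warning: IPFilter kernel module failed to load' and leaves ipfilter_enable="YES", while the old else path (and the new missing-rules path) reset it to "NO"; anything later in rc.network that keys on ipfilter_enable will then treat the filter as active when no module is loaded, which is the worse failure for a firewall script. Suggest adding `ipfilter_enable="NO"` beside that warning echo. Two smaller points in the same hunk: `${ipfilter_binary} -Z` is used purely as a presence probe, but ipf -Z zeroes the kernel's IP Filter statistics as a side effect on every boot, so a read-only invocation would be preferable; and `ipfilter_binary` is derived from `${ipfilter_program}` without the `/sbin/ipf -Fa -f` default that the invocation a few lines below relies on, so with ipfilter_program unset the probe runs a bare `-Z` and always falls through to kldload.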
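Review bot: In the @@ -83,9 +103,6 @@ hunk, dropping the outer else branch is consistent with the first hunk re-adding the same three lines inside the ipf_loaded block, but as far as these hunks show it leaves the PR's second complaint unaddressed: the missing-rules path still sets ipfilter_enable="NO" and prints ' NO IPF RULES' exactly as before, so if the ipnat section keys on ipfilter_enable, ipnat still will not start without /etc/ipf.rules. Either the ipnat section needs its own change in this patch, or the description's claim that it fixes both problems should be narrowed to the module loading.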