Date: Tue, 19 Jun 2007 00:30:12 GMT
From: Sean McNeil <sean@mcneil.com>
To: freebsd-ipfw@FreeBSD.org
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it
Message-ID: <200706190030.l5J0UCOs082451@freefall.freebsd.org>
The following reply was made to PR conf/78762; it has been noted by GNATS.

From: Sean McNeil <sean@mcneil.com>
To: bug-followup@FreeBSD.org, jonw@whoweb.com
Cc:
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it
Date: Mon, 18 Jun 2007 17:05:45 -0700

This is a bad idea and has broken the new feature of rcNG allowing us to place options into /etc/rc.conf.d/ipfw and /etc/rc.conf.d/ip6fw. The commits to src/etc/rc.d/ipfw revision 1.15 and src/etc/rc.d/ip6fw 1.9 have now broken this basic concept.

IMHO, the correct thing is: Don't use exit in your firewall script. I offer 3 solutions, however, below.

What has been broken:

/etc/rc.conf.d/ipfw

    firewall_enable="YES"
    firewall_type="/etc/fw/rc.firewall.rules"

/etc/rc.conf.d/ip6fw

    ipv6_firewall_enable="YES"
    ipv6_firewall_type="/etc/fw/rc.firewall6.rules"

Now, this no longer works and I must once again pollute and move more stuff back into /etc/rc.conf. Namely,

    firewall_type="/etc/fw/rc.firewall.rules"
    ipv6_firewall_type="/etc/fw/rc.firewall6.rules"

must now be in /etc/rc.conf or /etc/rc.conf.local.

Solution:

1) revert to sourcing the rc.firewall script.
2) Fix rc.firewall and rc.firewall6 to somehow get stuff from /etc/rc.conf.d as it should (as ipfw and ip6fw?).
3) completely remove rc.conf.d support as more things fail to work with it.
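The trade-off discussed in the message above, as an added shell example that is not part of the original message or of FreeBSD's rc scripts. The temp-dir layout, the stand-in rc.firewall and the run_rcd function are constructed for illustration, and load_rc_config is modelled by sourcing a single conf.d file.

```shell
#!/bin/sh
# Constructed model: everything lives in a temp dir; nothing under /etc is touched.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/rc.conf.d"

# Per-service settings, as in the message's /etc/rc.conf.d/ipfw.
cat > "$demo_dir/rc.conf.d/ipfw" <<'EOF'
firewall_enable="YES"
firewall_type="/etc/fw/rc.firewall.rules"
EOF

# Stand-in for $firewall_script: reports the setting it sees, then calls exit.
cat > "$demo_dir/rc.firewall" <<'EOF'
echo "type=${firewall_type:-UNSET}"
exit 0
EOF

# run_rcd MODE: model the rc.d script body. MODE "source" reads the firewall
# script into the current shell; MODE "exec" runs it as a child process.
run_rcd() {
    (
        unset firewall_type firewall_enable
        . "$demo_dir/rc.conf.d/ipfw"      # simplified stand-in for load_rc_config
        if [ "$1" = source ]; then
            . "$demo_dir/rc.firewall"     # same shell: variables visible, exit ends caller
        else
            sh "$demo_dir/rc.firewall"    # child: unexported variables are not inherited
        fi
        echo "caller continued"
    )
}

echo "--- sourced ---";  run_rcd source
echo "--- executed ---"; run_rcd exec
```

Sourcing sees the rc.conf.d value but the script's exit ends the calling shell; executing keeps the caller alive but the child never sees the unexported firewall_type.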