From owner-freebsd-net@FreeBSD.ORG Sat Dec 5 04:40:03 2009
Return-Path:
Delivered-To: freebsd-net@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 32399106566C for ; Sat, 5 Dec 2009 04:40:03 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 205C18FC08 for ; Sat, 5 Dec 2009 04:40:03 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id nB54e2gZ030972 for ; Sat, 5 Dec 2009 04:40:02 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id nB54e2DQ030970; Sat, 5 Dec 2009 04:40:02 GMT (envelope-from gnats)
Date: Sat, 5 Dec 2009 04:40:02 GMT
Message-Id: <200912050440.nB54e2DQ030970@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Jason Loretz
Cc:
Subject: Re: kern/132554: [ipl] There is no ippool start script/ipfilter magic to load them
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Jason Loretz
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 05 Dec 2009 04:40:03 -0000

The following reply was made to PR kern/132554; it has been noted by GNATS.
From: Jason Loretz
To: bug-followup@FreeBSD.org, axel@axel.truedestiny.net
Cc:
Subject: Re: kern/132554: [ipl] There is no ippool start script/ipfilter magic to load them
Date: Fri, 4 Dec 2009 23:10:12 -0500

The ippools feature is quite useful and it would be nice to have it start automatically with the IPF startup script (as part of FreeBSD rather than a system administrator insert/tweak). The actual functionality already exists in the current 7.1 release and just needs hooks to properly start up and reload/flush configurations in sync with ipfilter. It appears that this functionality should reside in the ipfilter rc.d script, since ippools will not work until "ipf -E" has been executed but also need to be configured previous to the "ipf -f" commands. Therefore I submit these diffs as a possible solution, which will provide the appropriate rc.conf options and modifications to rc.d/ipfilter to make it load and flush in the correct places during the ipf configuration.

I took a stab, though it needs work, at modifications to the firewall handbook page to include information on ippools. This no doubt will need some work if it can be included.

Thanks,
Jason

--- rc.conf.diff begins here --- --- /usr/src/etc/defaults/rc.conf 2008-11-24 21:59:29.000000000 -0500 +++ /etc/defaults/rc.conf 2009-11-30 20:43:10.000000000 -0500
@@ -152,6 +152,12 @@ ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="" # additional flags for ipfilter +ipfilter_ippool_enable="NO" # Set to YES to enable ippool functionality +ippool_program="/sbin/ippool" # where the ippool program lives +ippool_rules="/etc/ippool.conf" # rules definition file for ippool, see + # /usr/src/contrib/ipfilter/rules/pool.conf + # for example +ippool_flags="" # additional flags for ippool ipnat_enable="NO" # Set to YES to enable ipnat functionality ipnat_program="/sbin/ipnat" # where the ipnat program lives ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat --- rc.conf.diff ends here --- --- ipfilter.diff begins here --- --- /usr/src/etc/rc.d/ipfilter 2008-11-24 21:59:29.000000000 -0500 +++ /etc/rc.d/ipfilter 2009-12-01 09:19:43.000000000 -0500 @@ -33,6 +33,14 @@ if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then ${ipfilter_program:-/sbin/ipf} -E fi + if checkyesno ipfilter_ippool_enable; then + if [ -r "${ippool_rules}" ]; then + echo "Loading ippool rules." + ${ippool_program:-/sbin/ippool} \ + -f "${ippool_rules}" ${ippool_flags} + fi + fi + echo "Loading ipfilter rules." ${ipfilter_program:-/sbin/ipf} -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} \ 
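Review bot: the new knob `ipfilter_ippool_enable="NO"` in the defaults/rc.conf hunk breaks the `<tool>_enable` naming that the neighbouring `ipnat_enable`, `ipnat_program` and `ipnat_rules` follow, while its three companions are already named `ippool_program`, `ippool_rules` and `ippool_flags`; rename it to `ippool_enable` so the whole set is consistent and can be documented in rc.conf(5) next to the ipnat knobs. The `+++ /etc/defaults/rc.conf` file header also shows the diff was taken against the installed file rather than the source tree; a committer will want both sides of the header to reference /usr/src/etc/defaults/rc.conf.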
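Review bot: in the ipfilter_start hunk the pools are loaded with `ippool -f` only, with no preceding `ippool -F`, whereas the reload path in the next hunk flushes first; a `restart`, or a second `start` on a box where the `fr_running` check finds ipf already enabled, therefore loads the pool file on top of whatever pools are already in the kernel rather than into a known-empty table, so either flush here as reload does or flush the pools in ipfilter_stop. Separately, when `ipfilter_ippool_enable` is YES but `${ippool_rules}` is not readable, the `[ -r ... ]` test skips the load silently and the `ipf -f` that follows is then fed rules referencing pools that were never created, leaving a quietly incomplete rule set; add an `else` branch that calls `warn` (from rc.subr) so the problem is visible in the boot log, for example `warn "ippool rules file ${ippool_rules} not readable"`.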
@@ -58,8 +66,16 @@ ipfilter_reload() { - echo "Reloading ipfilter rules." + if checkyesno ipfilter_ippool_enable; then + if [ -r "${ippool_rules}" ]; then + echo "Reloading ippool rules." + ${ippool_program:-/sbin/ippool} -F + ${ippool_program:-/sbin/ippool} \ + -f "${ippool_rules}" ${ippool_flags} + fi + fi + echo "Reloading ipfilter rules." ${ipfilter_program:-/sbin/ipf} -I -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -I \ --- ipfilter.diff ends here --- --- chapter.sgml.diff begins here --- --- /usr/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml 2009-11-27 12:11:33.000000000 -0500 +++ /tmp/chapter.sgml 2009-12-04 20:19:23.000000000 -0500 @@ -653,6 +653,16 @@ # v = log tcp window, ack, seq # n = map IP & port to names + If the use of ippools is desired, the following lines need to be + added to enable the ippool functionality: + + ipfilter_ippool_enable="NO" # Set to YES to enable ippool functionality +ippool_program="/sbin/ippool" # where the ippool program lives +ippool_rules="/etc/ippool.conf" # rules definition file for ippool, see + # /usr/src/contrib/ipfilter/rules/pool.conf + # for example +ippool_flags="" # additional flags for ippool + If there is a LAN behind this firewall that uses the reserved private IP address ranges, the following lines will have to be added to enable NAT @@ -701,6 +711,26 @@ + IPPOOL + + ippool + + The &man.ippool.8; command is used to load your ippool + configuration file. The following commands can be used to flush + the loaded pools from the kernel and then load a pool configuration + from a file: + + &prompt.root; ippool -F + &prompt.root; ippool -f /etc/ippool.conf + + See the &man.ippool.8; manual page for details on the other + flags available with this command. + + The &man.ippool.8; command expects the configuration file to be a + standard text file. + + + IPFSTAT ipfstat --- chapter.sgml.diff ends here ---
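Review bot: in the ipfilter_reload hunk the live pool table is emptied with `ippool -F` and refilled with `ippool -f` before the new rule set has even been staged (`ipf -I -Fa` and `ipf -I -f` act on the inactive set, and the swap to it happens later in this function), so the still-active rules run against an empty and then a changed pool table for the whole length of the reload. At minimum that window should be stated in a comment above the `-F`; better, load the new pool definitions without the flush before `ipf -I -f` so the staged rules can resolve them, and only remove pools the new file no longer defines after the rule swap, if ippool allows loading a definition for a pool that already exists.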
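Review bot: the first chapter.sgml hunk says these lines "need to be added to enable the ippool functionality" and then shows `ipfilter_ippool_enable="NO"`, which is exactly the default the rc.conf hunk installs in /etc/defaults/rc.conf and enables nothing; show `="YES"` here. The `ippool_program`, `ippool_rules` and `ippool_flags` lines repeat those defaults verbatim and only need to appear if the reader is expected to change them, so either drop them or mark them optional, and indent the listing consistently (only the first line is indented, the rest are flush left).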
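Review bot: the new IPPOOL section in the second chapter.sgml hunk shows how to flush and load pools but never says what a pool is or how a rule in ipfilter_rules refers to one, and the closing sentence that ippool "expects the configuration file to be a standard text file" adds nothing; replace it with a short pool definition and one ipf rule that uses it, or at least point the reader at the sample file /usr/src/contrib/ipfilter/rules/pool.conf that the rc.conf hunk already cites. It is also worth saying here that, because the rc.d change loads ippool_rules before ipfilter_rules, pools referenced from the rule file must be defined in ippool_rules for the boot-time load to succeed; the manual `ippool -F` / `ippool -f` pair shown is for interactive changes, not a substitute for that.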