Date: Fri, 26 Jun 2009 09:43:26 +0100 (BST)
From: Robert Watson
To: Doug Barton
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
In-Reply-To: <200906260104.n5Q14pRu070043@svn.freebsd.org>
Subject: Re: svn commit: r195026 - head/etc/rc.d

On Fri, 26 Jun 2009, Doug Barton wrote:

> Reverse the effect of r193198 for pf and ipfw which will once again
> allow them to start after netif. There were too many problems reported
> with this change in the short period of time that it lived in HEAD, and
> we are too late in the release cycle to properly shake it out.
>
> IMO the issue of having the firewalls up before the network is still a
> valid concern, particularly for pf whose default state is wide open.
> However properly solving this issue is going to take some investment
> on the part of the people who actually use those tools.

This sounds right to me, FWIW -- being able to fully configure the policy before network traffic starts is definitely right in the abstract, it's just a question of getting there...

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> This is not a strict reversion of all the changes for r193198 since it
> also included some simplification of the BEFORE/REQUIRE logic which is
> still valid for ipfilter and ip6fw.
> > Modified: > head/etc/rc.d/NETWORKING > head/etc/rc.d/ipfw > head/etc/rc.d/netif > head/etc/rc.d/pf > head/etc/rc.d/pflog > head/etc/rc.d/pfsync > > Modified: head/etc/rc.d/NETWORKING > ============================================================================== > --- head/etc/rc.d/NETWORKING Fri Jun 26 01:01:50 2009 (r195025) > +++ head/etc/rc.d/NETWORKING Fri Jun 26 01:04:50 2009 (r195026) > @@ -4,7 +4,7 @@ > # > > # PROVIDE: NETWORKING NETWORK > -# REQUIRE: netif netoptions routing network_ipv6 ppp > +# REQUIRE: netif netoptions routing network_ipv6 ppp ipfw > # REQUIRE: defaultroute routed mrouted route6d mroute6d resolv > > # This is a dummy dependency, for services which require networking > > Modified: head/etc/rc.d/ipfw > ============================================================================== > --- head/etc/rc.d/ipfw Fri Jun 26 01:01:50 2009 (r195025) > +++ head/etc/rc.d/ipfw Fri Jun 26 01:04:50 2009 (r195026) > @@ -4,7 +4,7 @@ > # > > # PROVIDE: ipfw > -# REQUIRE: FILESYSTEMS > +# REQUIRE: ppp > # KEYWORD: nojail > > . /etc/rc.subr > > Modified: head/etc/rc.d/netif > ============================================================================== > --- head/etc/rc.d/netif Fri Jun 26 01:01:50 2009 (r195025) > +++ head/etc/rc.d/netif Fri Jun 26 01:04:50 2009 (r195026) > @@ -27,7 +27,7 @@ > > # PROVIDE: netif > # REQUIRE: atm1 cleanvar FILESYSTEMS serial sppp sysctl > -# REQUIRE: ipfilter ipfs pf ipfw > +# REQUIRE: ipfilter ipfs > # KEYWORD: nojail > > . /etc/rc.subr > > Modified: head/etc/rc.d/pf > ============================================================================== > --- head/etc/rc.d/pf Fri Jun 26 01:01:50 2009 (r195025) > +++ head/etc/rc.d/pf Fri Jun 26 01:04:50 2009 (r195026) 
> @@ -4,7 +4,7 @@ > # > > # PROVIDE: pf > -# REQUIRE: FILESYSTEMS pflog pfsync > +# REQUIRE: FILESYSTEMS netif pflog pfsync > # BEFORE: routing > # KEYWORD: nojail > > > Modified: head/etc/rc.d/pflog > ============================================================================== > --- head/etc/rc.d/pflog Fri Jun 26 01:01:50 2009 (r195025) > +++ head/etc/rc.d/pflog Fri Jun 26 01:04:50 2009 (r195026) > @@ -4,7 +4,7 @@ > # > > # PROVIDE: pflog > -# REQUIRE: FILESYSTEMS cleanvar > +# REQUIRE: FILESYSTEMS netif cleanvar > # KEYWORD: nojail > > . /etc/rc.subr > > Modified: head/etc/rc.d/pfsync > ============================================================================== > --- head/etc/rc.d/pfsync Fri Jun 26 01:01:50 2009 (r195025) > +++ head/etc/rc.d/pfsync Fri Jun 26 01:04:50 2009 (r195026) > @@ -4,7 +4,7 @@ > # > > # PROVIDE: pfsync > -# REQUIRE: FILESYSTEMS > +# REQUIRE: FILESYSTEMS netif > # KEYWORD: nojail > > . /etc/rc.subr >
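Review bot: In head/etc/rc.d/ipfw the new REQUIRE line names only ppp and drops FILESYSTEMS, so both the filesystem dependency and the "start after netif" ordering described in the commit message now hold only transitively, through whatever ppp requires. The pf, pflog and pfsync hunks keep FILESYSTEMS and add netif explicitly; stating the same here, for example `# REQUIRE: FILESYSTEMS netif ppp`, would make the intended ordering visible in the script and keep it from shifting if ppp's own dependencies change.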
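Review bot: In head/etc/rc.d/netif the second REQUIRE line keeps ipfilter and ipfs while pf and ipfw are removed, so ipfilter still loads before interfaces are configured and the other two packet filters load after. The commit message explains that split, but the script does not; a short comment above `# REQUIRE: ipfilter ipfs` recording why only these remain would stop the asymmetry from being "cleaned up" in either direction later.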
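Review bot: In head/etc/rc.d/pf, adding netif to REQUIRE while keeping `# BEFORE: routing` means interfaces are configured before any pf ruleset is loaded, and the commit message itself calls pf's default state wide open. That window deserves a comment next to the REQUIRE line saying the ordering is a deliberate trade-off, so the concern raised in the message stays attached to the code. Since pflog and pfsync both gain netif in this commit and pf already requires them, the explicit netif here is redundant for ordering; keeping it is fine for clarity, but the comment should say so.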