Date: Wed, 24 Oct 2001 11:28:19 -0700
From: "R.P. Aditya"
To: freebsd-security@freebsd.org
Cc: freebsd-mobile@freebsd.org
Subject: ipfilter resync on pccard_ether insertions?
Message-ID: <20011024112819.A27379@mighty.grot.org>

Hi,

AFAIK, any time a new interface is added, ipfilter needs to be "resynced" with an "ipf -y":

     -y      Manually resync the in-kernel interface list maintained by IP Filter with the current interface status list.

To facilitate this for pccard interfaces, I made some local changes to /etc/defaults/rc.conf and /etc/pccard_ether; do these changes look reasonable? Can someone recommend a better approach?
(My ipf.rules protect the entire box regardless of interface so it seems to work fine)

If not, any objections to committing this?:

diff -r1.1 /etc/defaults/rc.conf 62c62 < ipfilter_program="/sbin/ipf -Fa -f" --- > ipfilter_program="/sbin/ipf" 67c67 < ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module --- > ipfilter_flags=" -Fa -f" # should be *empty* when ipf is _not_ a module

and:

diff -r1.1 /etc/pccard_ether 9a10,15 > if [ -x /usr/bin/logger ]; then > LOGGER="/usr/bin/logger -s -p user.notice -t pccard_ether" > else > LOGGER=echo > fi > 29a36,45 > > #resync ipf if we bring up a new interface > if /sbin/ipfstat -i > /dev/null 2>&1; then > case "${ipfilter_enable}" in > [Yy][Ee][Ss]) > ${ipfilter_program:-/sbin/ipf} -y > $LOGGER "Resyncing ipf to use new interface" > ;; > esac > fi 31c47 < echo "${dhcp_program}: DHCP client software not available" --- > $LOGGER "${dhcp_program}: DHCP client software not available"

Thanks,
Adi
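
Review bot: in the 67c67 hunk of /etc/defaults/rc.conf, the new ipfilter_flags=" -Fa -f" keeps the comment "should be *empty* when ipf is _not_ a module", but emptying it as that comment instructs would now also drop the flush and rule-load options, and the "-E" that the old default carried no longer appears anywhere in the visible change. The script that consumes ipfilter_program and ipfilter_flags is not part of this patch, so please confirm that it still enables the filter and still places the rules file directly after "-f"; keeping the load options in their own variable would let the "empty when not a module" rule continue to mean what it says.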
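
Review bot: in the 29a36,45 hunk of /etc/pccard_ether, "${ipfilter_program:-/sbin/ipf} -y" is only a resync when ipfilter_program holds the bare binary path; a machine whose /etc/rc.conf still overrides it with the old-style value "/sbin/ipf -Fa -f" (the line removed in the 62c62 hunk) would run "/sbin/ipf -Fa -f -y" on every card insertion, which flushes the rule set instead of resyncing it. Calling /sbin/ipf -y directly, or using a dedicated variable for the binary path, avoids depending on that override, and the "Resyncing ipf to use new interface" message should be logged only after checking the exit status of the resync so that a failed resync is not reported as done.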