From owner-freebsd-bugs  Wed Oct 24 13: 0:12 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id CAECC37B405
	for <freebsd-bugs@hub.freebsd.org>; Wed, 24 Oct 2001 13:00:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f9OK01k93067;
	Wed, 24 Oct 2001 13:00:01 -0700 (PDT)
	(envelope-from gnats)
Received: from b80216.upc-b.chello.nl (b80216.upc-b.chello.nl [212.83.80.216])
	by hub.freebsd.org (Postfix) with ESMTP id 0823A37B403
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Oct 2001 12:57:39 -0700 (PDT)
Received: from adv.devet.org (adv.devet.org [192.168.1.2])
	by b80216.upc-b.chello.nl (Postfix) with ESMTP id 5812F689D
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 24 Oct 2001 21:57:37 +0200 (CEST)
Received: by adv.devet.org (Postfix, from userid 100)
	id 50075413F; Wed, 24 Oct 2001 21:57:35 +0200 (CEST)
Message-Id: <20011024195735.50075413F@adv.devet.org>
Date: Wed, 24 Oct 2001 21:57:35 +0200 (CEST)
From: Arjan de Vet <devet@devet.org>
Reply-To: Arjan de Vet <devet@devet.org>
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/31482: ipfilter /etc/rc.* bug fixes and manual page update
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         31482
>Category:       conf
>Synopsis:       ipfilter /etc/rc.* bug fixes and manual page update
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 24 13:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Arjan de Vet
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Madison Gurkha
>Environment:
System: FreeBSD adv.devet.org 4.4-STABLE FreeBSD 4.4-STABLE #6: Mon Oct 22 00:16:23 CEST 2001 root@adv.devet.org:/home/freebsd/obj/home/freebsd/src/sys/ADV i386


>Description:
	ipfilter /etc/rc.* bug fixes including manual page update
	
>How-To-Repeat:

    darrenr     2001/10/19 21:33:12 PDT

      Modified files:
	etc                  rc.network rc.shutdown 
	etc/defaults         rc.conf 
      Log:
      Put in place for using ipfs use on shutdown and startup.
      
      PR:		27070
      
      Revision  Changes    Path
      1.130     +5 -1      src/etc/defaults/rc.conf
      1.107     +10 -1     src/etc/rc.network
      1.18      +12 -1     src/etc/rc.shutdown

Hmm... with these default settings from defaults/rc.conf:

    ipfilter_program="/sbin/ipf -Fa -f"
    ipfs_flags=""
    ipfs_program="/sbin/ipfs"

these kind of expressions in /etc/rc.network:

    ${ipfilter_program:-/sbin/ipf -y}
    ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}

will evaluate to:

    /sbin/ipf -Fa -f
    /sbin/ipfs

and that's not what is intended in these cases I think.

I also see these kind of expressions for ipfilter-related stuff preceded
by 'eval' a lot. That seems unnecessary to me.

Furthermore the ipfilter_program and ipnat_program variables are the
_only_ *_program variables in defaults/rc.conf to have options already
included :-(.

The patch referenced below will fix these problems (for stable and
current).

The patch also starts ipmon _before_ loading the ipf or ipnat filter/nat
rules (and not after loading filter rules as was previously the case).

Furthermore loading of the state table via ipfs(8) is done after loading
both filter and nat rules (and not only after loading filter rules as
was previously the case).

>Fix:

At

	http://home.iae.nl/users/devet/freebsd/

you can find two patches (rc.ipf.stable and rc.ipf.current) which
cleanup the ipfilter/ipnat/ipmon/ipfs startup code in the /etc/rc.*
framework. It even includes updates to the rc.conf.5 manual pages ;-).
Note that for stable /sbin/ipfs should be MFC'ed first!

I've tested the -stable version of the patch on my own firewall (doing
NAT too), and I can now reboot my firewall without loosing the active
connections ;-).
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message