From owner-freebsd-bugs Wed Oct 24 13:00:12 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id CAECC37B405
	for ; Wed, 24 Oct 2001 13:00:01 -0700 (PDT)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.4/8.11.4) id f9OK01k93067;
	Wed, 24 Oct 2001 13:00:01 -0700 (PDT)
	(envelope-from gnats)
Received: from b80216.upc-b.chello.nl (b80216.upc-b.chello.nl [212.83.80.216])
	by hub.freebsd.org (Postfix) with ESMTP id 0823A37B403
	for ; Wed, 24 Oct 2001 12:57:39 -0700 (PDT)
Received: from adv.devet.org (adv.devet.org [192.168.1.2])
	by b80216.upc-b.chello.nl (Postfix) with ESMTP id 5812F689D
	for ; Wed, 24 Oct 2001 21:57:37 +0200 (CEST)
Received: by adv.devet.org (Postfix, from userid 100)
	id 50075413F; Wed, 24 Oct 2001 21:57:35 +0200 (CEST)
Message-Id: <20011024195735.50075413F@adv.devet.org>
Date: Wed, 24 Oct 2001 21:57:35 +0200 (CEST)
From: Arjan de Vet
Reply-To: Arjan de Vet
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/31482: ipfilter /etc/rc.* bug fixes and manual page update
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         31482
>Category:       conf
>Synopsis:       ipfilter /etc/rc.* bug fixes and manual page update
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 24 13:00:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Arjan de Vet
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
Madison Gurkha
>Environment:
System: FreeBSD adv.devet.org 4.4-STABLE FreeBSD 4.4-STABLE #6: Mon Oct 22 00:16:23 CEST 2001 root@adv.devet.org:/home/freebsd/obj/home/freebsd/src/sys/ADV i386
>Description:
ipfilter /etc/rc.* bug fixes including manual page update
>How-To-Repeat:
darrenr     2001/10/19 21:33:12 PDT

  Modified files:
    etc                  rc.network rc.shutdown
    etc/defaults         rc.conf
  Log:
  Put in place for using ipfs use on shutdown and startup.

  PR:           27070

  Revision  Changes    Path
  1.130     +5 -1      src/etc/defaults/rc.conf
  1.107     +10 -1     src/etc/rc.network
  1.18      +12 -1     src/etc/rc.shutdown

Hmm... with these default settings from defaults/rc.conf:

	ipfilter_program="/sbin/ipf -Fa -f"
	ipfs_flags=""
	ipfs_program="/sbin/ipfs"

these kinds of expressions in /etc/rc.network:

	${ipfilter_program:-/sbin/ipf -y}
	${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}

will evaluate to:

	/sbin/ipf -Fa -f
	/sbin/ipfs

and that's not what is intended in these cases I think.

I also see these kinds of expressions for ipfilter-related stuff preceded
by 'eval' a lot. That seems unnecessary to me.

Furthermore the ipfilter_program and ipnat_program variables are the
_only_ *_program variables in defaults/rc.conf to have options already
included :-(.

The patch referenced below will fix these problems (for stable and
current).

The patch also starts ipmon _before_ loading the ipf or ipnat filter/nat
rules (and not after loading filter rules as was previously the case).
Furthermore loading of the state table via ipfs(8) is done after loading
both filter and nat rules (and not only after loading filter rules as was
previously the case).

>Fix:
At http://home.iae.nl/users/devet/freebsd/ you can find two patches
(rc.ipf.stable and rc.ipf.current) which clean up the
ipfilter/ipnat/ipmon/ipfs startup code in the /etc/rc.* framework. It
even includes updates to the rc.conf.5 manual pages ;-).

Note that for stable /sbin/ipfs should be MFC'ed first!

I've tested the -stable version of the patch on my own firewall (doing
NAT too), and I can now reboot my firewall without losing the active
connections ;-).

>Release-Note:
>Audit-Trail:
>Unformatted:
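Added example (not from the PR, its patch, or FreeBSD's rc.network): a plain sh reproduction of the `${var:-default}` pitfall described above, with the defaults from the report, next to one way of keeping program and options apart so the `-y` and `-R` calls are explicit; the `*_fixed` variable names and the `/etc/ipf.rules` path are assumptions for illustration.

```sh
#!/bin/sh
# Defaults exactly as quoted in the PR from defaults/rc.conf.
ipfilter_program="/sbin/ipf -Fa -f"
ipfs_program="/sbin/ipfs"
ipfs_flags=""

# The rc.network expressions from the report. The text after ':-' is only
# substituted when the variable is unset or empty; since the defaults above
# already set both, the "-y" resync and "-R" restore options never appear.
# Unquoted echo reproduces the word splitting the shell applies when the
# expansion is run as a command.
old_resync_cmd() {
    echo ${ipfilter_program:-/sbin/ipf -y}
}
old_ipfs_restore_cmd() {
    echo ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}
}

# Assumed layout (not the PR's patch): *_program holds only the binary and the
# options that differ per call are written at the call site, so no call has to
# rely on a ':-' fallback that a configured default silently disables.
ipfilter_program_fixed="/sbin/ipf"
ipfilter_flags_fixed="-Fa -f"
ipfs_program_fixed="/sbin/ipfs"

new_load_rules_cmd() {
    # rule file path is a constructed placeholder
    echo ${ipfilter_program_fixed} ${ipfilter_flags_fixed} /etc/ipf.rules
}
new_resync_cmd() {
    echo ${ipfilter_program_fixed} -y
}
new_ipfs_restore_cmd() {
    echo ${ipfs_program_fixed} -R ${ipfs_flags}
}

echo "old resync:   $(old_resync_cmd)"        # /sbin/ipf -Fa -f  (no -y)
echo "old restore:  $(old_ipfs_restore_cmd)"  # /sbin/ipfs        (no -R)
echo "new load:     $(new_load_rules_cmd)"
echo "new resync:   $(new_resync_cmd)"
echo "new restore:  $(new_ipfs_restore_cmd)"
```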