Date: Fri, 4 May 2001 01:26:00 +0200 (CEST)
From: stefan.schmidt@twest.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: conf/27070: save/restore IP Filter's state tables at shutdown/reboot (patch)
Message-ID: <200105032326.f43NQ0c21144@sts-home.stadtbuch.de>
>Number: 27070
>Category: conf
>Synopsis: save/restore IP Filter's state tables at shutdown/reboot (patch)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 03 16:30:03 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Stefan Schmidt
>Release: FreeBSD 4.3-RC i386
>Organization:
>Environment:
System: FreeBSD sts-home.stadtbuch.de 4.3-RC FreeBSD 4.3-RC #0: Tue Apr 17 23:28:43 CEST 2001 root@sts-home.stadtbuch.de:/usr/obj/usr/src/sys/STSHOME i386
applies to both RELENG_4 and CURRENT.
>Description:
IP Filter's utility program "ipfs" is supposed to save and restore IP
Filter's internal state tables. By saving state tables at shutdown and
restoring them at boot-time, already established connections aren't
disconnected (or hang, depending on your rules).
>How-To-Repeat:
(new functionality, thus no How-To-Repeat)
>Fix:
I've added a few new configuration parameters (ipfs_*) to
etc/defaults/rc.conf that may be overridden in etc/rc.conf:
ipfs_enable, ipfs_flags, ipfs_program.
The attached patches (against RELENG_4, but should also
apply to CURRENT) also modify rc.network for restoring
the state tables at boot-time. rc.shutdown saves the tables
at shutdown-time. (is there a better place to put this?)
Directory db/ipf was added to etc/mtree.var.dist.
rc.conf(5) isn't ready yet but I'll happily provide patches to
anyone who wants to commit this functionality.
Note that PR bin/27063 (/sbin/ipfs missing) is a prerequisite.
Index: rc.network
===================================================================
RCS file: /home/cvs/src/etc/rc.network,v
retrieving revision 1.74.2.14
diff -u -r1.74.2.14 rc.network
--- rc.network 2001/03/06 02:21:59 1.74.2.14
+++ rc.network 2001/05/03 21:23:58
@@ -71,6 +71,15 @@
fi
;;
esac
+ case "${ipfs_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "/var/db/ipf/ipstate.ipf" ]; then
+ echo -n ' ipfs';
+ eval ${ipfs_program:-/sbin/ipfs -R} \
+ ${ipfs_flags}
+ fi
+ ;;
+ esac
else
ipfilter_enable="NO"
echo -n ' NO IPF RULES'
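Review bot: the restore flag only exists in the fallback default `${ipfs_program:-/sbin/ipfs -R}`, so as soon as `ipfs_program` is set (and the defaults/rc.conf hunk in this same patch sets it to plain `/sbin/ipfs`), `eval` runs ipfs without `-R` and nothing is restored. Put the mode flag in the script itself, e.g. `eval ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}`, and keep `ipfs_program` as the bare path. The `-r "/var/db/ipf/ipstate.ipf"` guard also hardcodes the default state directory even though `ipfs_flags` could point ipfs elsewhere, so a non-default location silently skips the restore; either note in the rc.conf comment that the check assumes the default directory or make the path configurable alongside the flags.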
Index: rc.shutdown
===================================================================
RCS file: /home/cvs/src/etc/rc.shutdown,v
retrieving revision 1.4.2.9
diff -u -r1.4.2.9 rc.shutdown
--- rc.shutdown 2001/03/12 13:29:24 1.4.2.9
+++ rc.shutdown 2001/05/03 21:24:37
@@ -83,6 +83,17 @@
;;
esac
+# Save IP Filter state tables
+
+case ${ipfs_enable} in
+[Yy][Ee][Ss])
+ echo -n 'Saving IP Filter state tables:'
+ eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags}
+ ;;
+esac
+
+echo .
+
# Insert other shutdown procedures here
echo '.'
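Review bot: same mode-flag problem as in the rc.network hunk: `${ipfs_program:-/sbin/ipfs -W}` only supplies `-W` when `ipfs_program` is unset, and defaults/rc.conf sets it, so the save runs `/sbin/ipfs` with no mode and the state tables are never written; use `eval ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}`. The added `echo .` sits outside the `case`, so every shutdown prints a stray `.` even when `ipfs_enable` is not YES; move it inside the `[Yy][Ee][Ss])` branch after the eval. The save also never checks `ipfilter_enable`, so on a host where IP Filter is not loaded ipfs is still invoked at shutdown; guard on both variables here the way the rc.network hunk places the ipfs case inside the ipfilter block.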
Index: defaults/rc.conf
===================================================================
RCS file: /home/cvs/src/etc/defaults/rc.conf,v
retrieving revision 1.53.2.21
diff -u -r1.53.2.21 rc.conf
--- defaults/rc.conf 2001/03/19 09:33:59 1.53.2.21
+++ defaults/rc.conf 2001/05/03 21:26:50
@@ -69,6 +69,10 @@
ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
+ipfs_enable="YES" # Set to YES to enable saving and restoring
+ # of state tables at shutdown and boot
+ipfs_flags="" # additional flags for ipfs
+ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too!
ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
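Review bot: `ipfs_enable="YES"` turns the feature on for every installation, unlike the neighbouring knob `ipmon_enable="NO"` which defaults to off, and combined with `ipfs_program="/sbin/ipfs"` (no `-R`/`-W`, which the rc scripts only add in their fallback defaults) this makes every system run a mode-less ipfs at boot and shutdown. Default to `ipfs_enable="NO"` and say in the comment that it needs ipfilter, as the ipmon comment does. The `ipfs_program` comment should also state whether the value is expected to carry the mode flag, since the rc.network and rc.shutdown hunks currently disagree with this default.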
Index: mtree/BSD.var.dist
===================================================================
RCS file: /home/cvs/src/etc/mtree/BSD.var.dist,v
retrieving revision 1.43.2.1
diff -u -r1.43.2.1 BSD.var.dist
--- mtree/BSD.var.dist 2001/03/05 11:59:02 1.43.2.1
+++ mtree/BSD.var.dist 2001/05/03 22:50:30
@@ -26,6 +26,8 @@
..
/set mode=0755
db
+ ipf
+ ..
pkg
..
..
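Review bot: `ipf` inherits `/set mode=0755`, so the directory that holds the dumped state tables is world-readable; the dump describes every active connection (addresses and ports), which an unprivileged local user should not be able to read. Give the entry an explicit tighter mode, e.g. `ipf mode=0700`, and check what permissions ipfs itself applies to the files it writes, since the directory mode alone does not protect a file created under a permissive umask.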
>Release-Note:
>Audit-Trail:
>Unformatted:
