From owner-freebsd-bugs Thu May 3 16:30:13 2001
Message-Id: <200105032326.f43NQ0c21144@sts-home.stadtbuch.de>
Date: Fri, 4 May 2001 01:26:00 +0200 (CEST)
From: stefan.schmidt@twest.de
Reply-To: stefan.schmidt@twest.de
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: conf/27070: save/restore IP Filter's state tables at shutdown/reboot (patch)

>Number: 27070
>Category: conf
>Synopsis: save/restore IP Filter's state tables at shutdown/reboot (patch)
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu May 03 16:30:03 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Stefan Schmidt
>Release: FreeBSD 4.3-RC i386
>Organization:
>Environment:
System: FreeBSD sts-home.stadtbuch.de 4.3-RC FreeBSD 4.3-RC #0: Tue Apr 17 23:28:43 CEST 2001 root@sts-home.stadtbuch.de:/usr/obj/usr/src/sys/STSHOME i386

applies to both RELENG_4 and CURRENT.

>Description:
IP Filter's utility program "ipfs" is supposed to save and restore IP Filter's internal state tables. By saving state tables at shutdown and restoring them at boot-time, already established connections aren't disconnected (or hang, depending on your rules).

>How-To-Repeat:
(new functionality, thus no How-To-Repeat)

>Fix:
I've added a few new configuration parameters (ipfs_*) to etc/defaults/rc.conf that may be overridden in etc/rc.conf: ipfs_enable, ipfs_flags, ipfs_program. The attached patches (against RELENG_4, but should also apply to CURRENT) also modify rc.network for restoring the state tables at boot-time. rc.shutdown saves the tables at shutdown-time. (Is there a better place to put this?) Directory db/ipf was added to etc/mtree.var.dist. rc.conf(5) isn't ready yet but I'll happily provide patches to anyone who wants to commit this functionality. Note that PR bin/27063 (/sbin/ipfs missing) is a prerequisite.
Index: rc.network =================================================================== RCS file: /home/cvs/src/etc/rc.network,v retrieving revision 1.74.2.14 diff -u -r1.74.2.14 rc.network --- rc.network 2001/03/06 02:21:59 1.74.2.14 +++ rc.network 2001/05/03 21:23:58 @@ -71,6 +71,15 @@ fi ;; esac + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs'; + eval ${ipfs_program:-/sbin/ipfs -R} \ + ${ipfs_flags} + fi + ;; + esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' Index: rc.shutdown =================================================================== RCS file: /home/cvs/src/etc/rc.shutdown,v retrieving revision 1.4.2.9 diff -u -r1.4.2.9 rc.shutdown --- rc.shutdown 2001/03/12 13:29:24 1.4.2.9 +++ rc.shutdown 2001/05/03 21:24:37 @@ -83,6 +83,17 @@ ;; esac +# Save IP Filter state tables + +case ${ipfs_enable} in +[Yy][Ee][Ss]) + echo -n 'Saving IP Filter state tables:' + eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags} + ;; +esac + +echo . + # Insert other shutdown procedures here echo '.' Index: defaults/rc.conf =================================================================== RCS file: /home/cvs/src/etc/defaults/rc.conf,v retrieving revision 1.53.2.21 diff -u -r1.53.2.21 rc.conf --- defaults/rc.conf 2001/03/19 09:33:59 1.53.2.21 +++ defaults/rc.conf 2001/05/03 21:26:50 
@@ -69,6 +69,10 @@ ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat ipnat_flags="" # additional flags for ipnat +ipfs_enable="YES" # Set to YES to enable saving and restoring + # of state tables at shutdown and boot +ipfs_flags="" # additional flags for ipfs +ipfs_program="/sbin/ipfs" # where the ipfs program lives ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too! ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog" Index: mtree/BSD.var.dist =================================================================== RCS file: /home/cvs/src/etc/mtree/BSD.var.dist,v retrieving revision 1.43.2.1 diff -u -r1.43.2.1 BSD.var.dist --- mtree/BSD.var.dist 2001/03/05 11:59:02 1.43.2.1 +++ mtree/BSD.var.dist 2001/05/03 22:50:30 @@ -26,6 +26,8 @@ .. /set mode=0755 db + ipf + .. pkg .. ..
>Release-Note:
>Audit-Trail:
>Unformatted:
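Review bot: In the rc.network hunk the fallback `${ipfs_program:-/sbin/ipfs -R}` can never supply the -R, because the defaults/rc.conf hunk in this same patch sets ipfs_program="/sbin/ipfs" unconditionally and defaults/rc.conf is sourced before rc.network runs; the restore will therefore execute `/sbin/ipfs ${ipfs_flags}` with no read flag at all. Spell the operation out in the script instead, e.g. `eval ${ipfs_program} -R ${ipfs_flags}`, and leave ipfs_program as a bare path. A second point on the same hunk: the restore fires whenever /var/db/ipf/ipstate.ipf is readable, which includes the boot after a crash or any boot where rc.shutdown never ran, so an old snapshot from an earlier session is re-injected into the kernel; removing or renaming the file after a successful restore would keep each saved table from being loaded more than once.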
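Review bot: The rc.shutdown hunk adds a bare `echo .` after the `esac`, outside the YES branch, so a lone "." is printed on every shutdown even when ipfs_enable is NO, and it lands directly in front of the existing `echo '.'`; move it inside the `[Yy][Ee][Ss])` branch after the eval. The block also does not test ipfilter_enable, unlike the restore in rc.network which sits inside the ipfilter branch, so with the new ipfs_enable="YES" default a host that never loaded IP Filter will run `/sbin/ipfs -W` against an absent filter at every shutdown; guard it with the same `case ${ipfilter_enable}` test. The `${ipfs_program:-/sbin/ipfs -W}` fallback has the same flaw as the -R one in rc.network: once defaults/rc.conf sets ipfs_program, the -W is never passed.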
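Review bot: In the defaults/rc.conf hunk ipfs_enable="YES" is the only knob in this block that ships enabled (ipmon_enable right below it is "NO"), and the >Fix text itself says PR bin/27063 (/sbin/ipfs missing) is a prerequisite, so every system without that fix would get a failed ipfs invocation at boot and at shutdown out of the box; default it to "NO" and let etc/rc.conf opt in. Also, ipfs_program="/sbin/ipfs" carries neither -R nor -W, yet both rc scripts rely on their `:-` fallback to provide that flag; either document in the comment that the flag must be part of ipfs_program or, better, move the flag into the scripts.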
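Review bot: In the mtree/BSD.var.dist hunk the new `ipf` entry inherits `/set mode=0755`, so /var/db/ipf is created world-readable, while the file ipfs -W writes there is a snapshot of every established connection (addresses and ports) at shutdown time; give the entry an explicit `ipf mode=0700` so that only root can list or read the saved tables.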