Date: Mon, 18 Mar 2002 18:01:16 -0800
From: "Crist J. Clark"
To: Arjan de Vet
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc rc.network
Message-ID: <20020318180116.E60554@blossom.cjclark.org>

On Mon, Mar 18, 2002 at 09:57:32PM +0100, Arjan de Vet wrote:
> In article <200203122025.g2CKPP966458@freefall.freebsd.org> you write:
>
> >cjc         2002/03/12 12:25:25 PST
> >
> >  Modified files:
> >    etc                  rc.network
> >  Log:
> >  The reload of ipf(8) rules should depend on $ipfilter_enable, not
> >  $ipfilter_active. $ipfilter_enable is set to "NO" if modules fail to
> >  load, and $ipfilter_active can be "YES" when we are not using ipf(8).
>
> I'm not sure this is right. $ipfilter_active is true if $ipfilter_enable
> or $ipnat_enable are "YES". In both cases the in-kernel interface list
> should be resync'ed, not only the $ipfilter_enable case.

Good point.

> 'ipf -y' is not
> the reloading of ipf rules btw.

I know, but "resync" doesn't really sound right to me either.

> A better fix might be to unset $ipfilter_active in case the ipf module
> fails to load (diff relative to 1.128):

[snip]

There _was_ a reason I didn't do that... but I can't remember now so it
cannot be that important. Fixing the potential problems with
ipnat(8)-only configurations is more important.

Thanks for catching this. Too bad it didn't get caught before I MFC'ed
it to -STABLE. :(
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org