Date:      Wed, 14 Mar 2001 03:36:40 -0800 (PST)
From:      Mike Harding <mvh@ix.netcom.com>
To:        zingelman@fnal.gov
Cc:        stable@FreeBSD.ORG
Subject:   Re: /etc/default/rc.conf bad default ipfilter_flags?
Message-ID:  <20010314113640.741AF1140FC@netcom1.netcom.com>
In-Reply-To: <Pine.GSO.4.30.0103132009500.28627-100000@nova.fnal.gov> (message from Tim Zingelman on Tue, 13 Mar 2001 20:37:49 -0600 (CST))
References:   <Pine.GSO.4.30.0103132009500.28627-100000@nova.fnal.gov>


I can confirm that the "-E" seems to be unnecessary for both kernel and
kernel module loads.

I can also confirm that ppp does not play well with ipfilter because
ipfilter needs an 'ipf -y' to pick up the dynamically configured
interfaces - it's set up before these interfaces exist, so that any
rules applying to them don't work!  I stick an 'ipf -y' near the end of
pass 1 in /etc/rc.network but this is my local hack.

- Mike Harding

   X-Authentication-Warning: nova.fnal.gov: tez owned process doing -bs
   Date: Tue, 13 Mar 2001 20:37:49 -0600 (CST)
   From: Tim Zingelman <zingelman@fnal.gov>
   X-Sender:  <tez@nova.fnal.gov>
   Content-Type: TEXT/PLAIN; charset=US-ASCII
   Sender: owner-freebsd-stable@FreeBSD.ORG
   X-Loop: FreeBSD.ORG
   Precedence: bulk

   Running 4.3-Beta, cvsupped early on 3/13/01.

   These lines are either confusing or wrong.  Possibly something has changed
   in the default state (now enabled?) of the ipfilter module.

   ipfilter_flags="-E"          # should be *empty* when ipf is _not_ a module
				# (i.e. compiled into the kernel) to
				# avoid a warning about "already initialized"

   I load ipf as a module by adding a line to /boot/loader.conf:
   ipl_load="YES"

   Running a GENERIC kernel.

   I have a valid rules file at /etc/ipf.rules

   I add the following line to /etc/rc.conf:
   ipfilter_enable="YES"

   and when I boot I get...
   from dmesg:
   IP Filter: v3.4.16 initialized.  Default = pass all, Logging = enabled

   from /var/log/console.log:
   Mar 13 19:32:59 port /kernel: Doing initial network setup:
   Mar 13 19:32:59 port /kernel: hostname
   Mar 13 19:32:59 port /kernel: ipfilter
   Mar 13 19:32:59 port /kernel: SIOCFRENB: Invalid argument
   Mar 13 19:32:59 port /kernel: .
   Mar 13 19:32:59 port /kernel: fxp0: flags=8843<UP,BROADCAST,RUNNING...

   If I add this line to /etc/rc.conf:
   ipfilter_flags=""

   The "SIOCFRENB: Invalid argument" message goes away, and ipf IS working.

   So if the comment is correct that -E is not needed for compiled into the
   kernel ipf, and I am correct that -E is not needed for module loaded ipf,
   I'd like to see the default change to "" and have the comment changed...

   +ipfilter_flags=""		# Flags to ipfilter (if enabled).
   -ipfilter_flags="-E"		# should be *empty* when ipf is _not_ a module
   -				# (i.e. compiled into the kernel) to
   -				# avoid a warning about "already initialized"
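Review bot: the new comment on the `+ipfilter_flags=""` line drops the only explanation of what -E is for, so the next person who sees "-E" in ipf(8) may put it back; since the finding in this thread is that -E is not needed for a compiled-in ipf or for the ipl module, record that in the comment, e.g. `# Flags to ipfilter (if enabled); -E is not needed for kernel or module`. Also, the `+` line comes before the `-` lines and there is no file header, so this cannot be applied with patch(1); attach a real diff of the defaults file when filing the PR.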

   If someone can verify my findings I could submit a PR.

   Thanks,

     - Tim



   To Unsubscribe: send mail to majordomo@FreeBSD.org
   with "unsubscribe freebsd-stable" in the body of the message


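The two findings in this thread (Tim's: passing "-E" to an already-initialized ipf yields "SIOCFRENB: Invalid argument"; Mike's: ipf needs an 'ipf -y' after ppp brings up its interfaces) can be folded into one start-up helper. This is an added example, not code from the thread or from FreeBSD's rc scripts; it assumes that `ipf -V` prints a "Running: yes" / "Running: no" line (the IPFilter 3.4.x format), and the rules path defaults to the /etc/ipf.rules used in the thread.

```sh
#!/bin/sh
# Added example: choose ipfilter flags from the kernel's own state instead
# of hard-coding "-E" in ipfilter_flags.
# Assumption: `ipf -V` output contains "Running: yes" or "Running: no".

# Given the text of `ipf -V`, print the flags to pass to ipf: "-E" only
# when the filter reports that it is not yet running, "" otherwise
# (this thread found "-E" unnecessary for both kernel and module loads,
# so "" is also the fallback when the line is absent).
ipfilter_flags_for() {
    case "$1" in
        *"Running: no"*) printf '%s' '-E' ;;
        *)               printf '%s' '' ;;
    esac
}

# Flush and load the rules once at boot; -Fa flushes all rules and -f
# loads the file, both standard ipf(8) options.
ipfilter_start() {
    rules=${1:-/etc/ipf.rules}
    flags=$(ipfilter_flags_for "$(ipf -V 2>/dev/null)")
    # shellcheck disable=SC2086  # $flags is intentionally unquoted
    ipf $flags -Fa -f "$rules"
}

# Call this after ppp has created its interfaces (Mike's rc.network hack):
# ipf -y resyncs the kernel's interface list so rules naming those
# interfaces start to match.
ipfilter_resync() {
    ipf -y
}
```

Hook ipfilter_resync into whatever runs after ppp comes up (e.g. a ppp linkup script) rather than relying on boot order.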