From owner-freebsd-stable  Wed Mar 14  3:37:25 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from johnson.mail.mindspring.net (johnson.mail.mindspring.net [207.69.200.177])
	by hub.freebsd.org (Postfix) with ESMTP id A729137B719
	for <stable@FreeBSD.ORG>; Wed, 14 Mar 2001 03:37:19 -0800 (PST)
	(envelope-from mvh@ix.netcom.com)
Received: from netcom1.netcom.com (lai-ca3c-25.ix.netcom.com [209.110.242.25])
	by johnson.mail.mindspring.net (8.9.3/8.8.5) with ESMTP id GAA26175;
	Wed, 14 Mar 2001 06:37:16 -0500 (EST)
Received: by netcom1.netcom.com (Postfix, from userid 1000)
	id 741AF1140FC; Wed, 14 Mar 2001 03:36:40 -0800 (PST)
From: Mike Harding <mvh@ix.netcom.com>
To: zingelman@fnal.gov
Cc: stable@FreeBSD.ORG
In-reply-to: <Pine.GSO.4.30.0103132009500.28627-100000@nova.fnal.gov> (message
	from Tim Zingelman on Tue, 13 Mar 2001 20:37:49 -0600 (CST))
Subject: Re: /etc/default/rc.conf bad default ipfilter_flags?
References:  <Pine.GSO.4.30.0103132009500.28627-100000@nova.fnal.gov>
Message-Id: <20010314113640.741AF1140FC@netcom1.netcom.com>
Date: Wed, 14 Mar 2001 03:36:40 -0800 (PST)
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


I can confirm that the "-E" seems to be unecessary for both kernel and
kernel module loads.

I can also confirm that ppp does not play well with ipfilter because
ipfilter needs a 'ipf -y' to pick up the dynamically configured
interfaces - it's set up before these interfaces exist, so that any
rules applying to them don't work!  I stick a 'ipf -y' near the end of
pass 1 in /etc/rc.network but this is my local hack.

- Mike Harding

   X-Authentication-Warning: nova.fnal.gov: tez owned process doing -bs
   Date: Tue, 13 Mar 2001 20:37:49 -0600 (CST)
   From: Tim Zingelman <zingelman@fnal.gov>
   X-Sender:  <tez@nova.fnal.gov>
   Content-Type: TEXT/PLAIN; charset=US-ASCII
   Sender: owner-freebsd-stable@FreeBSD.ORG
   X-Loop: FreeBSD.ORG
   Precedence: bulk

   Running 4.3-Beta, cvsupped early on 3/13/01.

   These lines are either confusing or wrong.  Possibly something has changed
   in the default state (now enabled?) of the ipfilter module.

   ipfilter_flags="-E"          # should be *empty* when ipf is _not_ a module
				# (i.e. compiled into the kernel) to
				# avoid a warning about "already initialized"

   I load ipf as a module by adding a line to /boot/loader.conf:
   ipl_load="YES"

   Running a GENERIC kernel.

   I have a valid rules file at /etc/ipf.rules

   I add the following line to /etc/rc.conf:
   ipfilter_enable="YES"

   and when I boot I get...
   from dmesg:
   IP Filter: v3.4.16 initialized.  Default = pass all, Logging = enabled

   from /var/log/console.log:
   Mar 13 19:32:59 port /kernel: Doing initial network setup:
   Mar 13 19:32:59 port /kernel: hostname
   Mar 13 19:32:59 port /kernel: ipfilter
   Mar 13 19:32:59 port /kernel: SIOCFRENB: Invalid argument
   Mar 13 19:32:59 port /kernel: .
   Mar 13 19:32:59 port /kernel: fxp0: flags=8843<UP,BROADCAST,RUNNING...

   If I add this line to /etc/rc.conf:
   ipfilter_flags=""

   The "SIOCFRENB: Invalid argument" message goes away, and ipf IS working.

   So if the comment is correct that -E is not needed for compiled into the
   kernel ipf, and I am correct that -E is not needed for module loaded ipf,
   I'd like to see the default change to "" and have the comment changed...

   +ipfilter_flags=""		# Flags to ipfilter (if enabled).
   -ipfilter_flags="-E"		# should be *empty* when ipf is _not_ a module
   -				# (i.e. compiled into the kernel) to
   -				# avoid a warning about "already initialized"

   If someone can verify my findings I could submit a PR.

   Thanks,

     - Tim



   To Unsubscribe: send mail to majordomo@FreeBSD.org
   with "unsubscribe freebsd-stable" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message