From: Frank Volf
To: freebsd-gnats-submit@FreeBSD.org
Date: Sun, 6 Apr 2014 16:37:06 GMT
Message-Id: <201404061637.s36Gb6nj078527@cgiserv.freebsd.org>
Subject: misc/188318: service ipfilter reload does not work
(Resent to freebsd-bugs@FreeBSD.org by the GNATS Filer, Sun, 6 Apr 2014 16:40:00 GMT)

>Number:         188318
>Category:       misc
>Synopsis:       service ipfilter reload does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 06 16:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Frank Volf
>Release:        FreeBSD 10-STABLE
>Organization:
>Environment:
FreeBSD drawbridge.internal.deze.org 10.0-STABLE FreeBSD 10.0-STABLE #0 r262433: Mon Feb 24 16:25:35 CET 2014 root@drawbridge-new.internal.deze.org:/usr/obj/usr/sources/src10-stable/sys/SHUTTLE i386
>Description:
If you modify your ipfilter rule set and issue a 'service ipfilter reload', an empty IPv4 rule set will be loaded. You can see this with the 'ipfstat -ionh' command.
>How-To-Repeat:
Issue 'service ipfilter reload'.
>Fix:
The issue is caused by an error in the /etc/rc.d/ipfilter script. In this script the command '${ipfilter_program:-/sbin/ipf} -I -6 -Fa' is used to flush the inactive rule set. However, this command does not work as expected: it flushes both the IPv4 and the IPv6 inactive rule sets. So the new ipfilter rule set loaded just above this command is immediately removed.

The fix is simple: comment out this line and it works fine (above this line there is already a '${ipfilter_program:-/sbin/ipf} -I -Fa' that flushes both the inactive IPv4 and IPv6 rule sets).
>Release-Note:
>Audit-Trail:
>Unformatted:
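The failure mode described in this report is silent: the reload succeeds, the host keeps running, and only 'ipfstat -ionh' reveals that the active IPv4 set is empty (which, unless the kernel was built with IPFILTER_DEFAULT_BLOCK, means the filter passes everything). The check below is an added example, not part of the report or of FreeBSD's rc.d scripts: it parses ipfstat output and fails when no pass/block rules are present, so a reload can be followed by an automatic sanity check. The two sample outputs are constructed; the 'empty list for ipfilter(...)' marker is assumed to be what ipfstat(8) prints for a list with no rules, and the function names are the example's own.

```shell
#!/bin/sh
# Post-reload sanity check for ipfilter (added example; assumptions noted).

# Constructed sample of 'ipfstat -ionh' output on a host whose rules loaded.
SAMPLE_OK='0 pass in quick on lo0 all
12 block in log quick on em0 from any to any
3 pass out quick on em0 all keep state'

# Constructed sample for the bug in this report: the set is empty.
# The marker text is assumed to match what ipfstat(8) prints (assumption).
SAMPLE_EMPTY='empty list for ipfilter(in)
empty list for ipfilter(out)'

# ipf_rule_count TEXT: number of lines in TEXT that carry a pass or block rule.
ipf_rule_count() {
    printf '%s\n' "$1" | grep -c -E '(^|[[:space:]])(pass|block)[[:space:]]' || true
}

# ipf_rules_loaded TEXT: succeed (0) only when TEXT shows no "empty list"
# marker and contains at least one pass/block rule; fail (1) otherwise.
ipf_rules_loaded() {
    if printf '%s\n' "$1" | grep -q '^empty list for ipfilter'; then
        return 1
    fi
    [ "$(ipf_rule_count "$1")" -gt 0 ]
}

# verify_live: run on the host right after 'service ipfilter reload'.
# Not exercised by the offline samples above; requires ipfstat(8).
verify_live() {
    out=$(ipfstat -ionh 2>&1) || { echo "ipfstat failed: $out" >&2; return 2; }
    if ipf_rules_loaded "$out"; then
        echo "active IPv4 rule set: $(ipf_rule_count "$out") rule(s)"
    else
        echo "WARNING: active IPv4 rule set is empty after reload" >&2
        return 1
    fi
}

# Offline demonstration with the constructed samples.
if ipf_rules_loaded "$SAMPLE_OK"; then
    echo "sample OK: $(ipf_rule_count "$SAMPLE_OK") rule(s) present"
fi
if ! ipf_rules_loaded "$SAMPLE_EMPTY"; then
    echo "sample EMPTY: no rules loaded (this is the symptom from PR 188318)"
fi
```

In practice you would run 'service ipfilter reload && verify_live' and treat a non-zero exit as a reason to restore the previous rule file; the same parse applies to the IPv6 set if you feed it the output of 'ipfstat -6 -ionh'. Checking the inactive set before the swap is not possible through this script alone, because the rc.d script flushes and swaps in one go.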