Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 18 Mar 2002 21:57:32 +0100
From:      devet@devet.org (Arjan de Vet)
To:        cjc@FreeBSD.org
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/etc rc.network
Message-ID:  <20020318205732.GA1013@adv.devet.org>
In-Reply-To: <200203122025.g2CKPP966458@freefall.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
In article <200203122025.g2CKPP966458@freefall.freebsd.org> you write:

>cjc         2002/03/12 12:25:25 PST
>
>  Modified files:
>    etc                  rc.network 
>  Log:
>  The reload of ipf(8) rules should depend on $ipfilter_enable, not
>  $ipfilter_active. $ipfilter_enable is set to "NO" if modules fail to
>  load, and $ipfilter_active can be "YES" when we are not using ipf(8).

I'm not sure this is right. $ipfilter_active is true if $ipfilter_enable
or $ipnat_enable are "YES". In both cases the in-kernel interface list
should be resync'ed, not only the $ipfilter_enable case. 'ipf -y' is not
the reloading of ipf rules btw.

A better fix might be to unset $ipfilter_active in case the ipf module
fails to load (diff relative to 1.128):

Index: rc.network
===================================================================
RCS file: /home/freebsd/CVS/src/etc/rc.network,v
retrieving revision 1.128
diff -u -r1.128 rc.network
--- rc.network	12 Mar 2002 20:25:25 -0000	1.128
+++ rc.network	18 Mar 2002 20:52:21 -0000
@@ -89,6 +89,7 @@
 				ipfilter_enable="NO"
 				ipnat_enable="NO"
 				ipfs_enable="NO"
+				ipfilter_active="NO"
 			fi
 		fi
 		# start ipmon before loading any rules
@@ -298,11 +299,12 @@
 
 	# Re-Sync ipfilter so it picks up any new network interfaces
 	#
-	case ${ipfilter_enable} in
+	case ${ipfilter_active} in
 	[Yy][Ee][Ss])
 		${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} >/dev/null
 		;;
 	esac
+	unset ipfilter_active
 
 	# Initialize IP filtering using ipfw
 	#

This should solve the problem of calling 'ipf -y' when the ipfilter
kernel module fails to load without losing the 'ipf -y' functionality in
case only ipnat is used.

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands               <devet@devet.org>
URL : http://www.iae.nl/users/devet/            <Arjan.deVet@adv.iae.nl>
Work: http://www.madison-gurkha.com/  (Security, Open Source, Education)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020318205732.GA1013>