From: Ceri Davies
To: Andre Oppermann
Cc: John Birrell, Nate Lawson, src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Date: Thu, 19 Aug 2004 18:18:35 +0100
Message-ID: <20040819171835.GZ5433@submonkey.net>
In-Reply-To: <41247C7A.B21E7660@freebsd.org>
Subject: Re: cvs commit: src/sys/conf files options src/sys/modules/ipfw Makefile src/sys/net bridge.c src/sys/netgraph ng_bridge.c src/sys/netinet ip_divert.c ip_dummynet.c ip_dummynet.h ip_fastfwd.c ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c ip_output.c ...

On Thu, Aug 19, 2004 at 12:10:03PM +0200, Andre Oppermann wrote:
> Nate Lawson wrote:
> >
> > John Birrell wrote:
> > > On Tue, Aug 17, 2004 at 10:05:54PM +0000, Andre Oppermann wrote:
> > >
> > >> andre 2004-08-17 22:05:54 UTC
> > >>
> > >>   FreeBSD src repository
> > >>
> > >>   Modified files:
> > >>     sys/conf             files options
> > >>     sys/modules/ipfw     Makefile
> > >>     sys/net              bridge.c
> > >>     sys/netgraph         ng_bridge.c
> > >>     sys/netinet          ip_divert.c ip_dummynet.c ip_dummynet.h
> > >>                          ip_fastfwd.c ip_fw.h ip_fw2.c ip_input.c
> > >>                          ip_output.c ip_var.h raw_ip.c tcp_input.c
> > >>                          tcp_sack.c
> > >>     sys/sys              mbuf.h
> > >>   Added files:
> > >>     sys/netinet          ip_fw_pfil.c
> > >
> > > A kernel config file which includes IPFIREWALL, but not PFIL_HOOKS will
> > > not link (for obvious reasons).
> > >
> > > Also, the script /etc/rc.d/ipfw tests the 'enable' sysctl which is removed
> > > by this commit. The result is that if a kernel is booted with ipfw built
> > > in, the /etc/rc.d/ipfw script tries to load the ipfw module. The module
> > > load fails (for obvious reasons), causing the ipfw initialisation to fail
> > > leaving the firewall in the deny-everything mode regardless of what is
> > > configured in /etc/rc.conf.
> > >
> > > This is an issue for 5.3. [ I assume re@ are reading this list ]
> >
> > I've been bitten by both. Actually, ipfw.ko won't load into a kernel
> > built without PFIL_HOOKS. The duplicate load attempt also happens to me.
>
> I'm looking into this and will have a fix later today.

Hi Andre,

I'd like to echo Nate's thanks for you spending effort to fix the problems
here. Also, I think that the ipfirewall.4 manpage could use the following
diff attached if PFIL_HOOKS is now mandatory.

Cheers,

Ceri
-- 
It is not tinfoil, it is my new skin. I am a robot.

[Attachment: ipfw.man.diff]

Index: src/share/man/man4/ipfirewall.4
===================================================================
RCS file: /home/ncvs/src/share/man/man4/ipfirewall.4,v
retrieving revision 1.29
diff -u -r1.29 ipfirewall.4
--- src/share/man/man4/ipfirewall.4	29 Nov 2002 11:39:19 -0000	1.29
+++ src/share/man/man4/ipfirewall.4	19 Aug 2004 17:16:21 -0000
@@ -46,6 +46,8 @@
 enable
 .Xr divert 4
 sockets
+.It Dv PFIL_HOOKS
+add packet filter hooks
 .El
 .Sh SEE ALSO
 .Xr setsockopt 2 ,
@@ -53,4 +55,5 @@
 .Xr ip 4 ,
 .Xr ipfw 8 ,
 .Xr sysctl 8 ,
-.Xr syslogd 8
+.Xr syslogd 8,
+.Xr pfil 9
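Review bot: in the first hunk (@@ -46,6 +46,8 @@) the new `.It Dv PFIL_HOOKS` entry describes the option only as "add packet filter hooks", which reads as optional, whereas the message this diff accompanies says PFIL_HOOKS is now mandatory and the earlier reply notes that a kernel configured with IPFIREWALL but without PFIL_HOOKS will not link. State that dependency in the description, for example `+add packet filter hooks (required by IPFIREWALL)`, so a reader of ipfirewall.4 is not left to discover it at link time.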
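Review bot: in the second hunk (@@ -53,4 +55,5 @@) the line `+.Xr syslogd 8,` attaches the comma directly to the section number, while every other entry in this list, such as `.Xr sysctl 8 ,`, separates it with a space so mdoc treats the comma as trailing punctuation rather than as part of the section argument. Change it to `+.Xr syslogd 8 ,` to match the existing style and avoid rendering the section as "8,".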