Date: Sat, 20 Oct 2001 22:23:03 +0200
From: devet@devet.org (Arjan de Vet)
To: darrenr@freebsd.org
Cc: cvs-all@freebsd.org
Subject: Re: cvs commit: src/etc rc.network rc.shutdown src/etc/defaults rc.conf src/etc/mtree BSD.var.dist
Message-ID: <20011020222303.A35085@adv.devet.org>
In-Reply-To: <20011020183537.A33620@adv.devet.org>
References: <200110200433.f9K4XCc52779@freefall.freebsd.org>
>Hmm... with these default settings from defaults/rc.conf:
>
> ipfilter_program="/sbin/ipf -Fa -f"
> ipfs_flags=""
> ipfs_program="/sbin/ipfs"
>
>these kinds of expressions in /etc/rc.network:
>
> ${ipfilter_program:-/sbin/ipf -y}
> ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}
>
>will evaluate to:
>
> /sbin/ipf -Fa -f
> /sbin/ipfs
>
>and that's not what is intended in these cases I think.
>
>Furthermore I see these kinds of expressions for ipfilter-related stuff
>preceded by 'eval' a lot. That seems unnecessary to me.
>
>Let me see if I can clean up and test this stuff this weekend; the
>ipfilter_program and ipnat_program variables for example are the only
>*_program variables in defaults/rc.conf to have options included :-(.

Here's a patch which should solve the problems mentioned. I'm not
running current at the moment so I have not been able to test this. I
want to port it to -stable tomorrow and test it there tomorrow.

The patch also starts ipmon before loading the filter rules (and not
after loading filter rules as was previously the case). Furthermore
loading of the state table is done after loading filter/nat rules (and
not only after loading filter rules as was previously the case).

Index: rc.network
===================================================================
RCS file: /home/freebsd/CVS/src/etc/rc.network,v
retrieving revision 1.109
diff -u -r1.109 rc.network
--- rc.network 2001/10/20 04:46:32 1.109
+++ rc.network 2001/10/20 20:18:31
@@ -75,25 +75,16 @@ echo "Warning: ipfilter kernel module failed to load." fi + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac if [ -r "${ipfilter_rules}" ]; then echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ + ${ipfilter_program:-/sbin/ipf} -Fa -f \ "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac else ipfilter_enable="NO" echo -n ' NO IPF RULES' @@ -109,13 +100,22 @@ fi if [ -r "${ipnat_rules}" ]; then echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} + ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} else echo -n ' NO IPNAT RULES' fi ;; esac + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs'; + ${ipfs_program:-/sbin/ipfs} -R \ + ${ipfs_flags} + fi + ;; + esac # Set the domainname if we're using NIS # @@ -279,12 +279,12 @@ # case ${ipfilter_enable} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ;; *) case ${ipnat_enable} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ;; esac esac Index: rc.shutdown =================================================================== RCS file: /home/freebsd/CVS/src/etc/rc.shutdown,v retrieving revision 1.18 diff -u -r1.18 rc.shutdown --- rc.shutdown 2001/10/20 04:32:57 1.18 +++ rc.shutdown 2001/10/20 17:09:04 
@@ -129,7 +129,7 @@ case ${ipfs_enable} in [Yy][Ee][Ss]) echo -n 'Saving IP Filter state tables:' - eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags} + ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} ;; esac Index: defaults/rc.conf =================================================================== RCS file: /home/freebsd/CVS/src/etc/defaults/rc.conf,v retrieving revision 1.130 diff -u -r1.130 rc.conf --- defaults/rc.conf 2001/10/20 04:33:02 1.130 +++ defaults/rc.conf 2001/10/20 17:00:49 @@ -61,8 +61,7 @@ natd_interface="fxp0" # Public interface or IPaddress to use. natd_flags="" # Additional flags for natd. ipfilter_enable="NO" # Set to YES to enable ipfilter functionality -ipfilter_program="/sbin/ipf -Fa -f" - # program and how to specify the rules file, +ipfilter_program="/sbin/ipf" # program and how to specify the rules file, # see /etc/rc.network (pass1) for details ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples @@ -70,7 +69,7 @@ # (i.e. compiled into the kernel) to # avoid a warning about "already initialized" ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too! -ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file +ipnat_program="/sbin/ipnat" # program and how to specify rules file ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat ipnat_flags="" # additional flags for ipnat ipfs_enable="NO" # Set to YES to enable saving and restoring Arjan -- Arjan de Vet, Eindhoven, The Netherlands <devet@devet.org> URL: http://www.iae.nl/users/devet/ <Arjan.deVet@adv.iae.nl> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
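Review bot: in the first rc.network hunk (@@ -75,25) the moved ipmon case now sits before the `if [ -r "${ipfilter_rules}" ]` test, so ipmon is started even when no rules file is readable (the else branch then sets ipfilter_enable="NO" with ipmon already running), and it runs directly after the "ipfilter kernel module failed to load" warning without checking that outcome. If the intent is only to have ipmon up before the rules are loaded, keep the case inside the if-block but ahead of the `${ipfilter_program:-/sbin/ipf} -Fa -f` line, or guard it on the module having loaded.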
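Review bot: in the second rc.network hunk (@@ -109,13) the relocated ipfs case follows the closing `esac` of the ipnat case, so `${ipfs_program:-/sbin/ipfs} -R` is attempted whenever ipfs_enable is YES, including with ipfilter_enable="NO"; the old placement was inside the ipfilter branch and behind the rules-readable test. Either nest it under a `case ${ipfilter_enable}` check or document that ipfs_enable requires ipfilter_enable. Dropping `eval` from the ipnat invocation is right: ipnat_flags no longer gets a second round of shell parsing.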
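Review bot: in the third rc.network hunk (@@ -279,12) both arms of the outer case end up running the identical `${ipfilter_program:-/sbin/ipf} -y`; one pattern matching when either ipfilter_enable or ipnat_enable is YES would remove the duplicated line and keep the two from drifting apart again. The inner arm also calls ipf -y with ipfilter_enable not set to YES, which is worth a comment if that is intended.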
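Review bot: in the rc.shutdown hunk (@@ -129,7) the `${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}` save is keyed on ipfs_enable alone, with no check that ipfilter is enabled, so a host with ipfs_enable="YES" and ipfilter_enable="NO" prints "Saving IP Filter state tables:" and then gets an error from ipfs. A guard matching whatever rc.network uses for the restore would keep save and restore in step. Removing `eval` here is fine for the same reason as in rc.network.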
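Review bot: in the first defaults/rc.conf hunk (@@ -61,8) the comment kept on the ipfilter_program line, "program and how to specify the rules file", is now wrong: the variable carries only the program path and `-Fa -f` is hard-coded in rc.network. Reword it to say the variable names the ipf binary only and point at ipfilter_flags for extra options, so nobody re-adds options that rc.network now supplies.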
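Review bot: in the second defaults/rc.conf hunk (@@ -70,7) the same stale comment remains on ipnat_program, "program and how to specify rules file": with `-CF -f` moved into rc.network the variable no longer says how the rules file is given. Update the comment and, since ipnat_flags is two lines below, direct users there for additional options.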
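The two shell pitfalls the message describes, the option hidden inside a `${var:-default}` value and the unnecessary `eval`, shown as an added example that is not part of the e-mail or of the FreeBSD patch. The rc.conf values are constructed to mirror the ones quoted above; `join_argv` is a stand-in for the ipf/ipfs binaries that only returns the argument list it would have been run with, so nothing is executed.

```sh
#!/bin/sh
# Added example, not part of the original e-mail or the FreeBSD patch.
# It reproduces the two shell pitfalls discussed in the message with
# constructed values; join_argv stands in for the ipf/ipfs binaries and
# just returns the command line they would have received.

# Join the arguments with single spaces, one argument per word, so the
# effect of expansion and word splitting can be compared as a string.
join_argv() {
    out=
    for arg in "$@"; do
        out="${out}${out:+ }${arg}"
    done
    printf '%s' "$out"
}

# Old rc.network style: the option lives inside the default value, so it
# is silently dropped as soon as rc.conf sets the variable to anything.
# $1 is the value of ipfilter_program from rc.conf ('' means unset).
old_style() {
    ipfilter_program=$1
    join_argv ${ipfilter_program:-/sbin/ipf -y}
}

# Style from the patch: the variable names only the program and the
# script supplies the option, so it survives any rc.conf setting.
new_style() {
    ipfilter_program=$1
    join_argv ${ipfilter_program:-/sbin/ipf} -y
}

# 'eval' gives the flags a second round of expansion: a value that is a
# literal string in rc.conf is re-parsed as shell code at run time.
demo=secret   # constructed variable standing in for anything in the rc environment

with_eval() {
    ipfs_flags=$1
    eval join_argv /sbin/ipfs -R ${ipfs_flags}
}

# Without eval the flags are split into words but never re-interpreted.
without_eval() {
    ipfs_flags=$1
    join_argv /sbin/ipfs -R ${ipfs_flags}
}

# Stand-alone demonstration of all four cases.
echo "old, unset: $(old_style '')"
echo "old, set:   $(old_style '/sbin/ipf -Fa -f')"
echo "new, set:   $(new_style '/sbin/ipf -Fa -f')"
echo "eval:       $(with_eval '$demo')"
echo "no eval:    $(without_eval '$demo')"
```

With ipfilter_program set to the old default of `/sbin/ipf -Fa -f`, the old style loses the `-y` entirely, which is exactly the resync call the message complains about; the new style keeps it. The eval pair shows why rc.conf values should never be passed through `eval`: the literal `$demo` in the flags is turned into the variable's contents at run time instead of being handed to the program as typed.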