From owner-freebsd-rc@FreeBSD.ORG Mon Mar 12 11:08:34 2007
From: FreeBSD bugmaster
To: freebsd-rc@FreeBSD.org
Date: Mon, 12 Mar 2007 11:08:33 GMT
Message-Id: <200703121108.l2CB8XKH065181@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/48881   rc    [PATCH] The influence of /etc/start_ifname on /etc/rc.
o conf/98758   rc    [patch] Templatize 'jail_fstab' in /etc/rc.d/jail
o conf/98846   rc    [patch] Templatize 'jail_rootdir' in /etc/rc.d/jail
o bin/104623   rc    "rc.d/ppp restart" stops all instances of ppp
o conf/105689  rc    syslogd starts too late at boot
o conf/107155  rc    /etc/rc.d/ppp-user does not bring up pppoe at boot
o conf/107316  rc    [rc.d]: [base] [rpc.lockd] nfslocking restart does not
o conf/107364  rc    pf fails to start on bootup after system update from F
o conf/108226  rc    second copy of ppp started at boot time

9 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/45226   rc    Fix for rc.network, ppp-user annoyance
o conf/48870   rc    [PATCH] rc.network: allow to cancel interface status d
o conf/55916   rc    [PATCH] ppp-user options
o conf/58939   rc    [patch] dumb little hack for /etc/rc.firewall{,6}
o conf/73677   rc    [patch] add support for powernow states to power_profi
o conf/74817   rc    [patch] network.subr: fixed automatic configuration of
o conf/77663   rc    Suggestion: add /etc/rc.d/addnetswap after addcritremo
o conf/78906   rc    [patch] Allow mixer_enable="NO" in rc.conf
o conf/79196   rc    [PATCH] configurable dummynet loading from /etc/rc.co
o kern/81006   rc    ipnat not working with tunnel interfaces on startup
o conf/85363   rc    syntax error in /etc/rc.d/devfs
o conf/85819   rc    [patch] script allowing multiuser mode in spite of fsc
o conf/88913   rc    [patch] wrapper support for rc.subr
o conf/89061   rc    [patch] IPv6 6to4 auto-configuration enhancement
o conf/89870   rc    [patch] feature request to make netif verbose rc.conf
o conf/92523   rc    [patch] allow rc scripts to kill process after a timeo
o conf/93815   rc    [patch] Adds in the ability to save ipfw rules to rc.d
o conf/95162   rc    [patch] Missing feature in rc.subr
o conf/96343   rc    [patch] rc.d order change to start inet6 before pf
o conf/99444   rc    [patch] Enhancement: rc.subr could easily support star
o conf/99595   rc    [PATCH] /etc/rc.d/dhclient doesn't interact well with
o conf/99721   rc    [patch] /etc/rc.initdiskless problem copy dotfile in s
o conf/102700  rc    [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d s
o conf/102722  rc    kerberos5 server startupscript should use --detach
o conf/102913  rc    /etc/rc.d/named killall in jailed OS
o conf/103486  rc    [rc.d][patch][chroot named] rc.d/jail: mount fstab aft
o conf/103489  rc    [rc.d] [patch] named_chroot_autoupdate doesn't work in
o conf/103976  rc    rc.d/named restart failure
o conf/104408  rc    command not set in rc.d/isdnd, can't stop isdnd with t
o conf/104549  rc    [patch] rc.d/nfsd needs special _find_processes functi
o conf/105145  rc    [PATCH] add redial function to rc.d/ppp
o conf/105568  rc    [patch] Add more flexibility to rc.conf, to choose "_e
o conf/106009  rc    [patch] Fix pppoed startup script to process multiply
o conf/106873  rc    [patch] rc.d/nfslocking does not properly restart

34 problems total.


From owner-freebsd-rc@FreeBSD.ORG Sat Mar 17 23:50:11 2007
Message-ID: <45FC7EAE.803@FreeBSD.org>
Date: Sat, 17 Mar 2007 16:50:06 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (Windows/20070116)
To: Mark Andrews
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org>
In-Reply-To: <200703171210.l2HCAD63046801@drugs.dv.isc.org>
Cc: freebsd-net@freebsd.org, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)

[ Re-locating this thread from -stable. ]

Mark Andrews wrote:
>> On Saturday 17 March 2007 03:58, Mark Andrews wrote:
>>
>>>>> nothing goes to this machine because by default everything is blocked
>>>>> until
>>>>>
>>>>> you permit it
>>>> You're absolutely correct, however your original post seems to have
>>>> taken many of us by surprise, causing some of us (at least me!) to
>>>> assume that you've changed the default method to allow. I'm obviously
>>>> misunderstanding, so I apologise for that, but I hope you can see the
>>>> reasoning behind my comments with what I knew at the time. :)
>>> ipfw needs to be before networking or router discovery
>>> fails for IPv6.
>>>
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/108589
>>>
>>
>> as default any network connection will fail so long as you do not permit it
>>
>> If rtsol fails or is called too early it is an rtsol problem and not an ipfw
>> problem I guess
>>
>> named and ipfw before netif?
>
> ip6fw is before networking. ipfw is supposed to be taking
> over from ip6fw. ipfw and ip6fw should be started at a
> similar time.
>
> rtsol is approximately the equivalent of DHCP. The machine is
> requesting an address from the network. It doesn't matter if
> it is a router or a DHCP server that is supplying the address.
>
> DHCP only works because it bypasses the firewall.

Mark,

Currently the order (with some non-networking items removed) is:

/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/sppp
/etc/rc.d/auto_linklocal
/etc/rc.d/pccard
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/ipfw
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

ipfilter starts very early in the "late" section of rcorder; it requires
mountcritlocal (the default early_late_divider) and has a BEFORE: netif.

Currently ip6fw actually starts after routing (and therefore after netif).
Before we move it I think someone who knows more about how rtsol works than
I do should comment. AFAICT, network_ipv6 is going to need routing up. If
ip6fw's functionality is going to be subsumed into ipfw, then changing ipfw
to run before netif now, and nuking ip6fw later, is probably sufficient.

If it's reasonable to conclude that we want all the firewalls to start
before netif, I see two ways to accomplish that. One would be to have netif
REQUIRE ipfilter, pf, and ipfw. In some ways I think this is cleaner, but
netif already has a pretty long REQUIRE line. The other way would be to add
a new FIREWALLS placeholder for the REQUIREs I'm suggesting above, and then
have netif REQUIRE that.

If, on the other hand, there is some reason NOT to start all the firewalls
before netif, then things get more complicated. :)

The attached patch changes the rcorder to the following:

/etc/rc.d/sppp
/etc/rc.d/ipfw
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/auto_linklocal
/etc/rc.d/serial
/etc/rc.d/netif
/etc/rc.d/ip6addrctl
/etc/rc.d/atm2
/etc/rc.d/isdnd
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ip6fw
/etc/rc.d/network_ipv6
/etc/rc.d/ipsec
/etc/rc.d/nsswitch
/etc/rc.d/mroute6d
/etc/rc.d/route6d
/etc/rc.d/mrouted
/etc/rc.d/routed
/etc/rc.d/NETWORKING

Thoughts?

Doug

-- 
This .signature sanitized for your protection

Attachment: rc-firewalls.diff

Index: ip6fw =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ip6fw,v retrieving revision 1.8 diff -u -r1.8 ip6fw --- ip6fw 31 Dec 2006 10:37:18 -0000 1.8 +++ ip6fw 17 Mar 2007 21:28:18 -0000 @@ -5,7 +5,6 @@ # PROVIDE: ip6fw # REQUIRE: routing -# BEFORE: network_ipv6 # KEYWORD: nojail . /etc/rc.subr Index: ipfilter =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipfilter,v retrieving revision 1.26 diff -u -r1.26 ipfilter --- ipfilter 31 Dec 2006 10:37:18 -0000 1.26 +++ ipfilter 17 Mar 2007 21:15:21 -0000 @@ -6,7 +6,6 @@ # PROVIDE: ipfilter # REQUIRE: root mountcritlocal -# BEFORE: netif # KEYWORD: nojail . /etc/rc.subr Index: ipfs =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipfs,v retrieving revision 1.6 diff -u -r1.6 ipfs --- ipfs 7 Oct 2004 13:55:26 -0000 1.6 +++ ipfs 17 Mar 2007 21:15:43 -0000
@@ -6,7 +6,6 @@ # PROVIDE: ipfs # REQUIRE: ipnat -# BEFORE: netif # KEYWORD: nojail shutdown . /etc/rc.subr Index: ipfw =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipfw,v retrieving revision 1.14 diff -u -r1.14 ipfw --- ipfw 31 Dec 2006 10:37:18 -0000 1.14 +++ ipfw 17 Mar 2007 21:31:21 -0000 @@ -4,8 +4,7 @@ # # PROVIDE: ipfw -# REQUIRE: ppp -# BEFORE: NETWORKING +# REQUIRE: root mountcritlocal # KEYWORD: nojail . /etc/rc.subr Index: ipnat =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/ipnat,v retrieving revision 1.15 diff -u -r1.15 ipnat --- ipnat 31 Dec 2006 10:37:18 -0000 1.15 +++ ipnat 17 Mar 2007 21:15:29 -0000 @@ -6,7 +6,6 @@ # PROVIDE: ipnat # REQUIRE: ipfilter -# BEFORE: DAEMON netif # KEYWORD: nojail . /etc/rc.subr Index: netif =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/netif,v retrieving revision 1.22 diff -u -r1.22 netif --- netif 9 Feb 2007 12:11:26 -0000 1.22 +++ netif 17 Mar 2007 23:04:21 -0000 @@ -26,7 +26,8 @@ # # PROVIDE: netif -# REQUIRE: atm1 ipfilter mountcritlocal serial sppp sysctl +# REQUIRE: atm1 mountcritlocal serial sppp sysctl +# REQUIRE: ipfilter ipfs pf ipfw # KEYWORD: nojail . /etc/rc.subr Index: network_ipv6 =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/network_ipv6,v retrieving revision 1.37 diff -u -r1.37 network_ipv6 --- network_ipv6 7 Oct 2004 13:55:26 -0000 1.37 +++ network_ipv6 17 Mar 2007 21:20:18 -0000 @@ -29,7 +29,7 @@ # # PROVIDE: network_ipv6 -# REQUIRE: routing +# REQUIRE: routing ip6fw # KEYWORD: nojail . /etc/rc.subr Index: pf =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/pf,v retrieving revision 1.14 diff -u -r1.14 pf --- pf 31 Dec 2006 10:37:18 -0000 1.14 +++ pf 17 Mar 2007 21:18:13 -0000 
@@ -4,8 +4,7 @@ # # PROVIDE: pf -# REQUIRE: root mountcritlocal netif pflog pfsync -# BEFORE: routing +# REQUIRE: root mountcritlocal pflog pfsync # KEYWORD: nojail . /etc/rc.subr Index: pflog =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/pflog,v retrieving revision 1.10 diff -u -r1.10 pflog --- pflog 31 Dec 2006 10:37:18 -0000 1.10 +++ pflog 17 Mar 2007 21:18:21 -0000 @@ -4,7 +4,7 @@ # # PROVIDE: pflog -# REQUIRE: root mountcritlocal netif cleanvar +# REQUIRE: root mountcritlocal cleanvar # KEYWORD: nojail . /etc/rc.subr Index: pfsync =================================================================== RCS file: /usr/local/ncvs/src/etc/rc.d/pfsync,v retrieving revision 1.2 diff -u -r1.2 pfsync --- pfsync 31 Dec 2006 10:37:18 -0000 1.2 +++ pfsync 17 Mar 2007 21:18:33 -0000 @@ -4,7 +4,7 @@ # # PROVIDE: pfsync -# REQUIRE: root mountcritlocal netif +# REQUIRE: root mountcritlocal # KEYWORD: nojail . /etc/rc.subr --------------090805060704060603060007--
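Review bot: the ipfw hunk replaces `# REQUIRE: ppp` and `# BEFORE: NETWORKING` with `# REQUIRE: root mountcritlocal` but adds no BEFORE line of its own, so ipfw ends up ahead of netif only because the netif hunk adds `# REQUIRE: ipfilter ipfs pf ipfw`; the two hunks must land in the same commit, and a comment above that second REQUIRE line in netif naming it as the firewall list would spare the next reader a trip through four other scripts. The commit message should also say that ipfw loses its explicit ordering after ppp, since the current rcorder output in the message has /etc/rc.d/ppp ahead of /etc/rc.d/ipfw.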
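Review bot: the pf hunk drops netif from `# REQUIRE: root mountcritlocal netif pflog pfsync` along with `# BEFORE: routing`, and the pflog and pfsync hunks drop netif too, so all three now run before any interface has an address. pfctl expands a rule set when it loads it, so rules written against an interface's configured addresses (the unparenthesised `ifname` and `ifname:network` forms) or against hostnames will be expanded against unconfigured interfaces; the message asks whether there is a reason not to start the firewalls before netif, and this is one to settle before committing, for example by documenting that such rules need the parenthesised dynamic form.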
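Review bot: the ipnat hunk removes `# BEFORE: DAEMON netif` whole, and nothing in the patch replaces the DAEMON half; netif-before ordering is now carried only indirectly, via netif requiring ipfs, which requires ipnat, which requires ipfilter. The DAEMON constraint is still implied because DAEMON follows NETWORKING, which follows netif, but a chain this indirect deserves a sentence in the commit message, or the FIREWALLS placeholder the message floats, so that a later edit to ipfs does not silently reorder ipnat.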
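Review bot: the ip6fw and network_ipv6 hunks only move one constraint from `# BEFORE: network_ipv6` in ip6fw to `# REQUIRE: routing ip6fw` in network_ipv6; the resulting order is identical and ip6fw still runs after routing, so Mark's request that ipfw and ip6fw start at a similar time is not addressed by this patch. Either say so in the commit message or leave these two hunks out until the rtsol question raised in the message is settled, so the commit does one thing.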
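An added illustration, not part of the thread and not FreeBSD's rcorder(8): a minimal sorter applying the REQUIRE/BEFORE semantics the patch relies on, run over stub headers constructed from the '-' and '+' lines above, so the effect of dropping `BEFORE: netif` in the firewall scripts and adding the firewalls to netif's REQUIRE can be checked. The routing, ppp and NETWORKING dependencies in the stubs are assumptions, not quoted from the page, and KEYWORD handling is omitted.

```python
"""Tiny rcorder(8)-style sorter (added illustration, not FreeBSD's rcorder: no
KEYWORD handling, no warnings). Stub headers are constructed from this thread."""
import re
from graphlib import TopologicalSorter

def rc_order(scripts):
    """scripts: {file: header text} -> files in start order. REQUIRE x puts the
    providers of x first; BEFORE x puts this file ahead of them; unprovided names are ignored."""
    pat = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)
    kws = {f: {"PROVIDE": [], "REQUIRE": [], "BEFORE": []} for f in scripts}
    providers = {}
    for f, text in scripts.items():
        for m in pat.finditer(text):
            kws[f][m.group(1)].extend(m.group(2).split())
        for p in kws[f]["PROVIDE"]:
            providers.setdefault(p, set()).add(f)
    ts = TopologicalSorter()
    for f, kw in kws.items():
        ts.add(f, *[d for r in kw["REQUIRE"] for d in providers.get(r, ())])
        for b in kw["BEFORE"]:
            for later in providers.get(b, ()):
                ts.add(later, f)          # f must precede every provider of b
    return list(ts.static_order())

def stub(provide, require="", before=""):
    """A header in the shape of /etc/rc.d/* (constructed)."""
    return f"# PROVIDE: {provide}\n# REQUIRE: {require}\n# BEFORE: {before}\n"

# Headers before rc-firewalls.diff ('-' lines and the rcorder output quoted above); entries
# marked constructed are assumptions about scripts whose headers the thread does not show.
BEFORE_PATCH = {
    "ipfilter": stub("ipfilter", "root mountcritlocal", "netif"),
    "netif": stub("netif", "ipfilter mountcritlocal"),
    "routing": stub("routing", "netif"),                # constructed
    "ppp": stub("ppp", "netif"),                        # constructed
    "pf": stub("pf", "root mountcritlocal netif", "routing"),
    "ipfw": stub("ipfw", "ppp", "NETWORKING"),
    "NETWORKING": stub("NETWORKING", "netif routing"),  # constructed
}
# The same scripts after the '+' lines: firewalls drop BEFORE: netif, netif REQUIREs them.
AFTER_PATCH = dict(BEFORE_PATCH,
    ipfilter=stub("ipfilter", "root mountcritlocal"),
    netif=stub("netif", "mountcritlocal ipfilter ipfs pf ipfw"),
    pf=stub("pf", "root mountcritlocal"),
    ipfw=stub("ipfw", "root mountcritlocal"),
)

def starts_before(scripts, a, b):
    order = rc_order(scripts)
    return order.index(a) < order.index(b)
```

Running `starts_before(AFTER_PATCH, "ipfw", "netif")` on these stubs shows the post-patch order placing every firewall ahead of netif, while `rc_order` on `BEFORE_PATCH` reproduces ipfw landing after ppp and netif as in the message.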