From owner-freebsd-rc@FreeBSD.ORG Sun Mar 18 00:02:51 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0BE3C16A403 for ; Sun, 18 Mar 2007 00:02:51 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.freebsd.org (Postfix) with SMTP id CB2A813C48A for ; Sun, 18 Mar 2007 00:02:50 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 18152 invoked by uid 399); 18 Mar 2007 00:02:50 -0000
Received: from localhost (HELO ?192.168.0.4?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 18 Mar 2007 00:02:50 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <45FC81A6.906@FreeBSD.org>
Date: Sat, 17 Mar 2007 17:02:46 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (Windows/20070116)
MIME-Version: 1.0
To: freebsd-rc@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Ok to cvs rm rc.d/bootconf.sh?
X-BeenThere: freebsd-rc@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion related to /etc/rc.d design and implementation."
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 18 Mar 2007 00:02:51 -0000

bootconf.sh is still in src/etc/rc.d, although it's not hooked up. Any objections to deleting it?

Doug

-- 

This .signature sanitized for your protection

From owner-freebsd-rc@FreeBSD.ORG Sun Mar 18 00:30:37 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 5016816A401 for ; Sun, 18 Mar 2007 00:30:37 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.freebsd.org (Postfix) with SMTP id 0579B13C469 for ; Sun, 18 Mar 2007 00:30:36 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 5642 invoked by uid 399); 18 Mar 2007 00:30:36 -0000
Received: from localhost (HELO ?192.168.0.4?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 18 Mar 2007 00:30:36 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <45FC8829.7000206@FreeBSD.org>
Date: Sat, 17 Mar 2007 17:30:33 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (Windows/20070116)
MIME-Version: 1.0
To: freebsd-rc@freebsd.org
Content-Type: multipart/mixed; boundary="------------050607040402050700090108"
Subject: rc.d/resolv currently not being run under certain circumstances
X-List-Received-Date: Sun, 18 Mar 2007 00:30:37 -0000

This is a multi-part message in MIME format.
--------------050607040402050700090108
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Due to the fact that scripts which are ordered before early_late_divider in the second run are not executed (see rc), if a script gets reordered into the early phase as a result of including the local startups, it won't be run at all. On at least one of my systems that's happening to resolv (in both HEAD and RELENG_6). It goes from close to last in rcorder (after securelevel) to absolutely first after you include the local startups I have (nothing exciting, just a few ports).

Currently resolv is a little thin in terms of ordering hints. It contains only PROVIDE and KEYWORD, and nothing REQUIREs it. Can someone who knows what this script is for (brooks?) add either a REQUIRE in or for resolv, or both? The CVS logs seem to indicate that it's related to diskless booting, so I don't want to touch it if I don't have to. :)

FWIW, I use the attached patch to rc to debug this problem.

-- 

This .signature sanitized for your protection

--------------050607040402050700090108
Content-Type: text/plain; name="rc-debug.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="rc-debug.diff"

--- /etc/rc Sat May 6 21:00:23 2006
+++ rc Sat Mar 17 16:45:13 2007
@@ -85,8 +47,12 @@ # files=`rcorder ${skip} /etc/rc.d/* 2>/dev/null` +# XXX +rm -f rc.early* rc.late + for _rc_elem in ${files}; do - run_rc_script ${_rc_elem} ${_boot} + #run_rc_script ${_rc_elem} ${_boot} + echo $_rc_elem >> rc.early1 case "$_rc_elem" in */${early_late_divider}) break ;; 
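Review bot: `rm -f rc.early* rc.late` and the `>> rc.early1` redirection use bare relative names, and `run_rc_script ${_rc_elem} ${_boot}` is commented out, so this copy of /etc/rc has to stay a throwaway debugging aid: installed as /etc/rc it would create and delete files in init's working directory (the root directory) and start none of the early scripts. Pointing the scratch files at an explicit location, e.g. `debug_dir=/var/tmp/rc-debug` and `>> ${debug_dir}/rc.early1`, and leaving `run_rc_script` active behind a variable would let the instrumentation stay in place safely; the `# XXX` marker should at least state that the patch is not meant for a bootable rc. The hunk header `@@ -85,8 +47,12 @@` also shows the patched file is 38 lines shorter than /etc/rc before this point, so the diff was taken against a locally modified rc and applies to a stock one only with offset or fuzz. The unquoted `echo $_rc_elem` is harmless because rcorder prints one path per line.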
@@ -107,15 +73,21 @@ _skip_early=1 for _rc_elem in ${files}; do case "$_skip_early" in - 1) case "$_rc_elem" in + 1) + echo $_rc_elem >> rc.early2 + case "$_rc_elem" in */${early_late_divider}) _skip_early=0 ;; esac continue ;; esac - run_rc_script ${_rc_elem} ${_boot} + echo $_rc_elem >> rc.late + + #run_rc_script ${_rc_elem} ${_boot} done + +diff -u rc.early* echo '' date
--------------050607040402050700090108--

From owner-freebsd-rc@FreeBSD.ORG Sun Mar 18 01:07:46 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id DD10D16A400 for ; Sun, 18 Mar 2007 01:07:46 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.230]) by mx1.freebsd.org (Postfix) with ESMTP id 9B63413C458 for ; Sun, 18 Mar 2007 01:07:46 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: by wr-out-0506.google.com with SMTP id 36so982958wra for ; Sat, 17 Mar 2007 18:07:46 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=jHDTobsw7KCjnUj2tHIPFBcvECWUSGa7/5+fzSGx9AKmGQBSDpTAdzoKPkSFKGjSfaZeuvK/rsFgub4OksclHQ/1cUaPE8/uBbHqAW13U/p/nI/wSW8UHTMu4KExlqGtiFTLGl5S2zAndrywpyWnR/xivzwjLEVGgyOXtmyG5oQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=ZApIbLyshT+Gc1azcPHBptwytD1sPDzIEF6fcBrH7NCh7F72Ecw7n7XGijA7T1Mu87PHTP2ztxYDnk4fvGmlDy9wg7ZfWLPlBjbJ3TqrvW4R4nUt3RtmjDrbhUvLCHgbXic0JDhvF/ziAcOoPTxxC0odKiNrYTL3ZLQkSRk0aNo=
Received: by 10.65.137.5 with SMTP id p5mr4723729qbn.1174180065798; Sat, 17 Mar 2007 18:07:45 -0700 (PDT)
Received: from
?10.0.1.8? ( [65.102.150.189]) by mx.google.com with ESMTP id 23sm5308672nzn.2007.03.17.18.07.43; Sat, 17 Mar 2007 18:07:44 -0700 (PDT)
Message-ID: <45FC90CE.3020605@gmail.com>
Date: Sat, 17 Mar 2007 18:07:26 -0700
From: Kian Mohageri
User-Agent: Thunderbird 1.5.0.9 (X11/20070103)
MIME-Version: 1.0
To: Doug Barton
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org>
In-Reply-To: <45FC7EAE.803@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Mark Andrews , freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Sun, 18 Mar 2007 01:07:46 -0000

Doug Barton wrote:
>
> If it's reasonable to conclude that we want all the firewalls to start
> before netif, I see two ways to accomplish that. One would be to have
> netif REQUIRE ipfilter, pf, and ipfw. In some ways I think this is
> cleaner, but netif already has a pretty long REQUIRE line. The other
> way would be to add a new FIREWALLS placeholder for the REQUIREs I'm
> suggesting above, and then have netif REQUIRE that.
>
> If on the other hand, there is some reason NOT to start all the
> firewalls before netif, then things get more complicated. :)
>

I definitely think that firewalls should be started as early as possible, for obvious reasons.

I can't speak for ipfw, but removing the REQUIRE: netif for pf might break some setups where the ruleset references a cloned interface that netif creates. Correct me if I'm wrong?

Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would solve that problem, at least for pf. The idea has been discussed a few times before but I didn't see it go anywhere.

http://lists.freebsd.org/pipermail/freebsd-pf/2007-February/003041.html

I'd love to see the rcorder for the firewalls get worked out!
:)

Kian

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 00:13:59 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 0F83D16A402 for ; Mon, 19 Mar 2007 00:13:59 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.freebsd.org (Postfix) with SMTP id BC93113C44B for ; Mon, 19 Mar 2007 00:13:58 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 16264 invoked by uid 399); 19 Mar 2007 00:13:58 -0000
Received: from localhost (HELO ?192.168.0.4?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 19 Mar 2007 00:13:58 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <45FDD5C3.1070305@FreeBSD.org>
Date: Sun, 18 Mar 2007 17:13:55 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (Windows/20070116)
MIME-Version: 1.0
To: Kian Mohageri
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com>
In-Reply-To: <45FC90CE.3020605@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Mark Andrews , freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Mon, 19 Mar 2007 00:13:59 -0000

Kian Mohageri wrote:

> I can't speak for ipfw, but removing the
> REQUIRE: netif for pf might break some setups where the ruleset
> references a cloned interface that netif creates. Correct me if I'm wrong?
>
> Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
> solve that problem, at least for pf. The idea has been discussed a few
> times before but I didn't see it go anywhere.

That's because no one who uses pf (and therefore cares sufficiently about the issue) has stepped up to do the work. Q.E.D.

I don't know pf from a hole in the ground, and I'm not going to develop and commit a fundamentally different way of doing things for it that I can't test, and therefore will have no confidence that it's been done correctly.

That said, if the issues of needing to resolve hostnames and set up rules for cloned interfaces are a universal problem (and it seems that they are) then perhaps rather than customizing a solution for pf it might be worthwhile to have a more generic "firewalls_late" script that performs the appropriate actions regardless of what firewalls are enabled. That way we could add just one rc.d script, and using the new functionality would be opt-in.
Off the top of my head I envision something like:

if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
	# do stuff specific to ipfw
fi
if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
	...

Comments? That's something that I would feel comfortable developing and committing, since it would be opt-in, and others more knowledgeable than I could jump in and run with it for a while before we considered MFC'ing it (if doing that would be appropriate at all, and I'm not sure that it would be).

OTOH, perhaps if we just move everything (and therefore break things in the manner you described) it will motivate someone to do the work. :)

Doug

-- 

This .signature sanitized for your protection

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 02:17:08 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 3A44716A403 for ; Mon, 19 Mar 2007 02:17:08 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.233]) by mx1.freebsd.org (Postfix) with ESMTP id C424413C4AD for ; Mon, 19 Mar 2007 02:17:07 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: by wx-out-0506.google.com with SMTP id s18so1076101wxc for ; Sun, 18 Mar 2007 19:17:07 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=svjNtEdiOgDNyGEfO50+dcTNSX6OMlwwhD9LMzOXJ2OJrEoYebB5mRDmxD9Jz+va2ZBe7ykjCeyyTABgZXaBjMBozxSKEvAukaS1JvnFN5U5wv0n5R7WoUJuJmhHt5CtVLAXf06U+Is0PhRgL+vvPi4Q0ARbDJPa+XUwt3/X550=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding;
b=GAK4XKU6FquMYkZQYYhqG007oqBUKymnw4r0wQditRkWJhEP8hvlpcHYBw549jD9rZLIgpte0dzUGOIHjjRPIffLDi0SIG83/0T5mJyRwjbAft5Zz2WWgDtHu/7SCfa2v3Q0GWf/+yJ8N0exJMCWwXGJPUNabx5NUmRRQilIB5A=
Received: by 10.70.66.18 with SMTP id o18mr7609735wxa.1174270627007; Sun, 18 Mar 2007 19:17:07 -0700 (PDT)
Received: from ?10.1.1.53? ( [71.227.220.29]) by mx.google.com with ESMTP id h20sm8008088wxd.2007.03.18.19.17.04; Sun, 18 Mar 2007 19:17:05 -0700 (PDT)
Message-ID: <45FDF284.3040008@gmail.com>
Date: Sun, 18 Mar 2007 19:16:36 -0700
From: Kian Mohageri
User-Agent: Thunderbird 1.5.0.9 (X11/20070103)
MIME-Version: 1.0
To: Doug Barton
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org>
In-Reply-To: <45FDD5C3.1070305@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Mark Andrews , freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Mon, 19 Mar 2007 02:17:08 -0000

Doug Barton wrote:
> That said, if the issues of needing to resolve hostnames and set up
> rules for cloned interfaces are a universal problem (and it seems that
> they are) then perhaps rather than customizing a solution for pf it
> might be worthwhile to have a more generic "firewalls_late" script that
> performs the appropriate actions regardless of what firewalls are
> enabled. That way we could add just one rc.d script, and using the new
> functionality would be opt-in. Off the top of my head I envision
> something like:
>
> if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
> 	# do stuff specific to ipfw
> fi
> if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
> 	...

I agree VERY MUCH with this sort of approach. It would be a much cleaner solution than completely separate handling of all of these different problems. I'm trying to get an idea of what all of the major problems with the current order are, and these are the ones I'm aware of:

- ipfw blocks by default (names unresolvable, rtsol breaks)
- ipf/pf pass by default (services are unprotected)

I think a firewall_boot script (similar to what you've proposed) could potentially solve all of these problems.
If the user chose to enable it, it would do something like this:

- load modules for pf/ipfw/ipf (whichever are enabled in rc.conf)
- load firewall-specific minimal rulesets for enabled firewall(s)

It would start BEFORE routing/netif, protecting services, but it would allow things like rtsol and name resolution to work.

To elaborate a bit on your ideas, firewall_boot might do something like this:

...
if checkyesno firewall_enable && [ -f "$firewall_boot_script" ]; then
	# load ipfw and minimal ruleset
fi
if checkyesno pf_enable && [ -f "$pf_boot_rules" ]; then
	# pf and minimal ruleset
fi
if checkyesno ipfilter_enable && [ -f "$ipfilter_boot_rules" ]; then
	# ipfilter and minimal ruleset
fi
...

The tiny default boot rulesets would be in /etc/defaults/ and of course the user could override the location if they wanted to use their own early ruleset.

The actual firewall scripts could then come up after the network, so cloned interfaces have been created, names can be resolved, etc. and the real rulesets should load without any problems.

Does that sound reasonable?

-Kian

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 04:39:11 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F2C4916A4D4 for ; Mon, 19 Mar 2007 04:39:10 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.freebsd.org (Postfix) with SMTP id A709C13C487 for ; Mon, 19 Mar 2007 04:39:10 +0000 (UTC) (envelope-from dougb@FreeBSD.org)
Received: (qmail 30862 invoked by uid 399); 19 Mar 2007 04:39:05 -0000
Received: from localhost (HELO ?192.168.0.4?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 19 Mar 2007 04:39:05 -0000
X-Originating-IP: 127.0.0.1
Message-ID: <45FE13E5.9060902@FreeBSD.org>
Date: Sun, 18 Mar 2007 21:39:01 -0700
From: Doug Barton
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0b2 (Windows/20070116)
MIME-Version: 1.0
To: Kian Mohageri
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com>
In-Reply-To: <45FDF284.3040008@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Mark Andrews , freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Mon, 19 Mar 2007 04:39:11 -0000

Kian Mohageri wrote:

> I agree VERY MUCH with this sort of approach. It would be a much
> cleaner solution than completely separate handling of all of these
> different problems. I'm trying to get an idea of what all of the major
> problems with the current order are, and these are the ones I'm aware of:
>
> - ipfw blocks by default (names unresolvable, rtsol breaks)
> - ipf/pf pass by default (services are unprotected)
>
> I think a firewall_boot script (similar to what you've proposed) could
> potentially solve all of these problems.

I'm glad that you like the idea in principle, however I'm sorry to say that I don't see eye to eye with your suggestion of modifying the early behavior instead of the late behavior.

I believe (for whatever that's worth) that firewalls (and firewall rules) _should_ be loaded prior to the interfaces coming up. If someone wants to have dynamic rules, rules that rely on name resolution, or rules for non-physical (e.g., cloned) interfaces, that's fine, but IMO those are the exception, not the rule.
Furthermore (and I'm betraying a prejudice here) I think that firewall rules that rely on name resolution are absolutely nuts, and I say that with many years of experience as a professional DNS and system administrator.

Therefore I believe strongly that the default behavior should be changed to load all firewalls (and rules) before netif, and that those who want to do firewall-related things that require netif or routing to be up should be the ones who have to opt in to the new script. That said, I think you and I have expressed our opinions pretty clearly on these points, so I'd suggest that we let someone else have a turn.

Doug

-- 

This .signature sanitized for your protection

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 06:46:18 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4698F16A404 for ; Mon, 19 Mar 2007 06:46:18 +0000 (UTC) (envelope-from mmakonnen@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.172]) by mx1.freebsd.org (Postfix) with ESMTP id CE35113C4AE for ; Mon, 19 Mar 2007 06:46:17 +0000 (UTC) (envelope-from mmakonnen@gmail.com)
Received: by ug-out-1314.google.com with SMTP id 71so1210494ugh for ; Sun, 18 Mar 2007 23:46:16 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=aE1CQHrRQhaalMYpJLGf+qxeCug3QNsAP47OYghl30jzt9ssrsXjYJhOUP7LPelyNdG1aJRCcAmZaj90TzoAUaw5dS4G5/+GUn/FgNWLaFmgLGIjnSM0+ql7xQ/eRYC+rYVW+UOiOdsHiVItEuEv20avrA3f5VMm0HzcaUOXaPY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
b=pE2DpvW82QrADYJVxcFPmjMYbUnckL3f8ED100199D90ocfvarbgEZ+0t3HGRise2OMFraMrMnHAjnwPAVuRUcqphFG+NvIDIvJlDY4WtP2qiy2Uxv+7/kCltH6K8+lQyzhmaO+ftTnhqgIx8p+8bmAAsrX74PO3M0FFYoe3Zq8=
Received: by 10.65.151.6 with SMTP id d6mr6999503qbo.1174285116779; Sun, 18 Mar 2007 23:18:36 -0700 (PDT)
Received: by 10.114.106.15 with HTTP; Sun, 18 Mar 2007 23:18:36 -0700 (PDT)
Message-ID: <584bfc3f0703182318v31f8f5d0lee04af618809b3ef@mail.gmail.com>
Date: Mon, 19 Mar 2007 09:18:36 +0300
From: "Mike Telahun Makonnen"
To: "Doug Barton"
In-Reply-To: <45FE13E5.9060902@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org>
Cc: freebsd-net@freebsd.org, freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Mon, 19 Mar 2007 06:46:18 -0000

Hi guys,

Long time no see :P

I don't have anything to say directly about this issue (other than that I'm leaning towards Doug's reasoning on this) but I'm working on a patch to integrate IPv6 handling into rc.d/netif, which might indirectly have a bearing on this discussion. I'm currently testing the patch. I'll post it to the list as soon as I'm fairly certain it doesn't break anything too much.

In my patch, IPv6 is configured in rc.d/netif right after IPv4. In general terms it goes something like this:

o General net configuration (cloning, renaming, etc)
o General pre-IPv6 configuration
o Get list of all interfaces
o For each interface:
  - Configure IPv4
  - Configure IPv6
  - Static configuration
  - rtsol
  - aliases
o General post-IPv6 configuration

I think that up until now the separation of general interface configuration and IPv6 configuration has complicated the ordering of routing and firewall scripts. Hopefully, the patch will remove some of those complications. I'll get back to you with the patch in the next couple of days.

Cheers,
Mike.

On 3/19/07, Doug Barton wrote:
> Kian Mohageri wrote:
>
> > I agree VERY MUCH with this sort of approach.
> > It would be a much
> > cleaner solution than completely separate handling of all of these
> > different problems. I'm trying to get an idea of what all of the major
> > problems with the current order are, and these are the ones I'm aware of:
> >
> > - ipfw blocks by default (names unresolvable, rtsol breaks)
> > - ipf/pf pass by default (services are unprotected)
> >
> > I think a firewall_boot script (similar to what you've proposed) could
> > potentially solve all of these problems.
>
> I'm glad that you like the idea in principle, however I'm sorry to say
> that I don't see eye to eye with your suggestion of modifying the
> early behavior instead of the late behavior.
>
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If
> someone wants to have dynamic rules, rules that rely on name
> resolution, or rules for non-physical (e.g., cloned) interfaces,
> that's fine, but IMO those are the exception, not the rule.
> Furthermore (and I'm betraying a prejudice here) I think that firewall
> rules that rely on name resolution are absolutely nuts, and I say that
> with many years of experience as a professional DNS and system
> administrator.
>
> Therefore I believe strongly that the default behavior should be
> changed to load all firewalls (and rules) before netif, and that those
> who want to do firewall-related things that require netif or routing
> to be up should be the ones who have to opt in to the new script. That
> said, I think you and I have expressed our opinions pretty clearly on
> these points, so I'd suggest that we let someone else have a turn.
>
> Doug
>
> --
>
> This .signature sanitized for your protection
> _______________________________________________
> freebsd-rc@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-rc
> To unsubscribe, send any mail to "freebsd-rc-unsubscribe@freebsd.org"
>

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 07:20:21 2007
Return-Path:
X-Original-To: freebsd-rc@freebsd.org
Delivered-To: freebsd-rc@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D413016A403 for ; Mon, 19 Mar 2007 07:20:21 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.232]) by mx1.freebsd.org (Postfix) with ESMTP id 6C32413C4C9 for ; Mon, 19 Mar 2007 07:20:21 +0000 (UTC) (envelope-from kian.mohageri@gmail.com)
Received: by wx-out-0506.google.com with SMTP id s18so1120238wxc for ; Mon, 19 Mar 2007 00:20:20 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=qabMT7H9+zRsAaCoAJJ4IcBjVHX87lXaP09r0Z21A45+7fchFfn5eyBPPOf4Mew6oZpXVI4R96Kukjbd2wJoX2nXpJlESCmy6y4fhiEg/cyPuGdXEQBLQ0Hg88Be3iu/WddKVI3J5JvSXGYe1f+yXZBleCInvWLfMG8YKuNSKkc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:user-agent:mime-version:to:cc:subject:references:in-reply-to:content-type:content-transfer-encoding; b=XP4vEPkxk/51fD4U1oc0NObok3qd4mwvi12sG8Kcb7LnHv1F00aj7dsnEW1k6ds2tw+akon9qk6PqCCkmfPlxU586kWBw+HLkIlApZmB8TvZUNW3X8USEJE8nHeoAvaGWjeHPBgEnMEBG40o/EeXoPhA4MiMTfMe4qZprN6ZSTE=
Received: by 10.70.69.2 with SMTP id r2mr7948107wxa.1174288820856; Mon, 19 Mar 2007 00:20:20 -0700 (PDT)
Received: from ?10.1.1.53?
( [71.227.220.29]) by mx.google.com with ESMTP id h17sm8380779wxd.2007.03.19.00.20.19; Mon, 19 Mar 2007 00:20:19 -0700 (PDT)
Message-ID: <45FE39AE.4070407@gmail.com>
Date: Mon, 19 Mar 2007 00:20:14 -0700
From: Kian Mohageri
User-Agent: Thunderbird 1.5.0.9 (X11/20070103)
MIME-Version: 1.0
To: Doug Barton
References: <200703171210.l2HCAD63046801@drugs.dv.isc.org> <45FC7EAE.803@FreeBSD.org> <45FC90CE.3020605@gmail.com> <45FDD5C3.1070305@FreeBSD.org> <45FDF284.3040008@gmail.com> <45FE13E5.9060902@FreeBSD.org>
In-Reply-To: <45FE13E5.9060902@FreeBSD.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org, Mark Andrews , freebsd-rc@freebsd.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Mon, 19 Mar 2007 07:20:21 -0000

Doug Barton wrote:
> I believe (for whatever that's worth) that firewalls (and firewall
> rules) _should_ be loaded prior to the interfaces coming up. If someone
> wants to have dynamic rules, rules that rely on name resolution, or
> rules for non-physical (e.g., cloned) interfaces, that's fine, but IMO
> those are the exception, not the rule. Furthermore (and I'm betraying a
> prejudice here) I think that firewall rules that rely on name resolution
> are absolutely nuts, and I say that with many years of experience as a
> professional DNS and system administrator.
>

Agreed. FQDNs in a ruleset are a pretty stupid idea. I guess I also agree with the reasoning that changing the common case as little as possible is good.

> Therefore I believe strongly that the default behavior should be changed
> to load all firewalls (and rules) before netif, and that those who want
> to do firewall-related things that require netif or routing to be up
> should be the ones who have to opt in to the new script. That said, I
> think you and I have expressed our opinions pretty clearly on these
> points, so I'd suggest that we let someone else have a turn.
After re-reading your original idea, I think I understand a little better what you mean to do. For clarification, are you proposing that the [early] firewall scripts do nothing if firewall_late_enable=YES, and then have all firewalling taken care of later in the boot process (i.e. post-networking) by firewall_late? I think I might have misunderstood your original proposal :)

-Kian

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 08:45:19 2007
Return-Path:
X-Original-To: freebsd-rc@FreeBSD.org
Delivered-To: freebsd-rc@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id F293216A401; Mon, 19 Mar 2007 08:45:18 +0000 (UTC) (envelope-from Mark_Andrews@isc.org)
Received: from mx.isc.org (mx.isc.org [204.152.184.167]) by mx1.freebsd.org (Postfix) with ESMTP id D7D1513C457; Mon, 19 Mar 2007 08:45:18 +0000 (UTC) (envelope-from Mark_Andrews@isc.org)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.isc.org (Postfix) with ESMTP id B86AF11401C; Mon, 19 Mar 2007 07:55:54 +0000 (UTC) (envelope-from Mark_Andrews@isc.org)
Received: from drugs.dv.isc.org (localhost.isc.org [IPv6:::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (verified OK)) by farside.isc.org (Postfix) with ESMTP id 2293FE60D9; Mon, 19 Mar 2007 07:55:53 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.13.8/8.13.8) with ESMTP id l2J7tnIB001548; Mon, 19 Mar 2007 18:55:50 +1100 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <200703190755.l2J7tnIB001548@drugs.dv.isc.org>
To: Doug Barton
From: Mark Andrews
In-reply-to: Your message of "Sun, 18 Mar 2007 21:39:01 PDT." <45FE13E5.9060902@FreeBSD.org>
Date: Mon, 19 Mar 2007 18:55:49 +1100
Sender: Mark_Andrews@isc.org
Cc: freebsd-net@FreeBSD.org, freebsd-rc@FreeBSD.org
Subject: Re: rc.order wrong (ipfw)
X-List-Received-Date: Mon, 19 Mar 2007 08:45:19 -0000

> Therefore I believe strongly that the default behavior should be
> changed to load all firewalls (and rules) before netif, and that those
> who want to do firewall-related things that require netif or routing
> to be up should be the ones who have to opt in to the new script. That
> said, I think you and I have expressed our opinions pretty clearly on
> these points, so I'd suggest that we let someone else have a turn.
>
> Doug

I concur with Doug.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 11:08:38 2007
Return-Path:
X-Original-To: freebsd-rc@FreeBSD.org
Delivered-To: freebsd-rc@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2A7FF16A404 for ; Mon, 19 Mar 2007 11:08:38 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40]) by mx1.freebsd.org (Postfix) with ESMTP id 110A413C459 for ; Mon, 19 Mar 2007 11:08:38 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org)
Received: from freefall.freebsd.org (linimon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l2JB8bZc055557 for ; Mon, 19 Mar 2007 11:08:37 GMT (envelope-from owner-bugmaster@FreeBSD.org)
Received: (from linimon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id
l2JB8aHc055553 for freebsd-rc@FreeBSD.org; Mon, 19 Mar 2007 11:08:36 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 19 Mar 2007 11:08:36 GMT Message-Id: <200703191108.l2JB8aHc055553@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: linimon set sender to owner-bugmaster@FreeBSD.org using -f 
From: FreeBSD bugmaster
To: freebsd-rc@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/48881   rc    [PATCH] The influence of /etc/start_ifname on /etc/rc.
o conf/98758   rc    [patch] Templatize 'jail_fstab' in /etc/rc.d/jail
o conf/98846   rc    [patch] Templatize 'jail_rootdir' in /etc/rc.d/jail
o bin/104623   rc    "rc.d/ppp restart" stops all instances of ppp
o conf/105689  rc    syslogd starts too late at boot
o conf/107155  rc    /etc/rc.d/ppp-user does not bring up pppoe at boot
o conf/107316  rc    [rc.d]: [base] [rpc.lockd] nfslocking restart does not
o conf/107364  rc    pf fails to start on bootup after system update from F
o conf/108226  rc    second copy of ppp started at boot time

9 problems total.

Non-critical problems

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o conf/45226   rc    Fix for rc.network, ppp-user annoyance
o conf/48870   rc    [PATCH] rc.network: allow to cancel interface status d
o conf/55916   rc    [PATCH] ppp-user options
o conf/58939   rc    [patch] dumb little hack for /etc/rc.firewall{,6}
o conf/73677   rc    [patch] add support for powernow states to power_profi
o conf/74817   rc    [patch] network.subr: fixed automatic configuration of
o conf/77663   rc    Suggestion: add /etc/rc.d/addnetswap after addcritremo
o conf/78906   rc    [patch] Allow mixer_enable="NO" in rc.conf
o conf/79196   rc    [PATCH] configurable dummynet loading from /etc/rc.co
o kern/81006   rc    ipnat not working with tunnel interfaces on startup
o conf/85363   rc    syntax error in /etc/rc.d/devfs
o conf/85819   rc    [patch] script allowing multiuser mode in spite of fsc
o conf/88913   rc    [patch] wrapper support for rc.subr
o conf/89061   rc    [patch] IPv6 6to4 auto-configuration enhancement
o conf/89870   rc    [patch] feature request to make netif verbose rc.conf
o conf/92523   rc    [patch] allow rc scripts to kill process after a timeo
o conf/93815   rc    [patch] Adds in the ability to save ipfw rules to rc.d
o conf/95162   rc    [patch] Missing feature in rc.subr
o conf/96343   rc    [patch] rc.d order change to start inet6 before pf
o conf/99444   rc    [patch] Enhancement: rc.subr could easily support star
o conf/99595   rc    [PATCH] /etc/rc.d/dhclient doesn't interact well with
o conf/99721   rc    [patch] /etc/rc.initdiskless problem copy dotfile in s
o conf/102700  rc    [PATCH] Add encrypted /tmp support to GELI/GBDE rc.d s
o conf/102722  rc    kerberos5 server startupscript should use --detach
o conf/102913  rc    /etc/rc.d/named killall in jailed OS
o conf/103486  rc    [rc.d][patch][chroot named] rc.d/jail: mount fstab aft
o conf/103489  rc    [rc.d] [patch] named_chroot_autoupdate doesn't work in
o conf/103976  rc    rc.d/named restart failure
o conf/104408  rc    command not set in rc.d/isdnd, can't stop isdnd with t
o conf/104549  rc    [patch] rc.d/nfsd needs special _find_processes functi
o conf/105145  rc    [PATCH] add redial function to rc.d/ppp
o conf/105568  rc    [patch] Add more flexibility to rc.conf, to choose "_e
o conf/106009  rc    [patch] Fix pppoed startup script to process multiply
o conf/106873  rc    [patch] rc.d/nfslocking does not properly restart

34 problems total.

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 17:03:50 2007
Message-ID: <45FEC26E.40504@FreeBSD.org>
Date: Mon, 19 Mar 2007 10:03:42 -0700
From: Doug Barton
To: Kian Mohageri
Cc: freebsd-net@freebsd.org, Mark Andrews, freebsd-rc@freebsd.org
In-Reply-To: <45FE39AE.4070407@gmail.com>
Subject: Re: rc.order wrong (ipfw)

Kian Mohageri wrote:
> After re-reading your original idea, I think I understand a little
> better what you mean to do. For clarification, are you proposing that
> the [early] firewall scripts do nothing if firewall_late_enable=YES, and
> then have all firewalling taken care of later in the boot process (i.e.
> post-networking) by firewall_late?
>
> I think I might have misunderstood your original proposal. :)

I think so too. :)

To be clear, what I'm suggesting is that we move ipfw and pf to a spot in the rcorder that is ahead of netif, along with ipfilter which is already there. I am not suggesting that we change their functionality, just the ordering.

As a completely separate thing (although they could be done at the same time) I am suggesting _adding_ a new script for "late" firewall rules (where "late" is defined as after netif) so that people who want to do firewall-related things that require netif (like cloned interfaces, FQDN rules, etc.) will have a standard way to accomplish that.

Thanks for the opportunity to clarify,

Doug

--
This .signature sanitized for your protection

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 17:11:00 2007
Message-ID: <45FEC421.9000802@FreeBSD.org>
Date: Mon, 19 Mar 2007 10:10:57 -0700
From: Doug Barton
To: Mike Telahun Makonnen
Cc: freebsd-rc@freebsd.org
In-Reply-To: <584bfc3f0703182318v31f8f5d0lee04af618809b3ef@mail.gmail.com>
Subject: Re: rc.order wrong (ipfw)

Mike Telahun Makonnen wrote:
> Hi guys,
>
> Long time no see :P

He's alive! Glad to hear from you Mike, and glad that you didn't fall completely off the face of the earth. :)

Doug

--
This .signature sanitized for your protection

From owner-freebsd-rc@FreeBSD.ORG Mon Mar 19 20:34:46 2007
From: David Gilbert
To: Doug Barton
Cc: freebsd-net@freebsd.org, Mark Andrews, freebsd-rc@freebsd.org
Message-ID: <17918.61124.353668.804988@canoe.dclg.ca>
Date: Mon, 19 Mar 2007 15:12:52 -0500
In-Reply-To: <45FE13E5.9060902@FreeBSD.org>
Subject: Re: rc.order wrong (ipfw)

>>>>> "Doug" == Doug Barton writes:

Doug> Kian Mohageri wrote:
>> I agree VERY MUCH with this sort of approach. It would be a much
>> cleaner solution than completely separate handling of all of these
>> different problems. I'm trying to get an idea of what all of the
>> major problems with the current order are, and these are the ones
>> I'm aware of:
>>
>> - ipfw blocks by default (names unresolvable, rtsol breaks)
>> - ipf/pf pass by default (services are unprotected)
>>
>> I think a firewall_boot script (similar to what you've proposed)
>> could potentially solve all of these problems.

Doug> exception, not the rule. Furthermore (and I'm betraying a
Doug> prejudice here) I think that firewall rules that rely on name
Doug> resolution are absolutely nuts, and I say that with many years
Doug> of experience as a professional DNS and system administrator.

I think you're misreading the above. The poster is saying that because ipfw's default behaviour is block, loading it at the wrong time can break other startup items because they require name resolution or the sending of packets (rtsol).

Dave.

--
============================================================================
|David Gilbert, Independent Contractor.       | Two things can be          |
|Mail:       dave@daveg.ca                    |  equal if and only if they |
|http://daveg.ca                              |  are precisely opposite.   |
=========================================================GLO================

From owner-freebsd-rc@FreeBSD.ORG Tue Mar 20 15:27:02 2007
From: "Sergey Baturov"
To: freebsd-rc@freebsd.org
Date: Tue, 20 Mar 2007 18:10:33 +0300
Message-Id: <20070320151033.A9CF756@gracer.toor.org.ru>
Subject: mountcritlocal and mountlate issue

Hi, all!

I've found a small non-critical issue in /etc/rc.d/mountcritlocal and /etc/rc.d/mountlate scripts. The issue is the same:

	mount -a ...
	echo '.'

	case $? in
	0)
		;;
	*)
		...

There is no situation when 'case' would have a value other than '0', because 'echo' is executed just before the 'case' and the last command's exit status will almost always be zero. And the user will never see the error message in the '*' case.

Is this correct?

P.S. Please 'CC' me, I'm not a list member.

BR,
Sergey Baturov

From owner-freebsd-rc@FreeBSD.ORG Tue Mar 20 15:45:36 2007
Date: Tue, 20 Mar 2007 10:45:33 -0500
From: Brooks Davis
To: Sergey Baturov
Cc: freebsd-rc@freebsd.org
Message-ID: <20070320154533.GA34961@lor.one-eyed-alien.net>
In-Reply-To: <20070320151033.A9CF756@gracer.toor.org.ru>
Subject: Re: mountcritlocal and mountlate issue

On Tue, Mar 20, 2007 at 06:10:33PM +0300, Sergey Baturov wrote:
> Hi, all!
>
> I've found a small non-critical issue in /etc/rc.d/mountcritlocal
> and /etc/rc.d/mountlate scripts. The issue is the same:
>
> mount -a ...
> echo '.'
>
> case $? in
> 0)
> ;;
> *)
> ...
>
> There is no situation when 'case' would have a value other than '0'
> because 'echo' is executed just before the 'case' and the last command
> exit status will almost always be zero. And the user will never see
> the error message in the '*' case.
>
> Is this correct?

Yes, this is a common mistake. I think the easiest solution is probably to save $? after the mount call and refer to the saved value. That, and replacing the case with an if statement, since test will do the job just fine.

-- Brooks

From owner-freebsd-rc@FreeBSD.ORG Tue Mar 20 19:20:21 2007
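The clobbered-$? bug Sergey reports and the fix Brooks suggests, shown side by side as an added shell example. This is not code from the thread or from the FreeBSD rc.d scripts: fake_mount is a constructed stand-in for `mount -a` (it fails when told to and never touches a filesystem), and the "Mounting failed" message is constructed wording, not the scripts' own.

```shell
#!/bin/sh
# Added example: why "echo '.'" between a command and "case $? in" hides
# the command's failure, and the fix of saving $? immediately.

# Constructed stand-in for "mount -a" (hypothetical, for this example only):
# exits 1 when its first argument is "fail", 0 otherwise.
fake_mount() {
    if [ "$1" = "fail" ]; then
        echo "fake_mount: simulated mount failure" >&2
        return 1
    fi
    return 0
}

# Pattern as reported in the thread: by the time "case" runs, $? holds the
# exit status of "echo '.'" (always 0), so the '*' branch is unreachable.
mount_check_buggy() {
    fake_mount "$1"
    echo '.'
    case $? in
    0)
        return 0
        ;;
    *)
        echo "Mounting failed" >&2        # constructed message; never reached
        return 1
        ;;
    esac
}

# Fixed pattern (Brooks' suggestion): capture $? before any other command
# runs, then test the saved value with "if"/test instead of "case".
mount_check_fixed() {
    fake_mount "$1"
    err=$?                                # save the status right away
    echo '.'
    if [ "$err" -ne 0 ]; then
        echo "Mounting failed" >&2        # constructed message
        return 1
    fi
    return 0
}

# Stand-alone demo: the buggy pattern reports success although the
# (simulated) mount failed; the fixed pattern catches it.
if mount_check_buggy fail 2>/dev/null; then
    echo "buggy pattern: failure went unnoticed"
fi
if ! mount_check_fixed fail 2>/dev/null; then
    echo "fixed pattern: failure reported"
fi
```

The same rule applies to anything that runs between the command and the test, not only echo: a second command, a variable assignment via command substitution, or a function call will all overwrite $?, so either test the command directly in the `if` or save its status on the very next line.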
From: Sergey Baturov
To: Brooks Davis
Cc: freebsd-rc@freebsd.org
Date: Tue, 20 Mar 2007 21:50:16 +0300
In-Reply-To: <20070320154533.GA34961@lor.one-eyed-alien.net>
Message-Id: <200703202150.23347.sergey@toor.org.ru>
Subject: Re: mountcritlocal and mountlate issue

On Tue March 20 2007 18:45, Brooks Davis wrote:
> On Tue, Mar 20, 2007 at 06:10:33PM +0300, Sergey Baturov wrote:
> > Hi, all!
> >
> > I've found a small non-critical issue in /etc/rc.d/mountcritlocal
> > and /etc/rc.d/mountlate scripts. The issue is the same:
> >
> > mount -a ...
> > echo '.'
> >
> > case $? in
> > 0)
> > ;;
> > *)
> > ...
> >
> > There is no situation when 'case' would have a value other than '0'
> > because 'echo' is executed just before the 'case' and the last command
> > exit status will almost always be zero. And the user will never see
> > the error message in the '*' case.
> >
> > Is this correct?
>
> Yes, this is a common mistake. I think the easiest solution is
> probably to save $? after the mount call and refer to the saved value.
> That and replacing the case with an if statement since test will do the
> job just fine.
>
> -- Brooks

Will this mistake be fixed in -current and/or -stable? I guess it is useful to show the error message to the user. :-)

--
Sergey Baturov

From owner-freebsd-rc@FreeBSD.ORG Fri Mar 23 10:19:58 2007
Date: Fri, 23 Mar 2007 12:52:06 +0300
From: Mike Makonnen
To: Alexander Shikoff
Cc: freebsd-rc@freebsd.org
Message-ID: <20070323095206.GA2749@rogue.navcom.lan>
In-Reply-To: <20070227133824.GA49950@crete.org.ua>
Subject: Re: rc.subr in 6.2 RELEASE

On Tue, Feb 27, 2007 at 03:38:24PM +0200, Alexander Shikoff wrote:
> Hello,
>
> I guess my issue is more related to this mailing list rather than to
> SpamAssassin one.
>
> I use SpamAssassin built from ports tree on 6.2-RELEASE box.
> When debug is enabled via adding --debug flag to spamd_flags in rc.conf
> then rcNG script does not stop process:
>
> # /usr/local/etc/rc.d/sa-spamd stop
> spamd not running? (check /var/run/spamd/spamd.pid).
>
> But:
> # cat /var/run/spamd/spamd.pid
> 98080
> # ps axww|grep spamd
> 98080 ?? Ss 0:02,24 /usr/local/bin/perl5.8.8 -T -w /usr/local/bin/spamd --siteconfigpath=/usr/local/etc/mail/spamassassin -x -d -l --max-conn-per-child=128 --timeout-tcp=10 --timeout-child=300 --pidfile=/var/run/spamd/spamd.pid --syslog=local0 --username=spamd --groupname=spamd --allowed-ips=127.0.0.0/8 --listen-ip=127.0.0.1 --debug=received-header,bayes -d -r /var/run/spamd/spamd.pid
>
> If --debug flag is disabled then output of ps axww turned into:
> # ps axww|grep spamd
> 8483 ?? Ss 0:00,50 /usr/local/bin/spamd --siteconfigpath=/usr/local/etc/mail/spamassassin -x -d -l --max-conn-per-child=128 --timeout-tcp=10 --timeout-child=300 --pidfile=/var/run/spamd/spamd.pid --syslog=local0 --username=spamd --groupname=spamd --allowed-ips=127.0.0.0/8 --listen-ip=127.0.0.1 -d -r /var/run/spamd/spamd.pid (perl5.8.8)
>
> and rcNG script works perfectly.
>
> My question: is there a way to make rcNG script work in first case?
> Thanks.

I don't know if you solved the problem already, but here's why it doesn't work when the debug flag is enabled. Note the output of ps(1) in both cases:

	without debug flag: /usr/local/bin/spamd ...
	with debug flag   : /usr/local/bin/perl5.8.8 -T -w /usr/local/bin/spamd ..

When debugging is enabled spamd is run as an interpreted program, which means that _find_processes() in rc.subr(8) will not find it because it is NOT looking for an interpreted program. I would suggest enabling debugging with an rc.conf knob and then doing something like the following in the rc script:

	if checkyesno spamd_debug_enable; then
		command_interpreter=/usr/local/bin/perl
		spamd_flags="${spamd_flags} --debug"
	fi

Cheers.

--
Mike Makonnen          | GPG-KEY: http://people.freebsd.org/~mtm/mtm.asc
mmakonnen@gmail.com    | AC7B 5672 2D11 F4D0 EBF8 5279 5359 2B82 7CD4 1F55
mtm@FreeBSD.Org        | FreeBSD - Unleash the Daemon !
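To make Mike's explanation concrete, here is an added example that models the two ways an rc.d script can match its process: by argv[0] for a plain daemon, or by interpreter plus script path once command_interpreter is set. It is not rc.subr code and not from the thread: find_procs, PS_SAMPLE and the third sample line (pid 1234) are constructed for this example, the two spamd lines are trimmed from the ps(1) output quoted above, and the real _find_processes() in rc.subr(8) additionally reads the script's #! line, which is how a command_interpreter of /usr/local/bin/perl still lines up with a perl5.8.8 process.

```shell
#!/bin/sh
# Added example: a simplified model of rc.subr's two process-matching modes,
# run over a constructed "pid command" listing. Not the real _find_processes().

# Constructed ps listing (pid, then the command line). Lines 1 and 2 are
# trimmed from the thread's ps output; line 3 is an unrelated perl script.
PS_SAMPLE='98080 /usr/local/bin/perl5.8.8 -T -w /usr/local/bin/spamd -x -d -l --debug=received-header,bayes -d -r /var/run/spamd/spamd.pid
8483 /usr/local/bin/spamd -x -d -l -d -r /var/run/spamd/spamd.pid (perl5.8.8)
1234 /usr/bin/perl /home/user/other.pl'

# find_procs PROCNAME INTERPRETER
#   INTERPRETER is "." for a plain daemon (the same sentinel rc.subr uses).
#   Prints the pid of every matching command line, one per line.
find_procs() {
    procname=$1
    interp=$2
    procbn=${procname##*/}
    interpbn=${interp##*/}
    printf '%s\n' "$PS_SAMPLE" | while read -r pid arg0 rest; do
        if [ "$interp" = "." ]; then
            # Plain daemon: argv[0] must be the command path or its basename.
            # A perl-wrapped spamd has argv[0] = perl5.8.8, so it never matches.
            case "$arg0" in
            "$procname"|"$procbn")
                echo "$pid"
                ;;
            esac
        else
            # Interpreted program: argv[0] is the interpreter (perl, perl5.8.8,
            # ...) and the first non-option word after it must be the script.
            case "${arg0##*/}" in
            "$interpbn"*) ;;
            *) continue ;;
            esac
            script=
            for w in $rest; do
                case "$w" in
                -*) ;;
                *)
                    script=$w
                    break
                    ;;
                esac
            done
            if [ "$script" = "$procname" ]; then
                echo "$pid"
            fi
        fi
    done
}

# Stand-alone demo: the same spamd binary is found in one mode or the other,
# never both, which is why "stop" reported "spamd not running?" with --debug.
echo "plain daemon lookup:      $(find_procs /usr/local/bin/spamd . | tr '\n' ' ')"
echo "with command_interpreter: $(find_procs /usr/local/bin/spamd /usr/local/bin/perl | tr '\n' ' ')"
```

The practical consequence for anyone maintaining an rc.d script is the one Mike draws: a knob that changes how the daemon is launched (wrapping it in an interpreter, a debugger, or a supervisor) must also switch the matching mode, otherwise `stop` and `status` silently look for the wrong argv[0] and the service is left running.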