Date:      Sun,  1 Apr 2001 17:12:12 -0400 (EDT)
From:      thomas+freebsd@stromberg.org
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   conf/26275: IPFilter doesn't load module if ipfilter_enable is in rc.conf
Message-ID:  <20010401211212.208831936E@zhukov.chaotical.ly>


>Number:         26275
>Category:       conf
>Synopsis:       ipfilter_enable in rc.conf does not load kld
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 01 14:20:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Stromberg
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Research Triangle Commerce, Inc. (ICC.net)
>Environment:
System: FreeBSD zhukov.chaotical.ly 5.0-CURRENT FreeBSD 5.0-CURRENT #3: Mon Mar 26 17:13:07 EST 2001 helix@zhukov.chaotical.ly:/usr/obj/usr/src/sys/GEORGI i386
FreeBSD grouper.aquarium.rtci.com 4.3-BETA FreeBSD 4.3-BETA #1: Thu Mar 15 18:09:40 EST 2001 tstromberg@grouper.aquarium.rtci.com:/usr/obj/usr/src/sys/GROUPER  i386
FreeBSD localhost 4.3-RC FreeBSD 4.3-RC #0: Thu Mar 29 22:51:39 CEST 2001 root@localhost:/usr/obj/usr/src/sys/GENERIC  i386
FreeBSD crackwhore.slush.ca 4.3-RC FreeBSD 4.3-RC #0: Sun Apr  1 14:34:52 MDT 2001     root@moo.powersurfr.com:/usr/src/sys/compile/booger2  i386

>Description:

ipfilter_enable and ipnat_enable in rc.conf are next to useless, because:

1) ipfilter_enable will only work if it's built into the kernel. Unlike
ipfw, it will not test to see if it's loaded, and load its kernel module. This
definitely breaks 'principle of least surprise'.

2) ipnat_enable will only work if /etc/ipf.rules exists. This assumption
does not work very well for people who are just setting up a basic NAT, and
don't need to (yet) set up any firewalling.

This is definitely a big support problem on the IRC channels. The patch
included fixes both of these problems. I'd love to see this committed for
4.3-RELEASE, to save on all the confusion we have in #FreeBSDhelp.

>How-To-Repeat:
	set ipfilter_enable="YES" in /etc/rc.conf. Reboot. Run kldstat, you
will see that the ipl module is not loaded. Even if you do have it in your
kernel, ipnat will not enable without ipf.rules.

>Fix:

This patch applies cleanly to 4.3-RC and 5.0-CURRENT.

--- /usr/src/etc/rc.network	Tue Mar 20 17:52:05 2001
+++ rc.network	Sun Apr  1 16:15:04 2001
@@ -62,10 +62,30 @@
 	#
 	case "${ipfilter_enable}" in
 	[Yy][Ee][Ss])
-		if [ -r "${ipfilter_rules}" ]; then
-			echo -n ' ipfilter';
-			${ipfilter_program:-/sbin/ipf -Fa -f} \
-			    "${ipfilter_rules}" ${ipfilter_flags}
+		# Some hackery to get just the bare program name.
+		ipfilter_binary=`echo ${ipfilter_program} | cut -d" " -f1`
+
+		if ${ipfilter_binary} -Z > /dev/null 2>&1; then
+			ipf_loaded=1
+		else
+			if kldload ipl > /dev/null; then
+				ipf_loaded=1
+				echo 'IPFilter module loaded'
+			else
+				echo 'Warning: IPFilter kernel module failed to load'
+			fi
+		fi
+
+		if [ ${ipf_loaded} ]; then
+			if [ -r "${ipfilter_rules}" ]; then
+				echo -n ' ipfilter';
+				${ipfilter_program:-/sbin/ipf -Fa -f} \
+				    "${ipfilter_rules}" ${ipfilter_flags}
+			else
+				ipfilter_enable="NO"
+				echo -n ' NO IPF RULES'
+			fi
+
 			case "${ipmon_enable}" in
 			[Yy][Ee][Ss])
 				echo -n ' ipmon'
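Review bot: the probe on `ipfilter_binary` is derived from `${ipfilter_program}` with no default, while the invocation a few lines below still guards with `${ipfilter_program:-/sbin/ipf -Fa -f}`; if the variable is unset, `cut` yields an empty string, the test becomes a bare `-Z`, it fails, and the script falls through to `kldload ipl`, which on a kernel with IPFilter compiled in fails too and lands in the "failed to load" warning with `ipf_loaded` unset, so filtering is never configured. Apply the same default when deriving the name, e.g. `ipfilter_binary=${ipfilter_program:-/sbin/ipf -Fa -f}` followed by `ipfilter_binary=${ipfilter_binary%% *}`, which also drops the `echo | cut` subshell. Two smaller points in the same block: `ipf -Z` zeroes the packet counters as a side effect of being used as a presence test, so a read-only flag would be the safer probe, and `kldload ipl > /dev/null` silences only stdout whereas the `ipf` probe silences both streams, so the kldload error text will still appear on the console before the script's own warning; initialising `ipf_loaded=0` before the test and checking it with `-eq 1` would also make the later `[ ${ipf_loaded} ]` robust under `set -u`.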
@@ -83,9 +103,6 @@
 				fi
 				;;
 			esac
-		else
-			ipfilter_enable="NO"
-			echo -n ' NO IPF RULES'
 		fi
 		;;
 	esac
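Review bot: the removed `else` branch set `ipfilter_enable="NO"` whenever filtering could not be configured, and the new no-rules branch in the first hunk keeps that convention, but the kldload-failure path does not: after printing the warning it leaves `ipfilter_enable` at YES and skips the ipmon block, so anything later in the rc scripts that consults `${ipfilter_enable}` sees filtering as active on a host where the module never loaded. Set `ipfilter_enable="NO"` in that failure branch as well so both "not configured" outcomes leave the variable in the same state.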
>Release-Note:
>Audit-Trail:
>Unformatted:
