From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 19 00:30:12 2007
Date: Tue, 19 Jun 2007 00:30:12 GMT
Message-Id: <200706190030.l5J0UCOs082451@freefall.freebsd.org>
To: freebsd-ipfw@FreeBSD.org
From: Sean McNeil
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it
List-Id: IPFW Technical Discussions

The following reply was made to PR conf/78762; it has been noted by GNATS.

From: Sean McNeil
To: bug-followup@FreeBSD.org, jonw@whoweb.com
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it
Date: Mon, 18 Jun 2007 17:05:45 -0700

This is a bad idea and has broken the new feature of rcNG allowing us to place options into /etc/rc.conf.d/ipfw and /etc/rc.conf.d/ip6fw. The commits to src/etc/rc.d/ipfw revision 1.15 and src/etc/rc.d/ip6fw revision 1.9 have now broken this basic concept.
IMHO, the correct thing is: Don't use exit in your firewall script. I offer 3 solutions, however, below.

What has been broken:

/etc/rc.conf.d/ipfw:

    firewall_enable="YES"
    firewall_type="/etc/fw/rc.firewall.rules"

/etc/rc.conf.d/ip6fw:

    ipv6_firewall_enable="YES"
    ipv6_firewall_type="/etc/fw/rc.firewall6.rules"

Now, this no longer works and I must once again pollute and move more stuff back into /etc/rc.conf. Namely,

    firewall_type="/etc/fw/rc.firewall.rules"
    ipv6_firewall_type="/etc/fw/rc.firewall6.rules"

must now be in /etc/rc.conf or /etc/rc.conf.local.

Solution:

1) Revert to sourcing the rc.firewall script.
2) Fix rc.firewall and rc.firewall6 to somehow get stuff from /etc/rc.conf.d as it should (as ipfw and ip6fw?).
3) Completely remove rc.conf.d support as more things fail to work with it.
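The shell mechanics behind this thread, as an added example that is not part of the mail above and not FreeBSD's own rc.d/ipfw code: a stand-in firewall script in a temporary directory is once sourced (the pre-1.15 behaviour) and once executed as a child shell (the post-1.15 behaviour). The script paths, the `load_conf` helper that mimics the rc.d framework reading /etc/rc.conf.d/ipfw, and the `export` workaround in `run_executed_exported` are all constructed for the demonstration. The security-relevant outcome is the quiet one: when executed, the script sees `firewall_type` as unset, so the rule file named in rc.conf.d is simply never loaded.

```shell
#!/bin/sh
# Added example, not code from the mail or from FreeBSD's rc.d/ipfw.
# Models the two behaviours under discussion with a stand-in firewall
# script in a temporary directory (paths and values are constructed):
#   - sourcing the script (". file") runs it in the caller's shell, so it
#     sees firewall_type loaded from rc.conf.d, but its "exit" also ends
#     the caller;
#   - executing it ("sh file") runs a child shell, which survives "exit"
#     but does not inherit unexported variables.

TMPD=$(mktemp -d)
RULES="$TMPD/rc.firewall"          # stand-in for /etc/rc.firewall
EXITING="$TMPD/rc.firewall.exit"   # same, but ends with "exit" as some user scripts do

# The stand-in only records which firewall_type it can see.
cat > "$RULES" <<'EOF'
echo "firewall_type=${firewall_type:-UNSET}" > "$OUT"
EOF

cat > "$EXITING" <<'EOF'
echo "rules loaded" > "$OUT"
exit 0
EOF

# Mimics load_rc_config reading /etc/rc.conf.d/ipfw: the variable is set
# in the current shell and, like other rc.conf variables, is not exported.
load_conf() {
    firewall_type="/etc/fw/rc.firewall.rules"
}

# Pre-1.15 behaviour: source the script. Prints what the script saw.
run_sourced() {
    ( load_conf; OUT="$TMPD/sourced"; export OUT; . "$RULES" )
    cat "$TMPD/sourced"
}

# Post-1.15 behaviour: execute the script in a child shell.
run_executed() {
    ( load_conf; OUT="$TMPD/executed"; export OUT; sh "$RULES" )
    cat "$TMPD/executed"
}

# One way to keep executing without the regression: export the rc.conf.d
# variables before running the script (an assumption of this example,
# not a FreeBSD fix).
run_executed_exported() {
    ( load_conf; export firewall_type; OUT="$TMPD/exported"; export OUT; sh "$RULES" )
    cat "$TMPD/exported"
}

# Why the PR wanted to execute: "exit" in a sourced script ends the caller,
# so nothing after the sourcing line runs. Prints the last line recorded.
after_sourced_exit() {
    ( OUT="$TMPD/s_exit"; export OUT; . "$EXITING"; echo "caller continued" >> "$OUT" )
    tail -n 1 "$TMPD/s_exit"
}

# Executed: the child's "exit" is harmless and the caller carries on.
after_executed_exit() {
    ( OUT="$TMPD/e_exit"; export OUT; sh "$EXITING"; echo "caller continued" >> "$OUT" )
    tail -n 1 "$TMPD/e_exit"
}

# Stand-alone run ("sh example.sh demo"): show all outcomes, then clean up.
if [ "${1:-}" = "demo" ]; then
    echo "sourced:             $(run_sourced)"
    echo "executed:            $(run_executed)"
    echo "executed + export:   $(run_executed_exported)"
    echo "after sourced exit:  $(after_sourced_exit)"
    echo "after executed exit: $(after_executed_exit)"
    rm -rf "$TMPD"
fi
```

Run it with `sh example.sh demo`. The first two lines of output show the regression the mail describes (the sourced run reports the rc.conf.d path, the executed run reports UNSET); the last two show the `exit` problem the PR was trying to solve, which is why the reply recommends simply not using `exit` in a script that is meant to be sourced.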