Date: Sat, 20 Oct 2001 22:23:03 +0200 From: devet@devet.org (Arjan de Vet) To: darrenr@freebsd.org Cc: cvs-all@freebsd.org Subject: Re: cvs commit: src/etc rc.network rc.shutdown src/etc/defaults rc.conf src/etc/mtree BSD.var.dist Message-ID: <20011020222303.A35085@adv.devet.org> In-Reply-To: <20011020183537.A33620@adv.devet.org> References: <200110200433.f9K4XCc52779@freefall.freebsd.org>
>Hmm... with these default settings from defaults/rc.conf:
>
> ipfilter_program="/sbin/ipf -Fa -f"
> ipfs_flags=""
> ipfs_program="/sbin/ipfs"
>
>these kind of expressions in /etc/rc.network:
>
> ${ipfilter_program:-/sbin/ipf -y}
> ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}
>
>will evaluate to:
>
> /sbin/ipf -Fa -f
> /sbin/ipfs
>
>and that's not what is intended in these cases I think.
>
>Furthermore I see these kind of expressions for ipfilter-related stuff
>preceded by 'eval' a lot. That seems unnecessary to me.
>
>Let me see if I can cleanup and test this stuff this weekend, the
>ipfilter_program and ipnat_program variables for example are the only
>*_program variables in defaults/rc.conf to have options included :-(.
Here's a patch which should solve the problems mentioned. I'm not
running current at the moment, so I have not been able to test this; I
want to port it to -stable and test it there tomorrow.
The patch also starts ipmon before loading the filter rules (and not
after loading filter rules as was previously the case). Furthermore
loading of the state table is done after loading filter/nat rules (and
not only after loading filter rules as was previously the case).
Index: rc.network
===================================================================
RCS file: /home/freebsd/CVS/src/etc/rc.network,v
retrieving revision 1.109
diff -u -r1.109 rc.network
--- rc.network 2001/10/20 04:46:32 1.109
+++ rc.network 2001/10/20 20:18:31
@@ -75,25 +75,16 @@
echo "Warning: ipfilter kernel module failed to load."
fi
+ case "${ipmon_enable}" in
+ [Yy][Ee][Ss])
+ echo -n ' ipmon'
+ ${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
+ ;;
+ esac
if [ -r "${ipfilter_rules}" ]; then
echo -n ' ipfilter';
- ${ipfilter_program:-/sbin/ipf -Fa -f} \
+ ${ipfilter_program:-/sbin/ipf} -Fa -f \
"${ipfilter_rules}" ${ipfilter_flags}
- case "${ipmon_enable}" in
- [Yy][Ee][Ss])
- echo -n ' ipmon'
- ${ipmon_program:-/sbin/ipmon} ${ipmon_flags}
- ;;
- esac
- case "${ipfs_enable}" in
- [Yy][Ee][Ss])
- if [ -r "/var/db/ipf/ipstate.ipf" ]; then
- echo -n ' ipfs';
- eval ${ipfs_program:-/sbin/ipfs -R} \
- ${ipfs_flags}
- fi
- ;;
- esac
else
ipfilter_enable="NO"
echo -n ' NO IPF RULES'
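Review bot: The new line `${ipfilter_program:-/sbin/ipf} -Fa -f "${ipfilter_rules}" ${ipfilter_flags}` silently changes the contract of ipfilter_program, and an /etc/rc.conf override written against the previous default (`ipfilter_program="/sbin/ipf -Fa -f"`) is not detected: the command becomes `/sbin/ipf -Fa -f -Fa -f /etc/ipf.rules`, where `-f` sees `-Fa` as a file name, and since the script never checks ipf's exit status the rule set flushed by `-Fa` may be left empty or only partially loaded with nothing more than a console message, which on a kernel without a default-block policy passes all traffic. The same hazard applies to ipnat_program in the @@ -109 hunk, to the two `-y` lines in the @@ -279 hunk and to ipfs_program in the rc.shutdown hunk. At minimum the load should fail loudly, e.g. `"${ipfilter_rules}" ${ipfilter_flags} || echo -n ' (ipfilter rule load FAILED)'`, and the new variable semantics should be called out so stale overrides get fixed. Starting ipmon ahead of the rules is the right order for audit coverage, but its exit status is also unchecked, so a failed logger start goes unnoticed while the rules are still loaded. The enclosing case on ipfilter_enable begins outside this hunk.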
@@ -109,13 +100,22 @@
fi
if [ -r "${ipnat_rules}" ]; then
echo -n ' ipnat';
- eval ${ipnat_program:-/sbin/ipnat -CF -f} \
- "${ipnat_rules}" ${ipnat_flags}
+ ${ipnat_program:-/sbin/ipnat} -CF -f \
+ "${ipnat_rules}" ${ipnat_flags}
else
echo -n ' NO IPNAT RULES'
fi
;;
esac
+ case "${ipfs_enable}" in
+ [Yy][Ee][Ss])
+ if [ -r "/var/db/ipf/ipstate.ipf" ]; then
+ echo -n ' ipfs';
+ ${ipfs_program:-/sbin/ipfs} -R \
+ ${ipfs_flags}
+ fi
+ ;;
+ esac
# Set the domainname if we're using NIS
#
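Review bot: The ipfs restore added after the `esac` on line 85 is no longer inside the `if [ -r "${ipfilter_rules}" ]` branch where the earlier hunk removed it, so `ipfs -R` now runs whenever ipfs_enable is YES even when ipfilter_enable is NO or was forced to NO by the 'NO IPF RULES' branch; the case that this esac closes begins outside the hunk, so confirm which block the new code lands in. If the intent is "restore only after rules were loaded", wrap it as `case "${ipfilter_enable}" in [Yy][Ee][Ss])` ... `;; esac` around the existing ipfs case. The guard also tests only `/var/db/ipf/ipstate.ipf`, while `ipfs -R` restores the NAT table as well, so a missing or unreadable ipnat.ipf is not considered. Note for operators that restored entries are accepted as-is and are not re-evaluated against the freshly loaded rule set, so a rule change between shutdown and boot does not retroactively drop saved state.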
@@ -279,12 +279,12 @@
#
case ${ipfilter_enable} in
[Yy][Ee][Ss])
- ${ipfilter_program:-/sbin/ipf -y}
+ ${ipfilter_program:-/sbin/ipf} -y
;;
*)
case ${ipnat_enable} in
[Yy][Ee][Ss])
- ${ipfilter_program:-/sbin/ipf -y}
+ ${ipfilter_program:-/sbin/ipf} -y
;;
esac
esac
Index: rc.shutdown
===================================================================
RCS file: /home/freebsd/CVS/src/etc/rc.shutdown,v
retrieving revision 1.18
diff -u -r1.18 rc.shutdown
--- rc.shutdown 2001/10/20 04:32:57 1.18
+++ rc.shutdown 2001/10/20 17:09:04
@@ -129,7 +129,7 @@
case ${ipfs_enable} in
[Yy][Ee][Ss])
echo -n 'Saving IP Filter state tables:'
- eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags}
+ ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
;;
esac
Index: defaults/rc.conf
===================================================================
RCS file: /home/freebsd/CVS/src/etc/defaults/rc.conf,v
retrieving revision 1.130
diff -u -r1.130 rc.conf
--- defaults/rc.conf 2001/10/20 04:33:02 1.130
+++ defaults/rc.conf 2001/10/20 17:00:49
@@ -61,8 +61,7 @@
natd_interface="fxp0" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
-ipfilter_program="/sbin/ipf -Fa -f"
- # program and how to specify the rules file,
+ipfilter_program="/sbin/ipf" # program and how to specify the rules file,
# see /etc/rc.network (pass1) for details
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
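Review bot: The comment kept on the new `ipfilter_program="/sbin/ipf"` line still reads "program and how to specify the rules file", but the `-Fa -f` options that did that have moved into rc.network, so the comment now documents the old contract and invites users to put options back into the variable, which would duplicate them on the command line. Suggest `ipfilter_program="/sbin/ipf" # program only; extra options go in ipfilter_flags,` with the following line still pointing at /etc/rc.network (pass1). The same stale wording is on the `ipnat_program="/sbin/ipnat"` line in the @@ -70 hunk, where ipnat_flags is the place for options.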
@@ -70,7 +69,7 @@
# (i.e. compiled into the kernel) to
# avoid a warning about "already initialized"
ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too!
-ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipnat_program="/sbin/ipnat" # program and how to specify rules file
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
ipfs_enable="NO" # Set to YES to enable saving and restoring
Arjan
--
Arjan de Vet, Eindhoven, The Netherlands <devet@devet.org>
URL: http://www.iae.nl/users/devet/ <Arjan.deVet@adv.iae.nl>
