Date:      Thu, 19 Aug 2004 18:18:35 +0100
From:      Ceri Davies <ceri@submonkey.net>
To:        Andre Oppermann <andre@freebsd.org>
Cc:        Nate Lawson <nate@root.org>
Subject:   Re: cvs commit: src/sys/conf files options src/sys/modules/ipfw Makefile src/sys/net bridge.c src/sys/netgraph ng_bridge.c src/sys/netinet ip_divert.c ip_dummynet.c ip_dummynet.h ip_fastfwd.c ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c ip_output.c ...
Message-ID:  <20040819171835.GZ5433@submonkey.net>
In-Reply-To: <41247C7A.B21E7660@freebsd.org>
References:  <200408172205.i7HM5sDs087606@repoman.freebsd.org> <20040819030854.GM99521@freebsd3.cimlogic.com.au> <41242606.6070604@root.org> <41247C7A.B21E7660@freebsd.org>

On Thu, Aug 19, 2004 at 12:10:03PM +0200, Andre Oppermann wrote:
> Nate Lawson wrote:
> >
> > John Birrell wrote:
> > > On Tue, Aug 17, 2004 at 10:05:54PM +0000, Andre Oppermann wrote:
> > >
> > >>andre       2004-08-17 22:05:54 UTC
> > >>
> > >>  FreeBSD src repository
> > >>
> > >>  Modified files:
> > >>    sys/conf             files options
> > >>    sys/modules/ipfw     Makefile
> > >>    sys/net              bridge.c
> > >>    sys/netgraph         ng_bridge.c
> > >>    sys/netinet          ip_divert.c ip_dummynet.c ip_dummynet.h
> > >>                         ip_fastfwd.c ip_fw.h ip_fw2.c ip_input.c
> > >>                         ip_output.c ip_var.h raw_ip.c tcp_input.c
> > >>                         tcp_sack.c
> > >>    sys/sys              mbuf.h
> > >>  Added files:
> > >>    sys/netinet          ip_fw_pfil.c
> > >
> > >
> > > A kernel config file which includes IPFIREWALL, but not PFIL_HOOKS will
> > > not link (for obvious reasons).
> > >
> > > Also, the script /etc/rc.d/ipfw tests the 'enable' sysctl which is removed
> > > by this commit. The result is that if a kernel is booted with ipfw built
> > > in, the /etc/rc.d/ipfw script tries to load the ipfw module. The module
> > > load fails (for obvious reasons), causing the ipfw initialisation to fail
> > > leaving the firewall in the deny-everything mode regardless of what is
> > > configured in /etc/rc.conf.
> > >
> > > This is an issue for 5.3. [ I assume re@ are reading this list ]
> >
> > I've been bitten by both.  Actually, ipfw.ko won't load into a kernel
> > built without PFIL_HOOKS.  The duplicate load attempt also happens to me.
>
> I'm looking into this and will have a fix later today.

Hi Andre,

I'd like to echo Nate's thanks for you spending effort to fix the
problems here.

Also, I think that the ipfirewall.4 manpage could use the following
diff attached if PFIL_HOOKS is now mandatory.

Cheers,

Ceri
-- 
It is not tinfoil, it is my new skin.  I am a robot.

Index: src/share/man/man4/ipfirewall.4
===================================================================
RCS file: /home/ncvs/src/share/man/man4/ipfirewall.4,v
retrieving revision 1.29
diff -u -r1.29 ipfirewall.4
--- src/share/man/man4/ipfirewall.4	29 Nov 2002 11:39:19 -0000	1.29
+++ src/share/man/man4/ipfirewall.4	19 Aug 2004 17:16:21 -0000
@@ -46,6 +46,8 @@
 enable
 .Xr divert 4
 sockets
+.It Dv PFIL_HOOKS
+add packet filter hooks
 .El
 .Sh SEE ALSO
 .Xr setsockopt 2 ,
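Review bot: the description on the added ".It Dv PFIL_HOOKS" entry, "add packet filter hooks", reads like one more optional feature, while the thread above reports that a kernel config with IPFIREWALL but without PFIL_HOOKS does not link and that ipfw.ko will not load into a kernel built without it. Say in the entry that the option is required when IPFIREWALL is used, for example "required; adds the packet filter hooks", so a reader trimming a firewall kernel config sees the dependency in the option list itself.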
@@ -53,4 +55,5 @@
 .Xr ip 4 ,
 .Xr ipfw 8 ,
 .Xr sysctl 8 ,
-.Xr syslogd 8
+.Xr syslogd 8,
+.Xr pfil 9
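Review bot: the changed line ".Xr syslogd 8," has the comma attached to the section number; mdoc expects the punctuation as a separate argument, as the unchanged context lines have it (".Xr ipfw 8 ,", ".Xr sysctl 8 ,"), otherwise "8," is taken as the section. Change it to ".Xr syslogd 8 ," and leave ".Xr pfil 9" as the last entry with no trailing comma.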
