From owner-freebsd-ipfw Sat Mar 4 9:54:14 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id A6ACD37B826 for ; Sat, 4 Mar 2000 09:54:11 -0800 (PST) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.9.3) id MAA48897; Sat, 4 Mar 2000 12:59:38 -0500 (EST) (envelope-from cjc)
Date: Sat, 4 Mar 2000 12:59:38 -0500
From: "Crist J. Clark"
To: dan raz
Cc: freebsd-ipfw@FreeBSD.ORG, shavitt@lucent.com
Subject: Re: A problem with verifing ipfw loaded in rc_network
Message-ID: <20000304125938.A48777@cc942873-a.ewndsr1.nj.home.com>
Reply-To: cjclark@home.com
References: <38BFC3FD.3B01BA34@lucent.com> <38BFC80D.73CFB75B@lucent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <38BFC80D.73CFB75B@lucent.com>; from raz@lucent.com on Fri, Mar 03, 2000 at 09:11:25AM -0500
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Mar 03, 2000 at 09:11:25AM -0500, dan raz wrote:
> We have a booting problem that is coming from the rc.network code.
> In our boot process, the ipfw is loaded with the appropriate flags
> (i.e. divert enable) but then rc.network fails to recognize it and
> it reloads ipfw to the kernel with a no-divert flag. The result is that
> the divert sockets do not work.
>
> Here are the relevant lines from the /var/log/messages file:
> .........
> Feb 29 11:06:38 heshvan /kernel: npx0: INT 16 interface
> Feb 29 11:06:38 heshvan /kernel: Intel Pentium detected, installing workaround for F00F bug
> Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert enabled, rule-based forwarding enabled, unlimited logging
> Feb 29 11:06:38 heshvan /kernel: IP Filter: initialized. Default = pass all, Logging = disabled
> Feb 29 11:06:38 heshvan /kernel: changing root device to wd0s2a
> Feb 29 11:06:38 heshvan /kernel: IP packet filtering initialized, divert disabled, rule-based forwarding disabled, logging disabled
> Feb 29 11:06:48 heshvan mrouted[124]: mrouted version 3.9-beta3+IOS12
> .................
> Note that first divert is enabled, and then after mounting /
> IP packet filtering is reinitialized, but now divert is disabled.
> It took us a while to track the problem to rc.network,
> and related questions were posted in freebsd-questions and freebsd-ipfw.
>
> This is the relevant code from rc.network:
>
> >         # Initialize IP filtering using ipfw
> >         echo ""
> >         /sbin/ipfw -q flush > /dev/null 2>&1
> >         if [ $? = 0 ] ; then
> >                 firewall_in_kernel=1
> >         else
> >                 firewall_in_kernel=0
> >         fi
> >
> >         if [ $firewall_in_kernel = 0 -a "x$firewall_enable" = "xYES" ] ; then
> >                 if kldload ipfw; then
> >                         firewall_in_kernel=1    # module loaded successfully
> >                         echo "Kernel firewall module loaded."
> >                 else
> >                         echo "Warning: firewall kernel module failed to load."
> >                 fi
> >         fi
> >
>
> It should verify that the ipfw is in the kernel, and if not, reload it.
> In our case the test (/sbin/ipfw -q flush > /dev/null 2>&1; if [ $? = 0 ])
> does not work. We could not figure out why
> the simple test does not work, but we deleted these lines from rc.network
> and all seems to be working fine.
>
> Any ideas or suggestions?

Can you edit the above line to just be,

	/sbin/ipfw flush
	if [ $? = 0 ] ; then

And then reboot to see what messages come out? Or have you tried that?

One small thing that comes up a lot in the rc* scripts, shouldn't it
really be,

	[ $? -eq 0 ]

Rather than,

	[ $? = 0 ]

Well, I guess they do work the way they are, and the first is a bit
prettier.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
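The probe discussed in the thread throws ipfw's error output away, which is why the poster could not tell why it failed. Below is an added example of the same "is ipfw in the kernel?" decision written so the failure reason survives; it is not the rc.network code from the thread, and it assumes the ipfw command path and a log file are passed as arguments so the probe can be pointed at a stub.

```shell
#!/bin/sh
# Added example, not the rc.network code quoted in the thread.
# Assumptions: $1 is the ipfw command to run (normally /sbin/ipfw, but any
# stub for testing), $2 is a file that receives whatever it wrote to stderr.

# ipfw_in_kernel CMD LOGFILE
#   Returns 0 if "CMD -f flush" succeeds, 1 otherwise.
#   -f answers ipfw's "Are you sure?" prompt for flush, so -q is not needed
#   and ipfw's error messages are no longer suppressed; stderr goes to
#   LOGFILE instead of /dev/null and is echoed on failure.
ipfw_in_kernel() {
    cmd=$1
    log=$2
    if "$cmd" -f flush >/dev/null 2>"$log"; then
        return 0
    fi
    echo "Warning: firewall probe '$cmd -f flush' failed:" >&2
    cat "$log" >&2
    return 1
}

# probe_firewall CMD LOGFILE FIREWALL_ENABLE
#   Mirrors the rc.network decision and prints the outcome: "in-kernel",
#   "load-module" (where rc.network would run "kldload ipfw") or "skip".
#   Uses -eq for the numeric comparison, as suggested in the reply.
probe_firewall() {
    if ipfw_in_kernel "$1" "$2"; then
        firewall_in_kernel=1
    else
        firewall_in_kernel=0
    fi
    if [ "$firewall_in_kernel" -eq 1 ]; then
        echo in-kernel
    elif [ "x$3" = "xYES" ]; then
        echo load-module
    else
        echo skip
    fi
}
```

On a real host this would be called as `probe_firewall /sbin/ipfw /var/run/ipfw_probe.log "$firewall_enable"`; a failed probe then leaves ipfw's own message in the log and on the console rather than silently falling through to kldload.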