Date:      16 Jun 2003 23:02:16 -0400
From:      Mike Bohan <bogin@shortcircut.org>
To:        Mike Makonnen <mtm@identd.net>
Cc:        freebsd-current@freebsd.org
Subject:   Re: -E flag in /etc/rc.d/ipfilter causes warnings
Message-ID:  <1055818936.18453.36.camel@diesel>
In-Reply-To: <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>
References:  <1055813744.18453.21.camel@diesel> <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>


That's actually how I interpreted the man page too (the way you did),
but rc.conf says the inverse, and my testing corresponds to this as
well...

ipfilter_flags=""               # should be *empty* when ipf is _not_ a module
                                # (i.e. compiled into the kernel) to
                                # avoid a warning about "already initialized"


I agree there's no easy solution with the rc.d start/stop
functionality.  I'll let the list know if I come up with an alternate
method.

--
Mike Bohan <bogin@shortcircut.org>

On Mon, 2003-06-16 at 22:39, Mike Makonnen wrote:
> On 16 Jun 2003 21:35:44 -0400
> Mike Bohan <bogin@shortcircut.org> wrote:
>
> > Hello there,
> >
> > 	I recently ran into a slight issue with ipfilter running on
> > 5.1-RELEASE.  My machine serves the simple purpose as a nat gateway, so
> > ipfilter is always going to be necessary on it.  Due to this fact, I
> > decided to include options IPFILTER in the kernel config, instead of
> > dynamically loading the ipl.ko module.  However, when ipfilter is used
> > in the kernel image, it's automatically initialized (and thus does not
> > need the -E flag).
>
> hmm... I thought it was the other way around (it's not effective when loaded
> as a module), but I may have misunderstood the man page.
>
> > This has been noted in rc.conf for some time, and I
> > of course removed the -E from the
> > ipfilter_flags variable in that file.  However, after booting my kernel
> > with the IPFILTER options, I noticed warnings in my kernel logs that
> > "ipfilter has already been initialized", which is consistent with using
> > flag -E when ipf is already initialized.  After some brief analysis, I
> > discovered that /etc/rc.d/ipfilter actually uses -E in the shell script
> > function, ipfilter_start(). After removing the two instances of the -E
> > and rebooting, the warning messages disappeared at boot time.  Is this a
> > known glitch in the hopes that people start solely using the ipl kernel
> > module? It's really not a big deal either way, but I was more just
> > curious than anything in which direction it's going.  Thanks in advance!
> >
>
> I believe it's harmless, and while not aesthetically pleasing, it's a
> necessary work-around. The stop command to rc.d/ipfilter uses -D to disable
> ipfilter, so it's necessary to use -E with the start command because there's
> no way to know how/when/why/in-what-environment it's being called. If I'm
> wrong or you have a better alternative to this please let me know.
>
> Cheers.

