From: Mike Bohan
To: Mike Makonnen
cc: freebsd-current@freebsd.org
Date: 16 Jun 2003 23:02:16 -0400
Subject: Re: -E flag in /etc/rc.d/ipfilter causes warnings
Message-Id: <1055818936.18453.36.camel@diesel>
In-Reply-To: <20030617023914.LUPT16647.out006.verizon.net@kokeb.ambesa.net>

That's actually how I interpreted the man page too (the way you did), but
rc.conf says the inverse, and my testing corresponds to this as well...

ipfilter_flags=""               # should be *empty* when ipf is _not_ a module
                                # (i.e. compiled into the kernel) to
                                # avoid a warning about "already initialized"

I agree there's no easy solution with the rc.d start/stop functionality.
I'll let the list know if I come up with an alternate method.

-- 
Mike Bohan

On Mon, 2003-06-16 at 22:39, Mike Makonnen wrote:
> On 16 Jun 2003 21:35:44 -0400
> Mike Bohan wrote:
>
> > Hello there,
> >
> > I recently ran into a slight issue with ipfilter running on
> > 5.1-RELEASE. My machine serves the simple purpose as a nat gateway, so
> > ipfilter is always going to be necessary on it. Due to this fact, I
> > decided to include options IPFILTER in the kernel config, instead of
> > dynamically loading the ipl.ko module. However, when ipfilter is used
> > in the kernel image, it's automatically initialized (and thus does not
> > need the -E flag).
>
> hmm... I thought it was the other way around (it's not effective when loaded as
> a module), but I may have misunderstood the man page.
>
> > This has been noted in rc.conf for some time, and I
> > of course removed the -E from the
> > ipfilter_flags variable in that file. However, after booting my kernel
> > with the IPFILTER options, I noticed warnings in my kernel logs that
> > "ipfilter has already been initialized", which is consistent with using
> > flag -E when ipf is already initialized. After some brief analysis, I
> > discovered that /etc/rc.d/ipfilter actually uses -E in the shell script
> > function, ipfilter_start(). After removing the two instances of the -E
> > and rebooting, the warning messages disappeared at boot time. Is this a
> > known glitch in the hopes that people start solely using the ipl kernel
> > module? It's really not a big deal either way, but I was more just
> > curious than anything in which direction it's going. Thanks in advance!
> >
>
> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called.
> If I'm wrong or you have a
> better alternative to this please let me know.
>
> Cheers.