Date:      Sun, 6 Apr 2014 16:37:06 GMT
From:      Frank Volf <frank@deze.org>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/188318: service ipfilter reload does not work
Message-ID:  <201404061637.s36Gb6nj078527@cgiserv.freebsd.org>
Resent-Message-ID: <201404061640.s36Ge0S0051109@freefall.freebsd.org>
>Number:         188318
>Category:       misc
>Synopsis:       service ipfilter reload does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 06 16:40:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Frank Volf
>Release:        FreeBSD 10-STABLE
>Organization:
>Environment:
FreeBSD drawbridge.internal.deze.org 10.0-STABLE FreeBSD 10.0-STABLE #0 r262433: Mon Feb 24 16:25:35 CET 2014     root@drawbridge-new.internal.deze.org:/usr/obj/usr/sources/src10-stable/sys/SHUTTLE  i386

>Description:

If you modify your ipfilter rule set and issue a 'service ipfilter reload', an empty IPv4 rule set will be loaded.
You can see this with the 'ipfstat -ionh' command. 
>How-To-Repeat:
Issue 'service ipfilter reload'
>Fix:
The issue is caused by an error in the /etc/rc.d/ipfilter script.

In this script the command '${ipfilter_program:-/sbin/ipf} -I -6 -Fa' is used to flush the inactive rule set.

However, this command does not work as expected. It flushes both the IPv4 and the IPv6 inactive rule set.

So the new ipfilter rule set, loaded just above this command, is immediately removed.

The fix is simple: comment out this line and it works fine (above this line there is already a '${ipfilter_program:-/sbin/ipf} -I -Fa' that flushes both the inactive IPv4 and the IPv6 rule base).
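To audit an rc.d/ipfilter-style script for the ordering problem described above, here is an added shell check that is not part of the PR or of FreeBSD's own script. Only the two flush lines are quoted from the report; the '-I -f' load lines and the '-s' swap in the constructed sample are assumptions about the surrounding script.

```shell
#!/bin/sh
# Audit a reload sequence: once rules have been loaded into the inactive
# set ('-I -f' or '-I -6 -f'), any later flush of that set ('-I -Fa' or
# '-I -6 -Fa') discards them, because '-6 -Fa' empties IPv4 rules as well.
# Returns 0 if the ordering is clean, 1 (with a message) if it is not.
check_ipfilter_reload() {
    awk '
        /^[[:space:]]*#/ { next }                    # skip commented-out lines
        /-I (-6 )?-f /   { loaded = NR }             # load into inactive set
        /-I (-6 )?-Fa/ && loaded && !bad {           # flush after that load
            bad = NR; load = loaded
        }
        END {
            if (bad) {
                printf "flush on line %d discards rules loaded on line %d\n", bad, load
                exit 1
            }
        }' "$1"
}

# Constructed sample reproducing the buggy order: load, then the IPv6
# flush that also empties the IPv4 inactive set. Load/swap lines assumed.
buggy=$(mktemp)
fixed=$(mktemp)
trap 'rm -f "$buggy" "$fixed"' EXIT
cat > "$buggy" <<'EOF'
${ipfilter_program:-/sbin/ipf} -I -Fa
${ipfilter_program:-/sbin/ipf} -I -f "${ipfilter_rules}"
${ipfilter_program:-/sbin/ipf} -I -6 -Fa
${ipfilter_program:-/sbin/ipf} -I -6 -f "${ipv6_ipfilter_rules}"
${ipfilter_program:-/sbin/ipf} -s
EOF

# The fix from the report: comment out the '-I -6 -Fa' line.
sed '/-I -6 -Fa/s/^/#/' "$buggy" > "$fixed"

check_ipfilter_reload "$buggy"   # reports line 3 discarding line 2
check_ipfilter_reload "$fixed"   # silent, exit 0
```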

>Release-Note:
>Audit-Trail:
>Unformatted: