Date: Sun, 21 Sep 2014 14:58:12 +0900 (JST)
From: Hiroki Sato <hrs@FreeBSD.org>
To: ipfw@FreeBSD.org
Subject: net.inet{,6}.fw.enable in /etc/rc
Message-ID: <20140921.145812.325633000583440554.hrs@allbsd.org>
Hi,

I would like your comments about the attached patch to /etc/rc. The problem I want to fix with this patch is as follows.

net.inet{,6}.fw.enable are set to 1 by default at boot time if the IPFW kernel module is loaded or statically compiled into the kernel. And by default IPFW has only a "deny ip from any to any" rule if it is compiled without the IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case, the default-deny rule can prevent rc.d scripts that run before rc.d/ipfw from working, as described in the patch.

To fix this, the patch turns IPFW off before running rc.d scripts at boot time, and enables it again in the rc.d/ipfw script.

I think most users use the GENERIC kernel + ipfw kernel module. In that case, IPFW is not activated before the rc.d/ipfw script regardless of this patch, so there is no user-visible change. This patch affects only the combination of a kernel with IPFW compiled in and rc.d scripts running before rc.d/ipfw. The behavior will be almost the same as that of GENERIC kernel + ipfw kernel module.

Please let me know if I am missing something.

-- Hiroki

Attachment: rc_ipfw.20140921-1.diff

Index: etc/rc
===================================================================
--- etc/rc (revision 271853)
+++ etc/rc (working copy)
@@ -87,6 +87,17 @@ fi fi +# Clear *.fw.enable sysctls. At boot time, some of network initialization +# before rc.d/ipfw script requires network communications (e.g. DHCP and +# IPv6 Duplicate Address Detection). When *.fw.enable=1 and "default deny" +# policy was applied---this can happen when IPFW is complied into the kernel +# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those +# comminucations are blocked. To prevent this, set *.fw.enable=0 before +# calling rc.d scripts. The rc.d/ipfw script set this to 1 after +# configuration. +/sbin/sysctl -q net.inet.ip.fw.enable=0 +/sbin/sysctl -q net.inet6.ip6.fw.enable=0 + # If the firstboot sentinel doesn't exist, we want to skip firstboot scripts. if ! [ -e ${firstboot_sentinel} ]; then skip_firstboot="-s firstboot"
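Review bot: the two unconditional `/sbin/sysctl -q ... fw.enable=0` lines trade the fail-closed behaviour of a kernel built with IPFW and without IPFIREWALL_DEFAULT_TO_ACCEPT for fail-open whenever rc.d/ipfw never gets as far as setting the sysctl back to 1 (the rc.conf knob that enables rc.d/ipfw, firewall_enable, is off, or the script aborts while loading rules); the host then runs with the firewall off for the rest of its uptime instead of behind the default-deny rule, which is a larger change than the "no user-visible change" the cover mail describes for that configuration. Consider clearing the sysctls only when rc.d/ipfw is actually going to re-enable them, or having rc.d/ipfw re-enable on every exit path. The new comment also has three typos to fix before commit: "complied" should be "compiled", "comminucations" should be "communications", and "The rc.d/ipfw script set this to 1" should read "sets".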
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140921.145812.325633000583440554.hrs>
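The sequence the mail describes (clear *.fw.enable, load the rule set, set it back to 1) and the check an administrator would run afterwards, as an added example that is not part of the patch or of FreeBSD's own /etc/rc or rc.d/ipfw. The function names, the SYSCTL/IPFW variables and the FW_LOG record are assumptions of this example; they let the boot sequence be exercised offline with stub commands. The one thing it adds to the patch's own logic is that fw_load_rules re-enables the firewall on every return path, so a default-deny kernel ends the boot fail-closed even when a rule line fails to load.

```shell
#!/bin/sh
# Added example, not from the patch or from FreeBSD's rc scripts.
# SYSCTL and IPFW are assumed variable names so the sequence can be run
# against stubs; on a real host they default to the real binaries.
SYSCTL=${SYSCTL:-/sbin/sysctl}
IPFW=${IPFW:-/sbin/ipfw}
FW_LOG=""        # ';'-separated record of every command issued (for auditing/tests)

fw_run() {
    # run a command and append it to FW_LOG
    FW_LOG="${FW_LOG}${FW_LOG:+;}$*"
    "$@"
}

fw_disable() {
    # same two sysctls the patch adds to /etc/rc
    fw_run "$SYSCTL" -q net.inet.ip.fw.enable=0 >/dev/null
    fw_run "$SYSCTL" -q net.inet6.ip6.fw.enable=0 >/dev/null
}

fw_enable() {
    # what rc.d/ipfw does once the rule set is in place
    fw_run "$SYSCTL" -q net.inet.ip.fw.enable=1 >/dev/null
    fw_run "$SYSCTL" -q net.inet6.ip6.fw.enable=1 >/dev/null
}

# fw_load_rules RULEFILE
# Each non-comment line of RULEFILE is passed to ipfw(8) as one command
# (e.g. "add 100 allow ip from any to any via lo0"). Loading stops at the
# first failing line, but the firewall is re-enabled either way and the
# failure is reported through the return status.
fw_load_rules() {
    rulefile=$1
    status=0
    fw_disable
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # word-split the rule line into ipfw arguments (rules contain no globs)
        fw_run "$IPFW" -q $line || { status=$?; break; }
    done < "$rulefile"
    fw_enable          # always runs, whether or not every rule loaded
    return $status
}

# fw_state ENABLE_VALUE IPFW_LIST_TEXT
# Classify the host's firewall state from net.inet.ip.fw.enable and the
# text of `ipfw list`; run it after boot to confirm rc.d/ipfw really
# turned the firewall back on:
#   fw_state "$(sysctl -n net.inet.ip.fw.enable)" "$(ipfw list)"
fw_state() {
    case "$1" in
        0) echo disabled; return 0 ;;          # packets bypass ipfw entirely
        1) ;;
        *) echo unknown-enable-value; return 2 ;;
    esac
    # rule 65535 is the built-in default rule; its action is the policy
    action=$(printf '%s\n' "$2" | awk '$1 == "65535" { a = $2 } END { print a }')
    case "$action" in
        deny)  echo enabled-default-deny ;;
        allow) echo enabled-default-accept ;;
        *)     echo enabled-unknown-policy; return 1 ;;
    esac
}
```

Because fw_enable runs after the loop regardless of status, a host whose rule file has a bad line comes up behind its default rule (deny on a default-deny kernel) rather than with the firewall switched off; fw_state then reports `enabled-default-deny`, the state to expect at the end of a normal boot, and `disabled` is the signal that something left the patch's window open.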