ipfilter has a number of tunable variables (run "ipf -T list" to see the list). Although many (all?) of these are made available via sysctl, it is not possible to configure them in the context of the current /etc/rc.conf or /etc/sysctl.conf arrangements due to the following constraints/interactions:

1. Some of the tunables can be set only if ipfilter is disabled.
2. The current /etc/rc.d/ipfilter startup script enables ipfilter and causes it to load the filter rules before doing anything about ipfilter_flags, which might theoretically be set to "-D -T <foo> -E".
3. You could try ipfilter_flags="-D -T <foo> -E -f ${ipfilter_rules}" to reload the rules. However, ipfilter_flags are also used for the reload and resync commands of the startup script (i.e., later on), so you run into...
4. Disabling ipfilter not only flushes existing configured filter rules, it also flushes any configured NAT rules (loaded independently via /etc/rc.d/ipnat).
5. /etc/sysctl.conf is processed after /etc/rc.d/ipfilter runs, so ipfilter tunables set in sysctl.conf fail due to ipfilter being enabled.
6. Oh, and they can't be set in /boot/loader.conf either.

Here is a fix that allows variables to be specified in /etc/rc.conf so they will be set early in the /etc/rc.d/ipfilter script.

Fix: Patch attached

Patch attached with submission follows:
Responsible Changed From-To: freebsd-bugs->freebsd-net Perhaps the folks on -net can evaluate this.
Responsible Changed From-To: freebsd-net->cy Mine.
For bugs matching the following criteria:
Status: In Progress
Changed: (is less than) 2014-06-01
Reset to default assignee and clear in-progress tags. Mail being skipped.
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch]
* bulk change for the keyword
* summary lines may be edited manually (not in bulk).
Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
See https://reviews.freebsd.org/D47346.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8d6feaaaa26f444abb209360e52b993e39cb81bb

commit 8d6feaaaa26f444abb209360e52b993e39cb81bb
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-10-30 19:28:31 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-11-01 18:08:14 +0000

    ipfilter: Set ipf -T optionlist at boot

    There is no easy way to set ipfilter optionlist variables during boot. Add plumbing to the rc script to support this.

    PR: 130555
    Reviewed by: jlduran
    MFC 1 week
    Differential Revision: https://reviews.freebsd.org/D47346

 libexec/rc/rc.conf | 1 +
 libexec/rc/rc.d/ipfilter | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3b032c06989df3cd7bf075aeb54249bbeb8df2b4

commit 3b032c06989df3cd7bf075aeb54249bbeb8df2b4
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-10-30 19:28:31 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-11-19 00:26:04 +0000

    ipfilter: Set ipf -T optionlist at boot

    There is no easy way to set ipfilter optionlist variables during boot. Add plumbing to the rc script to support this.

    PR: 130555
    Reviewed by: jlduran
    Differential Revision: https://reviews.freebsd.org/D47346

    (cherry picked from commit 8d6feaaaa26f444abb209360e52b993e39cb81bb)

 libexec/rc/rc.conf | 1 +
 libexec/rc/rc.d/ipfilter | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6739198793e469f9f9c414ddad49b7c0e08eb03e

commit 6739198793e469f9f9c414ddad49b7c0e08eb03e
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-10-30 19:28:31 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-11-19 00:27:06 +0000

    ipfilter: Set ipf -T optionlist at boot

    There is no easy way to set ipfilter optionlist variables during boot. Add plumbing to the rc script to support this.

    PR: 130555
    Reviewed by: jlduran
    Differential Revision: https://reviews.freebsd.org/D47346

    (cherry picked from commit 8d6feaaaa26f444abb209360e52b993e39cb81bb)

 libexec/rc/rc.conf | 1 +
 libexec/rc/rc.d/ipfilter | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)
Fixed.