Bug 207916 - [PATCH] etc/rc.d/netwait breaks on releng/10.3 if ipfw configured
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.3-BETA2
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ian Lepore
Keywords: patch
Reported: 2016-03-12 03:47 UTC by John Marshall
Modified: 2016-03-16 17:39 UTC

Attachments
Add ipfw to REQUIRE in /etc/rc.d/netwait (347 bytes, patch)
2016-03-12 03:47 UTC, John Marshall

Description John Marshall 2016-03-12 03:47:47 UTC
Created attachment 168033
Add ipfw to REQUIRE in /etc/rc.d/netwait

FreeBSD rwsrv04.gfn.riverwillow.net.au 10.3-RC2 FreeBSD 10.3-RC2 #0 r296673: Sat Mar 12 11:12:32 AEDT 2016     root@rwsrv04.gfn.riverwillow.net.au:/build/obj/build/src/sys/RWSRV04  i386

In Kernel config file:
options 	IPFIREWALL		#firewall

In rc.conf:
netwait_enable=YES

All was well in 10.2-RELEASE, but now...

/etc/rc.d/netwait no longer succeeds in pinging ${netwait_ip} because the firewall has not yet been started and the default "deny all" condition prevails. netwait times out, startup proceeds and bits of networking components don't get started because the interfaces haven't finished being configured yet (now that packets can get through).

The attached patch makes netwait dependent on ipfw. I doubt that this is the proper solution but "it works for me". netwait used to be dependent on NETWORKING and everything worked fine. The commit message for r294680 explains why NETWORKING was removed from the netwait REQUIRE list but there are more things that need to be taken into account. Replacing NETWORKING with only devd and routing in the REQUIRE list is obviously insufficient. I'm thinking the dependency probably belongs in a different script - but where?

The effect of adding ipfw to the netwait REQUIRE list changes rcorder like this:

--- rcorder.10.3	2016-03-12 14:08:16.432798000 +1100
+++ rcorder.10.3.jm	2016-03-12 14:08:36.667104000 +1100
@@ -44,6 +44,7 @@
 /etc/rc.d/ppp
 /etc/rc.d/faith
 /etc/rc.d/routing
+/etc/rc.d/ipfw
 /etc/rc.d/netwait
 /etc/rc.d/resolv
 /etc/rc.d/local_unbound
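Review bot: With /etc/rc.d/ipfw inserted above /etc/rc.d/netwait here, the firewall script now also sorts ahead of /etc/rc.d/resolv and /etc/rc.d/local_unbound, while its old position (removed in the next hunk) was after them. Please confirm that loading the ipfw ruleset does not rely on name resolution at that point, and mention the earlier start in the change description.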
@@ -57,7 +58,6 @@
 /etc/rc.d/mrouted
 /etc/rc.d/routed
 /etc/rc.d/defaultroute
-/etc/rc.d/ipfw
 /etc/rc.d/NETWORKING
 /etc/rc.d/mountcritremote
 /etc/rc.d/newsyslog
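Review bot: The only entry that moves in this comparison is /etc/rc.d/ipfw, so the listing demonstrates the new order for one firewall script only. If the intent is that netwait runs after firewall setup in general, the REQUIRE line should name the other firewall scripts as well, and the before/after rcorder listing should show each of them ahead of /etc/rc.d/netwait.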
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-03-13 19:43:44 UTC
A commit references this bug:

Author: ian
Date: Sun Mar 13 19:42:59 UTC 2016
New revision: 296807
URL: https://svnweb.freebsd.org/changeset/base/296807

Log:
  Require firewall setup before running rc.d/netwait, otherwise the ping
  packets sent by netwait may not get through.

  PR:		207916
  Submitted by:	John.Marshall@riverwillow.com.au (ipfw), ian@ (pf, ipfilter)

Changes:
  head/etc/rc.d/netwait
Comment 2 Ian Lepore freebsd_committer freebsd_triage 2016-03-13 19:54:34 UTC
I think a better fix would be to split this into two scripts, one that waits for network interfaces to appear and another that waits for IP connectivity.  The interface wait would happen before NETWORKING and the IP wait afterwards like it used to.

When I started to pursue that I ran into an existing circular dependency between devd and mountcritremote which becomes much worse when inserting the new interface-wait before NETWORKING (one dependency conflict turns into a couple dozen).  That's going to be hard to resolve, so I've committed the provided fix (and added the pf and ipfilter firewalls as well) for now.
Comment 3 Miroslav Lachman 2016-03-14 15:22:11 UTC
If ipfw is a hardcoded dependency of netwait now, what if I am using PF as the firewall of my choice?
Will netwait fail?
Comment 4 Ian Lepore freebsd_committer freebsd_triage 2016-03-14 15:28:07 UTC
(In reply to Miroslav Lachman from comment #3)

No, the "requirements" don't really mean the named script has to complete successfully, it only directs rcorder(8) to sort them so that they run in requirement order.  So the change just ensures that all 3 flavors of firewall-setup script will have a chance to run before the netwait script runs.
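
A check for the ordering problem in this report and for the sorting behaviour described in comment 4, as an added example that is not part of the bug thread or FreeBSD's own code: it reads an rcorder(8) listing and reports any of the ipfw, pf or ipfilter scripts that sort after netwait. The function names and both sample listings (abridged from the rcorder diff in the description) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find firewall rc.d scripts that would start after netwait.
# On a FreeBSD host, feed it the real order:
#   rcorder /etc/rc.d/* 2>/dev/null | firewalls_after_netwait

# Reads one script path per line on stdin.
# Prints each firewall script that is ordered after netwait.
# Returns 0 if none, 1 if any, 2 if netwait is not in the listing.
firewalls_after_netwait() {
    awk '
        { n = split($0, p, "/"); name = p[n] }   # basename of the path
        name == "netwait" { seen = 1; next }
        name ~ /^(ipfw|pf|ipfilter)$/ && seen { late = 1; print name }
        END { if (!seen) exit 2; exit (late ? 1 : 0) }
    '
}

# Constructed sample: order reported for 10.3-RC2 (ipfw after netwait).
order_before='/etc/rc.d/routing
/etc/rc.d/netwait
/etc/rc.d/resolv
/etc/rc.d/defaultroute
/etc/rc.d/ipfw
/etc/rc.d/NETWORKING'

# Constructed sample: order with ipfw added to the netwait REQUIRE list.
order_after='/etc/rc.d/routing
/etc/rc.d/ipfw
/etc/rc.d/netwait
/etc/rc.d/resolv
/etc/rc.d/defaultroute
/etc/rc.d/NETWORKING'

# Hypothetical helper: $1 = label, $2 = listing.
report() {
    late=$(printf '%s\n' "$2" | firewalls_after_netwait) && rc=0 || rc=$?
    case $rc in
        0) echo "$1: ok, firewall scripts precede netwait" ;;
        1) echo "$1: netwait runs before:" $late ;;
        *) echo "$1: netwait not in listing" ;;
    esac
    return $rc
}

report "10.3-RC2 order" "$order_before" || true
report "patched order" "$order_after"
```

A firewall script that is present but not enabled in rc.conf still appears in the listing, so the check reflects sort order only, which matches how comment 4 describes REQUIRE.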
Comment 5 Miroslav Lachman 2016-03-14 15:58:11 UTC
Thank you.
I was not sure because I played with rc and rcorder a long time ago.
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-03-16 16:22:19 UTC
A commit references this bug:

Author: ian
Date: Wed Mar 16 16:21:30 UTC 2016
New revision: 296940
URL: https://svnweb.freebsd.org/changeset/base/296940

Log:
  MFC r296807:

    Require firewall setup before running rc.d/netwait, otherwise the ping
    packets sent by netwait may not get through.

  PR:		207916

Changes:
_U  stable/10/
  stable/10/contrib/llvm/tools/clang/lib/Driver/Tools.cpp
  stable/10/etc/rc.d/netwait
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-03-16 16:53:26 UTC
A commit references this bug:

Author: ian
Date: Wed Mar 16 16:52:31 UTC 2016
New revision: 296943
URL: https://svnweb.freebsd.org/changeset/base/296943

Log:
  MFC r296807: (this time with 100% fewer unintended changes mixed in)...

    Require firewall setup before running rc.d/netwait, otherwise the ping
    packets sent by netwait may not get through.

  PR:		207916

Changes:
_U  stable/10/
  stable/10/etc/rc.d/netwait
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-03-16 17:36:32 UTC
A commit references this bug:

Author: ian
Date: Wed Mar 16 17:35:55 UTC 2016
New revision: 296946
URL: https://svnweb.freebsd.org/changeset/base/296946

Log:
  MFC 296943:

    Require firewall setup before running rc.d/netwait, otherwise the ping
    packets sent by netwait may not get through.

  PR:           207916
  Approved by:	re (marius)

Changes:
_U  releng/10.3/
  releng/10.3/etc/rc.d/netwait