Bug 207916

Summary: [PATCH] etc/rc.d/netwait breaks on releng/10.3 if ipfw configured
Product: Base System Reporter: John Marshall <john>
Component: binAssignee: Ian Lepore <ian>
Status: Closed FIXED    
Severity: Affects Some People CC: 000.fbsd, re
Priority: --- Keywords: patch
Version: 10.3-BETA2   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
Add ipfw to REQUIRE in /etc/rc.d/netwait none

Description John Marshall 2016-03-12 03:47:47 UTC 
Created attachment 168033 [details]
Add ipfw to REQUIRE in /etc/rc.d/netwait

FreeBSD rwsrv04.gfn.riverwillow.net.au 10.3-RC2 FreeBSD 10.3-RC2 #0 r296673: Sat Mar 12 11:12:32 AEDT 2016     root@rwsrv04.gfn.riverwillow.net.au:/build/obj/build/src/sys/RWSRV04  i386

In Kernel config file:
options 	IPFIREWALL		#firewall

In rc.conf:
netwait_enable=YES

All was well in 10.2-RELEASE, but now...

/etc/rc.d/netwait no longer succeeds in pinging ${netwait_ip} because the firewall has not yet been started and the default "deny all" condition prevails. netwait times out, startup proceeds and bits of networking components don't get started because the interfaces haven't finished being configured yet (now that packets can get through).

The attached patch makes netwait dependent on ipfw. I doubt that this is the proper solution but "it works for me". netwait used to be dependent on NETWORKING and everything worked fine. The commit message for r294680 explains why NETWORKING was removed from the netwait REQUIRE list but there are more things that need to be taken into account. Replacing NETWORKING with only devd and routing in the REQUIRE list is obviously insufficient. I'm thinking the dependency probably belongs in a different script - but where?

The effect of adding ipfw to the netwait REQUIRE list changes rcorder like this:

--- rcorder.10.3	2016-03-12 14:08:16.432798000 +1100
+++ rcorder.10.3.jm	2016-03-12 14:08:36.667104000 +1100
@@ -44,6 +44,7 @@
 /etc/rc.d/ppp
 /etc/rc.d/faith
 /etc/rc.d/routing
+/etc/rc.d/ipfw
 /etc/rc.d/netwait
 /etc/rc.d/resolv
 /etc/rc.d/local_unbound
@@ -57,7 +58,6 @@
 /etc/rc.d/mrouted
 /etc/rc.d/routed
 /etc/rc.d/defaultroute
-/etc/rc.d/ipfw
 /etc/rc.d/NETWORKING
 /etc/rc.d/mountcritremote
 /etc/rc.d/newsyslog
Comment 1 commit-hook freebsd_committer freebsd_triage 2016-03-13 19:43:44 UTC 
A commit references this bug:

Author: ian
Date: Sun Mar 13 19:42:59 UTC 2016
New revision: 296807
URL: https://svnweb.freebsd.org/changeset/base/296807

Log:
  Require firewall setup before running rc.d/netwait, otherwise the ping
  packets sent by netwait may not get through.

  PR:		207916
  Submitted by:	John.Marshall@riverwillow.com.au (ipfw), ian@ (pf, ipfilter)

Changes:
  head/etc/rc.d/netwait
Comment 2 Ian Lepore freebsd_committer freebsd_triage 2016-03-13 19:54:34 UTC 
I think a better fix would be to split this into two scripts, one that waits for network interfaces to appear and another that waits for IP connectivity.  The interface wait would happen before NETWORKING and the IP wait afterwards like it used to.

When I started to pursue that I ran into an existing circular dependency between devd and mountcritremote which becomes much worse when inserting the new interface-wait before NETWORKING (one dependency conflict turns into a couple dozen).  That's going to be hard to resolve, so I've committed the provided fix (and added the pf and ipfilter firewalls as well) for now.
Comment 3 Miroslav Lachman 2016-03-14 15:22:11 UTC 
If ipwf is hardcoded dependency of netwait now, what if I am using PF as firewall of my choice?
Will netwait fail?
Comment 4 Ian Lepore freebsd_committer freebsd_triage 2016-03-14 15:28:07 UTC 
(In reply to Miroslav Lachman from comment #3)

No, the "requirements" don't really mean the named script has to complete successfully, it only directs rcorder(8) to sort them so that they run in requirement order.  So the change just ensures that all 3 flavors of firewall-setup script will have a chance to run before the netwait script runs.
Comment 5 Miroslav Lachman 2016-03-14 15:58:11 UTC 
Thank you. 
I was not sure because I played with rc and rcorder long time ago.
Comment 6 commit-hook freebsd_committer freebsd_triage 2016-03-16 16:22:19 UTC 
A commit references this bug:

Author: ian
Date: Wed Mar 16 16:21:30 UTC 2016
New revision: 296940
URL: https://svnweb.freebsd.org/changeset/base/296940

Log:
  MFC r296807:

    Require firewall setup before running rc.d/netwait, otherwise the ping
    packets sent by netwait may not get through.

  PR:		207916

Changes:
_U  stable/10/
  stable/10/contrib/llvm/tools/clang/lib/Driver/Tools.cpp
  stable/10/etc/rc.d/netwait
Comment 7 commit-hook freebsd_committer freebsd_triage 2016-03-16 16:53:26 UTC 
A commit references this bug:

Author: ian
Date: Wed Mar 16 16:52:31 UTC 2016
New revision: 296943
URL: https://svnweb.freebsd.org/changeset/base/296943

Log:
  MFC r296807: (this time with 100% fewer unintended changes mixed in)...

    Require firewall setup before running rc.d/netwait, otherwise the ping
    packets sent by netwait may not get through.

  PR:		207916

Changes:
_U  stable/10/
  stable/10/etc/rc.d/netwait
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-03-16 17:36:32 UTC 
A commit references this bug:

Author: ian
Date: Wed Mar 16 17:35:55 UTC 2016
New revision: 296946
URL: https://svnweb.freebsd.org/changeset/base/296946

Log:
  MFC 296943:

    Require firewall setup before running rc.d/netwait, otherwise the ping
    packets sent by netwait may not get through.

  PR:           207916
  Approved by:	re (marius)

Changes:
_U  releng/10.3/
  releng/10.3/etc/rc.d/netwait