Bug 31482

Summary: ipfilter /etc/rc.* bug fixes and manual page update
Product: Base System
Reporter: Arjan de Vet <devet>
Component: conf
Assignee: Darren Reed <darrenr>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.4-STABLE   
Hardware: Any   
OS: Any   

Description Arjan de Vet 2001-10-24 21:00:01 UTC
	ipfilter /etc/rc.* bug fixes including manual page update

Fix: 

At

	http://home.iae.nl/users/devet/freebsd/

you can find two patches (rc.ipf.stable and rc.ipf.current) which
clean up the ipfilter/ipnat/ipmon/ipfs startup code in the /etc/rc.*
framework. It even includes updates to the rc.conf.5 manual pages ;-).
Note that for stable /sbin/ipfs should be MFC'ed first!

I've tested the -stable version of the patch on my own firewall (doing
NAT too), and I can now reboot my firewall without losing the active
connections ;-).
How-To-Repeat: 
    darrenr     2001/10/19 21:33:12 PDT

      Modified files:
	etc                  rc.network rc.shutdown 
	etc/defaults         rc.conf 
      Log:
      Put in place for using ipfs use on shutdown and startup.
      
      PR:		27070
      
      Revision  Changes    Path
      1.130     +5 -1      src/etc/defaults/rc.conf
      1.107     +10 -1     src/etc/rc.network
      1.18      +12 -1     src/etc/rc.shutdown

Hmm... with these default settings from defaults/rc.conf:

    ipfilter_program="/sbin/ipf -Fa -f"
    ipfs_flags=""
    ipfs_program="/sbin/ipfs"

these kinds of expressions in /etc/rc.network:

    ${ipfilter_program:-/sbin/ipf -y}
    ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}

will evaluate to:

    /sbin/ipf -Fa -f
    /sbin/ipfs

and that's not what is intended in these cases, I think.

I also see these kinds of expressions for ipfilter-related stuff preceded
by 'eval' a lot. That seems unnecessary to me.

Furthermore the ipfilter_program and ipnat_program variables are the
_only_ *_program variables in defaults/rc.conf to have options already
included :-(.

The patch referenced below will fix these problems (for stable and
current).

The patch also starts ipmon _before_ loading the ipf or ipnat filter/nat
rules (and not after loading filter rules as was previously the case).

Furthermore loading of the state table via ipfs(8) is done after loading
both filter and nat rules (and not only after loading filter rules as
was previously the case).
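The expansion problem described in the report above, as an added example that is not part of the PR, of the referenced patch, or of FreeBSD's rc.network. It uses the rc.conf values exactly as quoted in the report; the variable name ipfilter_flags and the corrected expressions are assumptions modelled on the ipfs_flags variable the report shows, and a stand-in function that counts its arguments replaces the real ipf/ipfs binaries, so nothing touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from this PR, its patch, or FreeBSD's rc.network.
# It reproduces the ${var:-default} pitfall the report describes, using the
# variable names from /etc/defaults/rc.conf exactly as quoted above. No real
# ipf/ipfs binary is run; commands are only expanded and echoed, and a
# stand-in function counts arguments where the eval point is shown.

# Defaults as quoted from /etc/defaults/rc.conf in the report.
ipfilter_program="/sbin/ipf -Fa -f"
ipfs_flags=""
ipfs_program="/sbin/ipfs"

# The rc.network expressions as quoted in the report. ${var:-word} uses
# word only when var is unset or empty, so these non-empty defaults win and
# the options after ':-' (-y, -R) are silently dropped. The unquoted echo
# mirrors how the shell would word-split the command line.
old_ipf_cmd()  { echo ${ipfilter_program:-/sbin/ipf -y}; }
old_ipfs_cmd() { echo ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}; }

# The split the report argues for: *_program names only the binary, options
# the script itself relies on (-y, -R) are written in the script, and user
# options live in *_flags. ipfilter_flags is an assumed name for this
# example, modelled on the ipfs_flags variable the report shows; the
# committed patch may differ.
new_defaults() {
	ipfilter_program="/sbin/ipf"
	ipfilter_flags=""
	ipfs_program="/sbin/ipfs"
	ipfs_flags=""
}
new_ipf_sync_cmd()  { echo ${ipfilter_program} -y ${ipfilter_flags}; }
new_ipfs_load_cmd() { echo ${ipfs_program} -R ${ipfs_flags}; }

# The eval point: word splitting of an unquoted expansion already turns
# "/sbin/ipf -Fa -f" into separate arguments, so eval adds nothing here.
count_args() { echo $#; }
args_no_eval()   { cmd="count_args -Fa -f"; ${cmd} /etc/ipf.rules; }
args_with_eval() { cmd="count_args -Fa -f"; eval ${cmd} /etc/ipf.rules; }
# What eval does add is a second parse of the value: quote characters in
# it are honoured (one argument) instead of being passed literally (two).
quoted_no_eval()   { cmd="count_args 'a b'"; ${cmd}; }
quoted_with_eval() { cmd="count_args 'a b'"; eval ${cmd}; }

# Stand-alone run, in a subshell so new_defaults leaves the globals alone.
(
	echo "old rc.network: $(old_ipf_cmd) | $(old_ipfs_cmd)"
	new_defaults
	echo "split program/flags: $(new_ipf_sync_cmd) | $(new_ipfs_load_cmd)"
	echo "argc without/with eval: $(args_no_eval)/$(args_with_eval)," \
	    "quoted value: $(quoted_no_eval)/$(quoted_with_eval)"
)
```

The first two functions print exactly the two lines the report says the old expressions evaluate to, which is the whole bug: a non-empty *_program default makes the `:-` fallback, and with it the -y and -R options, unreachable. Keeping *_program to the bare binary and putting script-required options in the script is what lets one variable serve both the rule-loading and the interface-sync call sites.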
Comment 1 Crist J. Clark freebsd_committer freebsd_triage 2001-10-25 09:10:09 UTC
Responsible Changed
From-To: freebsd-bugs->darrenr

To the IPFilter maintainer.
Comment 2 Giorgos Keramidas freebsd_committer freebsd_triage 2002-01-09 18:02:21 UTC
State Changed
From-To: open->closed

In revision 1.112 of src/etc/rc.network the ipfilter code was largely 
replaced by the version written by Arjan de Vet.