Bug 130555 - [ipfilter] [rc.d] [patch] No good way to set ipfilter variables at boot time
Summary: [ipfilter] [rc.d] [patch] No good way to set ipfilter variables at boot time
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 7.1-PRERELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
Reported: 2009-01-14 18:30 UTC by G. Paul Ziemba
Modified: 2017-12-31 22:27 UTC
Attachments
file.diff (1.26 KB, patch)
2009-01-14 18:30 UTC, G. Paul Ziemba

Description G. Paul Ziemba 2009-01-14 18:30:01 UTC
ipfilter has a number of tunable variables (run "ipf -T list" to see the list). Although many (all?) of these are made available via sysctl, it is not possible to configure them in the context of the current /etc/rc.conf or /etc/sysctl.conf arrangements due to the following constraints/interactions:

1. Some of the tunables can be set only if ipfilter is disabled.

2. The current /etc/rc.d/ipfilter startup script enables ipfilter and
   causes it to load the filter rules before doing anything about
   ipfilter_flags, which might theoretically be set to "-D -T <foo> -E".

3. You could try ipfilter_flags="-D -T <foo> -E -f ${ipfilter_rules}" to
   reload the rules. However, ipfilter_flags are also used for the reload
   and resync commands of the startup script (i.e., later on), so you
   run into...

4. Disabling ipfilter not only flushes existing configured filter rules, it
   also flushes any configured NAT rules (loaded independently via
   /etc/rc.d/ipnat).

5. /etc/sysctl.conf is processed after /etc/rc.d/ipfilter runs, so ipfilter
   tunables set in sysctl.conf fail due to ipfilter being enabled.

6. Oh, and they can't be set in /boot/loader.conf either.

Here is a fix that allows variables to be specified in /etc/rc.conf so they will be set early in the /etc/rc.d/ipfilter script.

Fix: Patch attached

Patch attached with submission follows:
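The ordering problem described above (tunables must be applied while ipfilter is still disabled, before the rules are loaded) can be illustrated with the following dry-run sketch of an rc.d start method. This is an added example, not the attached patch and not FreeBSD's /etc/rc.d/ipfilter; the rc.conf variable name `ipfilter_tunables` and the sample tunable values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not the attached patch): compute the command sequence an
# rc.d start method should run so that ipfilter tunables are applied before
# ipfilter is enabled and before rules are loaded. Nothing is executed; the
# plan is printed so it can be inspected offline.
#
# "ipfilter_tunables" is a hypothetical rc.conf variable holding
# whitespace-separated name=value pairs, e.g.
#   ipfilter_tunables="fr_pass=1 ipf_nattable_sz=4096"   (constructed sample)

# Validate one tunable as name=value and emit it in the form ipf -T accepts.
# Rejects empty names, names with characters outside [A-Za-z0-9_], and
# empty values, so a malformed rc.conf entry fails loudly instead of being
# passed through to ipf.
ipf_tunable_arg() {
    case "$1" in
        *=*) name=${1%%=*}; value=${1#*=} ;;
        *)   echo "tunable must be name=value: $1" >&2; return 1 ;;
    esac
    case "$name" in
        ''|*[!A-Za-z0-9_]*) echo "bad tunable name: $name" >&2; return 1 ;;
    esac
    case "$value" in
        ''|*[!A-Za-z0-9_]*) echo "bad tunable value: $value" >&2; return 1 ;;
    esac
    printf '%s=%s' "$name" "$value"
}

# Print the start plan: tunables first (ipfilter still disabled), then
# enable, then flush and load the rule file. Returns non-zero and prints
# nothing further if any tunable is malformed.
# $1 = ipfilter_tunables value, $2 = rules file path.
ipfilter_start_plan() {
    tunables=$1
    rules=$2
    for t in $tunables; do
        arg=$(ipf_tunable_arg "$t") || return 1
        printf 'ipf -T %s\n' "$arg"
    done
    printf 'ipf -E\n'
    printf 'ipf -Fa -f %s\n' "$rules"
}
```

Running the plan, rather than printing it, would require root and a kernel with ipfilter loaded; the dry run is enough to see that `ipf -T` precedes `ipf -E`.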
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-01-16 22:44:56 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-net

Perhaps the folks on -net can evaluate this.
Comment 2 Cy Schubert freebsd_committer 2013-07-03 06:20:35 UTC
Responsible Changed
From-To: freebsd-net->cy

Mine.
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:38 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped