ipfilter has a number of tunable variables (run "ipf -T list" to see the list). Although many (all?) of these are made available via sysctl, it is not possible to configure them in the context of the current /etc/rc.conf or /etc/sysctl.conf arrangements due to the following constraints/interactions:

1. Some of the tunables can be set only if ipfilter is disabled.
2. The current /etc/rc.d/ipfilter startup script enables ipfilter and causes it to load the filter rules before doing anything about ipfilter_flags, which might theoretically be set to "-D -T <foo> -E".
3. You could try ipfilter_flags="-D -T <foo> -E -f ${ipfilter_rules}" to reload the rules. However, ipfilter_flags are also used for the reload and resync commands of the startup script (i.e., later on), so you run into...
4. Disabling ipfilter not only flushes existing configured filter rules, it also flushes any configured NAT rules (loaded independently via /etc/rc.d/ipnat).
5. /etc/sysctl.conf is processed after /etc/rc.d/ipfilter runs, so ipfilter tunables set in sysctl.conf fail due to ipfilter being enabled.
6. Oh, and they can't be set in /boot/loader.conf either.

Here is a fix that allows variables to be specified in /etc/rc.conf so they will be set early in the /etc/rc.d/ipfilter script.

Fix: Patch attached

Patch attached with submission follows:
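The constraints listed in the report fix an ordering for any script that sets ipfilter tunables at boot: disable, set tunables, re-enable, then reload both the filter rules and the NAT rules, because disabling flushed both. The following shell function is an added illustration of that ordering; it is not the attached patch and not part of the FreeBSD rc.d scripts. The rule file paths, the IPF/IPNAT variables and the sample tunable are constructed for the example. By default it only prints the commands it would run, so the sequence can be reviewed before it is executed with RUN=1.

```shell
#!/bin/sh
# Added example, not the attached patch: apply ipfilter tunables in the
# order the report's constraints require.  Paths below are assumptions.

IPF=${IPF:-/sbin/ipf}
IPNAT=${IPNAT:-/sbin/ipnat}

# Print a command, or execute it when RUN=1 (dry run by default).
run_cmd() {
    if [ "${RUN:-0}" = 1 ]; then
        eval "$1"
    else
        echo "$1"
    fi
}

# ipf_tunable_sequence RULES NAT_RULES name=value [name=value ...]
#   1. disable ipfilter (constraint 1: tunables need it disabled),
#   2. set each tunable with "ipf -T name=value",
#   3. re-enable,
#   4. reload filter rules and NAT rules, both of which the disable
#      step flushed (constraint 4).
ipf_tunable_sequence() {
    rules=$1; nat_rules=$2; shift 2
    for t in "$@"; do
        case $t in
            *=*) ;;   # well-formed "name=value"
            *) echo "ipf_tunable_sequence: bad tunable '$t'" >&2; return 1 ;;
        esac
    done
    run_cmd "$IPF -D"
    for t in "$@"; do
        run_cmd "$IPF -T $t"
    done
    run_cmd "$IPF -E"
    run_cmd "$IPF -Fa -f $rules"        # filter rules were flushed by -D
    run_cmd "$IPNAT -CF -f $nat_rules"  # NAT rules were flushed by -D too
}

# Sample invocation (dry run): paths and tunable value are constructed.
# ipf_tunable_sequence /etc/ipf.rules /etc/ipnat.rules fr_tcpidletimeout=600
```

Validating the tunables before issuing `ipf -D` matters: once ipfilter is disabled the rule sets are gone, so a typo discovered mid-sequence would leave the host with no filter and no NAT until the reload step.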
Responsible Changed From-To: freebsd-bugs->freebsd-net Perhaps the folks on -net can evaluate this.
Responsible Changed From-To: freebsd-net->cy Mine.
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped
Keyword: patch or patch-ready – in lieu of summary line prefix: [patch] * bulk change for the keyword * summary lines may be edited manually (not in bulk). Keyword descriptions and search interface: <https://bugs.freebsd.org/bugzilla/describekeywords.cgi>