Created attachment 168033
Add ipfw to REQUIRE in /etc/rc.d/netwait

FreeBSD rwsrv04.gfn.riverwillow.net.au 10.3-RC2 FreeBSD 10.3-RC2 #0 r296673: Sat Mar 12 11:12:32 AEDT 2016 root@rwsrv04.gfn.riverwillow.net.au:/build/obj/build/src/sys/RWSRV04 i386

In Kernel config file:
    options IPFIREWALL #firewall

In rc.conf:
    netwait_enable=YES

All was well in 10.2-RELEASE, but now...

/etc/rc.d/netwait no longer succeeds in pinging ${netwait_ip} because the firewall has not yet been started and the default "deny all" condition prevails. netwait times out, startup proceeds and bits of networking components don't get started because the interfaces haven't finished being configured yet (now that packets can get through).

The attached patch makes netwait dependent on ipfw. I doubt that this is the proper solution but "it works for me".

netwait used to be dependent on NETWORKING and everything worked fine. The commit message for r294680 explains why NETWORKING was removed from the netwait REQUIRE list but there are more things that need to be taken into account. Replacing NETWORKING with only devd and routing in the REQUIRE list is obviously insufficient. I'm thinking the dependency probably belongs in a different script - but where?

The effect of adding ipfw to the netwait REQUIRE list changes rcorder like this:

--- rcorder.10.3 2016-03-12 14:08:16.432798000 +1100 +++ rcorder.10.3.jm 2016-03-12 14:08:36.667104000 +1100 @@ -44,6 +44,7 @@ /etc/rc.d/ppp /etc/rc.d/faith /etc/rc.d/routing +/etc/rc.d/ipfw /etc/rc.d/netwait /etc/rc.d/resolv /etc/rc.d/local_unbound @@ -57,7 +58,6 @@ /etc/rc.d/mrouted /etc/rc.d/routed /etc/rc.d/defaultroute -/etc/rc.d/ipfw /etc/rc.d/NETWORKING /etc/rc.d/mountcritremote /etc/rc.d/newsyslog
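Review bot: in the first hunk only /etc/rc.d/ipfw is shown moving ahead of /etc/rc.d/netwait; the visible context lines do not show where the pf and ipfilter scripts sort, so the same listing should be checked for them before treating the ordering as fixed for every firewall. The added line also places ipfw ahead of /etc/rc.d/resolv and /etc/rc.d/local_unbound, so a ruleset that needs name resolution while it loads should be tested against the new order.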
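Review bot: in the second hunk /etc/rc.d/ipfw is removed from its position after /etc/rc.d/defaultroute, which means it now runs before mrouted, routed and defaultroute instead of after them. It is worth stating in the patch description that this reordering is intended and that the ruleset load does not depend on routes those scripts set up.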
A commit references this bug:

Author: ian
Date: Sun Mar 13 19:42:59 UTC 2016
New revision: 296807
URL: https://svnweb.freebsd.org/changeset/base/296807

Log:
  Require firewall setup before running rc.d/netwait, otherwise the ping packets sent by netwait may not get through.

  PR: 207916
  Submitted by: John.Marshall@riverwillow.com.au (ipfw), ian@ (pf, ipfilter)

Changes:
  head/etc/rc.d/netwait
I think a better fix would be to split this into two scripts, one that waits for network interfaces to appear and another that waits for IP connectivity. The interface wait would happen before NETWORKING and the IP wait afterwards like it used to. When I started to pursue that I ran into an existing circular dependency between devd and mountcritremote which becomes much worse when inserting the new interface-wait before NETWORKING (one dependency conflict turns into a couple dozen). That's going to be hard to resolve, so I've committed the provided fix (and added the pf and ipfilter firewalls as well) for now.
If ipfw is a hardcoded dependency of netwait now, what if I am using PF as the firewall of my choice? Will netwait fail?
(In reply to Miroslav Lachman from comment #3)
No, the "requirements" don't really mean the named script has to complete successfully; they only direct rcorder(8) to sort the scripts so that they run in requirement order. So the change just ensures that all 3 flavors of firewall-setup script will have a chance to run before the netwait script runs.
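The ordering-only behaviour described in the reply above, as an added example that is not part of the thread and is not FreeBSD's rcorder: it sorts stub scripts with tsort(1) from their PROVIDE/REQUIRE headers. The helper names (mk, rc_order, comes_before, demo_order) and every stub header, including the one for NETWORKING, are constructed for illustration.

```shell
#!/bin/sh
# Ordering-only sort in the spirit of rcorder(8), built on tsort(1).
# The stub headers are constructed for this example, not copied from /etc/rc.d.

mk() {  # mk <dir> <name> [requires...]: write a stub with rc-style headers
    d=$1; n=$2; shift 2
    printf '# PROVIDE: %s\n# REQUIRE: %s\n' "$n" "$*" > "$d/$n"
}

rc_order() {  # print names in an order that satisfies every REQUIRE
    dir=$1
    for f in "$dir"/*; do
        name=${f##*/}
        echo "$name $name"    # identical pair: node exists, no constraint
        for req in $(sed -n 's/^# REQUIRE: *//p' "$f"); do
            prov=$(grep -lx "# PROVIDE: $req" "$dir"/* | head -n 1)
            # Only an ordering edge is emitted; nothing checks whether the
            # provider is enabled or exits successfully.
            if [ -n "$prov" ]; then echo "${prov##*/} $name"; fi
        done
    done | tsort
}

comes_before() {  # comes_before <a> <b> <order>: true if a is listed first
    for s in $3; do
        [ "$s" = "$1" ] && return 0
        [ "$s" = "$2" ] && return 1
    done
    return 1
}

demo_order() {  # $1: names appended to netwait's REQUIRE line
    tmp=$(mktemp -d)
    mk "$tmp" devd
    mk "$tmp" routing devd
    for fw in ipfw pf ipfilter; do mk "$tmp" "$fw" routing; done
    mk "$tmp" netwait devd routing $1
    mk "$tmp" NETWORKING netwait ipfw pf ipfilter
    rc_order "$tmp" | tr '\n' ' '
    rm -rf "$tmp"
}

order=$(demo_order "ipfw pf ipfilter")
echo "order: $order"
for fw in ipfw pf ipfilter; do
    comes_before "$fw" netwait "$order" && echo "$fw sorts before netwait"
done
```

Calling demo_order with an empty argument leaves the relative position of netwait and the firewall stubs unconstrained, which is the situation the original report describes.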
Thank you. I was not sure because I played with rc and rcorder a long time ago.
A commit references this bug:

Author: ian
Date: Wed Mar 16 16:21:30 UTC 2016
New revision: 296940
URL: https://svnweb.freebsd.org/changeset/base/296940

Log:
  MFC r296807:

  Require firewall setup before running rc.d/netwait, otherwise the ping packets sent by netwait may not get through.

  PR: 207916

Changes:
  _U stable/10/
  stable/10/contrib/llvm/tools/clang/lib/Driver/Tools.cpp
  stable/10/etc/rc.d/netwait
A commit references this bug:

Author: ian
Date: Wed Mar 16 16:52:31 UTC 2016
New revision: 296943
URL: https://svnweb.freebsd.org/changeset/base/296943

Log:
  MFC r296807: (this time with 100% fewer unintended changes mixed in)...

  Require firewall setup before running rc.d/netwait, otherwise the ping packets sent by netwait may not get through.

  PR: 207916

Changes:
  _U stable/10/
  stable/10/etc/rc.d/netwait
A commit references this bug:

Author: ian
Date: Wed Mar 16 17:35:55 UTC 2016
New revision: 296946
URL: https://svnweb.freebsd.org/changeset/base/296946

Log:
  MFC 296943:

  Require firewall setup before running rc.d/netwait, otherwise the ping packets sent by netwait may not get through.

  PR: 207916
  Approved by: re (marius)

Changes:
  _U releng/10.3/
  releng/10.3/etc/rc.d/netwait