From nobody@FreeBSD.org  Sun Apr  6 16:37:07 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 6FB3D2AC
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  6 Apr 2014 16:37:07 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 5D2A1E6F
	for <freebsd-gnats-submit@FreeBSD.org>; Sun,  6 Apr 2014 16:37:07 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s36Gb770078533
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 6 Apr 2014 16:37:07 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s36Gb6nj078527;
	Sun, 6 Apr 2014 16:37:06 GMT
	(envelope-from nobody)
Message-Id: <201404061637.s36Gb6nj078527@cgiserv.freebsd.org>
Date: Sun, 6 Apr 2014 16:37:06 GMT
From: Frank Volf <frank@deze.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: service ipfilter reload does not work
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         188318
>Category:       bin
>Synopsis:       [rc.d] [patch] service ipfilter reload does not work
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 06 16:40:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Wed Apr 16 00:56:30 UTC 2014
>Originator:     Frank Volf
>Release:        FreeBSD 10-STABLE
>Organization:
>Environment:
FreeBSD drawbridge.internal.deze.org 10.0-STABLE FreeBSD 10.0-STABLE #0 r262433: Mon Feb 24 16:25:35 CET 2014     root@drawbridge-new.internal.deze.org:/usr/obj/usr/sources/src10-stable/sys/SHUTTLE  i386

>Description:

If you modify your ipfilter rule set and issue a 'service ipfilter reload', an empty IPv4 rule set will be loaded.
You can see this with the 'ipfstat -ionh' command.
>How-To-Repeat:
Issue 'service ipfilter reload'
>Fix:
The issue is caused by an error in the /etc/rc.d/ipfilter script.

In this script the command '${ipfilter_program:-/sbin/ipf} -I -6 -Fa' is used to flush the inactive rule set.

However, this command does not work as expected. It flushes both the IPv4 and the IPv6 inactive rule sets.

So the new ipfilter rule set, loaded just above this command, is immediately removed.

The fix is simple: comment out this line and it works fine (above this line there is already a ' ${ipfilter_program:-/sbin/ipf} -I -Fa' that flushes both the inactive IPv4 and the IPv6 rule base).

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->cy 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Apr 16 00:54:44 UTC 2014 
Responsible-Changed-Why:  
Cy, this involves ipfilter, although not the ipfilter code itself. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=188318 
>Unformatted:
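Added example, not part of this PR and not FreeBSD's rc script: a small POSIX sh model of the reload sequence the report describes. The ipf function below is a mock that keeps rule counts for the active and inactive IPv4/IPv6 sets in shell variables and implements only the flags the rc script uses (-I, -6, -Fa, -f, -s); it models both '-I -Fa' and '-I -6 -Fa' as flushing the inactive IPv4 and IPv6 lists together, which is the behaviour the report observes, and '-s' as the active/inactive swap. The rule files are constructed stand-ins for /etc/ipf.rules and /etc/ipf6.rules. reload_buggy follows the shipped ordering and ends with an empty active IPv4 set; reload_fixed drops the second flush, as the report proposes, and keeps the rules.

```shell
#!/bin/sh
# Model of the reload sequence in /etc/rc.d/ipfilter (constructed example).
# ipf() is a mock, not ipf(8): it tracks rule COUNTS for the four rule sets
# (active/inactive x IPv4/IPv6) and understands only the flags the rc script
# uses:
#   -I       operate on the inactive rule set
#   -6       select the IPv6 rule list
#   -Fa      flush all rules of the selected set
#   -f FILE  load the rules in FILE into the selected set (one rule per line)
#   -s       swap the active and inactive rule sets
# Assumption taken from the report: an inactive-set flush ("-I -Fa" and
# "-I -6 -Fa" alike) clears BOTH the inactive IPv4 and IPv6 lists.

ACT4=0; ACT6=0; INACT4=0; INACT6=0

ipf() {
    inactive=0; v6=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -I) inactive=1 ;;
            -6) v6=1 ;;
            -Fa)
                if [ "$inactive" -eq 1 ]; then
                    INACT4=0; INACT6=0          # modelled: both families go
                else
                    ACT4=0; ACT6=0
                fi ;;
            -f)
                shift
                n=$(( $(wc -l < "$1") ))        # one rule per line
                if [ "$inactive" -eq 1 ]; then
                    if [ "$v6" -eq 1 ]; then INACT6=$n; else INACT4=$n; fi
                else
                    if [ "$v6" -eq 1 ]; then ACT6=$n; else ACT4=$n; fi
                fi ;;
            -s)
                t=$ACT4; ACT4=$INACT4; INACT4=$t
                t=$ACT6; ACT6=$INACT6; INACT6=$t ;;
            *)  echo "mock ipf: unsupported flag $1" >&2; return 1 ;;
        esac
        shift
    done
}

# Constructed rule files in ipf syntax, stand-ins for /etc/ipf.rules and
# /etc/ipf6.rules (three IPv4 rules, two IPv6 rules).
RULES_DIR=$(mktemp -d)
RULES4="$RULES_DIR/ipf.rules"
RULES6="$RULES_DIR/ipf6.rules"
printf '%s\n' 'pass in quick on lo0 all' \
              'block in log quick all' \
              'pass out quick all keep state' > "$RULES4"
printf '%s\n' 'pass in quick on lo0 all' \
              'block in log quick all' > "$RULES6"

# Shipped ordering as the report describes it: the "-I -6 -Fa" that follows
# the IPv4 load wipes the IPv4 rules just loaded, so the swap activates an
# empty IPv4 set.
reload_buggy() {
    ipf -I -Fa
    ipf -I -f "$RULES4"
    ipf -I -6 -Fa
    ipf -I -6 -f "$RULES6"
    ipf -s
}

# Same sequence with that line dropped: the leading "-I -Fa" has already
# cleared both inactive lists, so nothing else needs flushing before the swap.
reload_fixed() {
    ipf -I -Fa
    ipf -I -f "$RULES4"
    ipf -I -6 -f "$RULES6"
    ipf -s
}

# Rule counts of the active sets; the stand-in here for checking the result
# with "ipfstat -ionh" on a real system.
active_ipv4_rules() { echo "$ACT4"; }
active_ipv6_rules() { echo "$ACT6"; }

reload_buggy
echo "after buggy reload: ipv4=$(active_ipv4_rules) ipv6=$(active_ipv6_rules)"
reload_fixed
echo "after fixed reload: ipv4=$(active_ipv4_rules) ipv6=$(active_ipv6_rules)"
```

Running it prints ipv4=0 after the buggy reload and ipv4=3 after the fixed one, with ipv6=2 in both cases, which is the symptom from the Description: the IPv6 rules survive, the IPv4 rules do not.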
