From spock@empire.trek.org  Mon Nov 20 16:33:52 2000
Return-Path: <spock@empire.trek.org>
Received: from mailout05.sul.t-online.com (mailout05.sul.t-online.com [194.25.134.82])
	by hub.freebsd.org (Postfix) with ESMTP id 0357937B479
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 20 Nov 2000 16:33:48 -0800 (PST)
Received: from fwd01.sul.t-online.com 
	by mailout05.sul.t-online.com with smtp 
	id 13y1Nb-00042P-00; Tue, 21 Nov 2000 01:33:47 +0100
Received: from koloth.empire.trek.org (520080156505-0001@[212.184.145.181]) by fwd01.sul.t-online.com
	with esmtp id 13y1NM-1QAvKKC; Tue, 21 Nov 2000 01:33:32 +0100
Received: from qonos.empire.trek.org (qonos.empire.trek.org [10.1.28.3])
	by koloth.empire.trek.org (Postfix) with ESMTP id 46ED817427
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 21 Nov 2000 01:33:32 +0100 (CET)
Received: by qonos.empire.trek.org (Postfix, from userid 1001)
	id 9193B1FFC; Tue, 21 Nov 2000 01:33:48 +0100 (CET)
Message-Id: <20001121003348.9193B1FFC@qonos.empire.trek.org>
Date: Tue, 21 Nov 2000 01:33:48 +0100 (CET)
From: dl@leo.org
Sender: spock@empire.trek.org
Reply-To: dl@leo.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: patch for rc.network to load ipl.ko (IPFILTER)
X-Send-Pr-Version: 3.2

>Number:         22998
>Category:       conf
>Synopsis:       ipf fails to load the rules if IPFILTER is not statically linked
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 20 16:40:01 PST 2000
>Closed-Date:    Thu Oct 18 14:41:20 PDT 2001
>Last-Modified:  Thu Oct 18 14:41:40 PDT 2001
>Originator:     Daniel Lang
>Release:        FreeBSD 4.2-RELEASE i386
>Organization:
TU Muenchen
>Environment:

4.2-RELEASE, with IPFILTER _not_ in static kernel, and
ipfilter_enable="YES" in rc.conf

>Description:

ipf fails to load the rules if IPFILTER is not in the kernel
and does not automatically load the module, so I patched
rc.network like the ipfw section, to load the module on
demand.

>How-To-Repeat:

see Environment

>Fix:

Here is the patch; it is pretty much like the ipfw section:

--- /etc/rc.network     Tue Nov 21 00:55:01 2000
+++ /tmp/rc.network.patched     Tue Nov 21 01:21:47 2000
@@ -48,8 +48,21 @@
        # Establish ipfilter ruleset as early as possible (best in
        # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
        #
+       if /sbin/ipfstat -i > /dev/null 2>&1; then
+               ipfilter_in_kernel=1
+       else
+               ipfilter_in_kernel=0
+       fi
+
        case "${ipfilter_enable}" in
        [Yy][Ee][Ss])
+               if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then
+                       ipfilter_in_kernel=1
+                       echo "Kernel ipfilter module loaded."
+               elif [ "${ipfilter_in_kernel}" -eq 0 ]; then
+                       echo "Warning: ipfilter kernel module failed to load."
+               fi
+
                if [ -r "${ipfilter_rules}" ]; then
                        echo -n ' ipfilter';
                        ${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
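
Review bot: The elif branch that prints "Warning: ipfilter kernel module failed to load." falls through to the existing 'if [ -r "${ipfilter_rules}" ]' block, so the ipf command still runs with no ipfilter in the kernel and the script carries on with no ruleset in place. Consider gating the rule load on '[ "${ipfilter_in_kernel}" -eq 1 ]' and having the failure message state that no rules were loaded, so the unfiltered state is obvious on the console. Separately, the '/sbin/ipfstat -i' probe sits above the case statement, so it runs even when ipfilter_enable is not YES; moving it inside the '[Yy][Ee][Ss])' branch would avoid that.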


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Mon Nov 20 23:04:25 PST 2000 
Responsible-Changed-Why:  

Darren is the ipfilter czar 

http://www.freebsd.org/cgi/query-pr.cgi?pr=22998 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Mon Jul 30 16:09:24 PDT 2001 
State-Changed-Why:  
patch is now in -current 


From: Daniel Lang <dl@leo.org>
To: freebsd-gnats-submit@FreeBSD.org, dl@leo.org, darrenr@freebsd.org
Cc:  
Subject: Re: conf/22998: ipf fails to load the rules if IPFILTER is not statically linked
Date: Thu, 18 Oct 2001 15:14:07 +0200

 Hi Darren,
 
 I've just noticed that that PR is still awaiting my feedback. ;)
 It seems to have been working for a while already, so feel free to close the PR.
 
 Thanks,
  Daniel
 -- 
 IRCnet: Mr-Spock   - signs of absurd developments in the net community: 
 #42:   - "In my opinion, a sausage sandwich belongs to Cartoon's breakfast botnet" -  
 *Daniel Lang * dl@leo.org * +49 89 289 25735 * http://www.leo.org/~dl/*
State-Changed-From-To: feedback->closed 
State-Changed-By: darrenr 
State-Changed-When: Thu Oct 18 14:41:20 PDT 2001 
State-Changed-Why:  
originator said I could 

>Unformatted:
