From helix@zhukov.chaotical.ly  Sun Apr  1 14:12:11 2001
Return-Path: <helix@zhukov.chaotical.ly>
Received: from zhukov.chaotical.ly (zhukov.chaotical.ly [208.11.244.15])
	by hub.freebsd.org (Postfix) with ESMTP id A1ED537B71B
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  1 Apr 2001 14:12:11 -0700 (PDT)
	(envelope-from helix@zhukov.chaotical.ly)
Received: by zhukov.chaotical.ly (Postfix, from userid 5001)
	id 208831936E; Sun,  1 Apr 2001 17:12:12 -0400 (EDT)
Message-Id: <20010401211212.208831936E@zhukov.chaotical.ly>
Date: Sun,  1 Apr 2001 17:12:12 -0400 (EDT)
From: thomas+freebsd@stromberg.org
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: IPFilter doesn't load module if ipfilter_enable is in rc.conf
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         26275
>Category:       conf
>Synopsis:       ipfilter_enable in rc.conf does not load kld
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 01 14:20:01 PDT 2001
>Closed-Date:    Tue Mar 26 02:10:30 PST 2002
>Last-Modified:  Tue Mar 26 02:10:30 PST 2002
>Originator:     Thomas Stromberg
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Research Triangle Commerce, Inc. (ICC.net)
>Environment:
System: FreeBSD zhukov.chaotical.ly 5.0-CURRENT FreeBSD 5.0-CURRENT #3: Mon Mar 26 17:13:07 EST 2001 helix@zhukov.chaotical.ly:/usr/obj/usr/src/sys/GEORGI i386
FreeBSD grouper.aquarium.rtci.com 4.3-BETA FreeBSD 4.3-BETA #1: Thu Mar 15 18:09:40 EST 2001 tstromberg@grouper.aquarium.rtci.com:/usr/obj/usr/src/sys/GROUPER  i386
FreeBSD localhost 4.3-RC FreeBSD 4.3-RC #0: Thu Mar 29 22:51:39 CEST 2001 root@localhost:/usr/obj/usr/src/sys/GENERIC  i386
FreeBSD crackwhore.slush.ca 4.3-RC FreeBSD 4.3-RC #0: Sun Apr  1 14:34:52 MDT 2001     root@moo.powersurfr.com:/usr/src/sys/compile/booger2  i386

>Description:

ipfilter_enable and ipnat_enable in rc.conf are next to useless, because:

1) ipfilter_enable will only work if it's built into the kernel. Unlike
ipfw, it will not test to see if it's loaded, and load its kernel module. This
definitely breaks the 'principle of least surprise'.

2) ipnat_enable will only work if /etc/ipf.rules exists. This assumption
does not work very well for people who are just setting up a basic NAT, and
don't need to (yet) set up any firewalling.

This is definitely a big support problem on the IRC channels. The patch
included fixes both of these problems. I'd love to see this committed for
4.3-RELEASE, to save on all the confusion we have in #FreeBSDhelp.

>How-To-Repeat:
	set ipfilter_enable="YES" in /etc/rc.conf. Reboot. Run kldstat; you
will see that the ipl module is not loaded. Even if you do have it in your
kernel, ipnat will not enable without ipf.rules.

>Fix:

This patch applies cleanly to 4.3-RC and 5.0-CURRENT.

--- /usr/src/etc/rc.network	Tue Mar 20 17:52:05 2001
+++ rc.network	Sun Apr  1 16:15:04 2001
@@ -62,10 +62,30 @@
 	#
 	case "${ipfilter_enable}" in
 	[Yy][Ee][Ss])
-		if [ -r "${ipfilter_rules}" ]; then
-			echo -n ' ipfilter';
-			${ipfilter_program:-/sbin/ipf -Fa -f} \
-			    "${ipfilter_rules}" ${ipfilter_flags}
+		# Some hackery to get just the bare program name.
+		ipfilter_binary=`echo ${ipfilter_program} | cut -d" " -f1`
+
+		if ${ipfilter_binary} -Z > /dev/null 2>&1; then
+			ipf_loaded=1
+		else
+			if kldload ipl > /dev/null; then
+				ipf_loaded=1
+				echo 'IPFilter module loaded'
+			else
+				echo 'Warning: IPFilter kernel module failed to load'
+			fi
+		fi
+
+		if [ ${ipf_loaded} ]; then
+			if [ -r "${ipfilter_rules}" ]; then
+				echo -n ' ipfilter';
+				${ipfilter_program:-/sbin/ipf -Fa -f} \
+				    "${ipfilter_rules}" ${ipfilter_flags}
+			else
+				ipfilter_enable="NO"
+				echo -n ' NO IPF RULES'
+			fi
+
 			case "${ipmon_enable}" in
 			[Yy][Ee][Ss])
 				echo -n ' ipmon'
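Review bot: the presence probe on the `if ${ipfilter_binary} -Z` line has two problems. First, `ipfilter_binary` is cut from `${ipfilter_program}` before the `${ipfilter_program:-/sbin/ipf -Fa -f}` default is applied a few lines later, so with the variable unset in rc.conf (the common case) the probe runs the bare command `-Z`, fails, and every boot falls through to `kldload ipl` even when IPFilter is already in the kernel; derive it from the defaulted value instead (`ipfilter_binary=\`echo ${ipfilter_program:-/sbin/ipf -Fa -f} | cut -d" " -f1\``). Second, `ipf -Z` is not a read-only check: it zeroes the filter's kernel statistics on every start, so prefer a probe without side effects. Minor: `if [ ${ipf_loaded} ]` only works because the variable is unset rather than empty in the failure path; `[ -n "${ipf_loaded}" ]` says what is meant.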
@@ -83,9 +103,6 @@
 				fi
 				;;
 			esac
-		else
-			ipfilter_enable="NO"
-			echo -n ' NO IPF RULES'
 		fi
 		;;
 	esac
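Review bot: with this `else` branch removed, the `ipfilter_enable="NO"` / `NO IPF RULES` path only runs once the module is known to be present. When `kldload ipl` fails in the previous hunk, `ipfilter_enable` is left at `YES` while no filter is loaded, so anything later in rc.network that keys on `${ipfilter_enable}` sees an enabled firewall that is not there, and the console shows only the warning. Set `ipfilter_enable="NO"` in the load-failure branch too (next to `echo 'Warning: IPFilter kernel module failed to load'`) so both failure paths leave the variable in a state that matches what was actually configured.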
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sat Apr 28 19:20:56 PDT 2001 
Responsible-Changed-Why:  
Over to IPFilter maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26275 
State-Changed-From-To: open->feedback 
State-Changed-By: guido 
State-Changed-When: Wed Nov 14 14:20:58 MET 2001 
State-Changed-Why:  
Arjan de Vet and Doug Barton have made patches to the FreeBSD rc system 
that should solve all of the known problems with IPFilter. 
Current and stable patches are available at the URL underneath. 
Please be so kind to: 
1) Test the patches if they do work for you 
2) mail your feedback to Arjan de Vet (devet@devet.org) 
3) If all is worked out and Arjan has the patches committed, please 
update the PR. 

Url: 
http://home.iae.nl/users/devet/freebsd/ 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=26275 
State-Changed-From-To: feedback->closed 
State-Changed-By: darrenr 
State-Changed-When: Tue Mar 26 02:09:50 PST 2002 
State-Changed-Why:  
this problem has been resolved in -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=26275 
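As an added shell example, not part of PR 26275, its patch, or FreeBSD's rc.network, the start-up sequence the report asks for in its first two points: probe for the ipl module with a read-only check, load it only if absent, apply ipf rules only once the module is present, and start ipnat from its own rule file without requiring /etc/ipf.rules. The kernel-facing steps (kldstat, kldload, ipf, ipnat) sit behind small wrapper functions so the decision logic can be exercised with stubs on a host without IPFilter. Assumptions not taken from the PR: the module file name `ipl.ko` passed to `kldstat -n`, the `/sbin/ipnat -CF -f` default and the `/etc/ipnat.rules` path, and the `*_status` variable names.

```shell
#!/bin/sh
# Added example, not the PR's patch: "module first, then rules" for both
# ipfilter and ipnat, with status reported rather than silently left enabled.

# rc.conf-style defaults. The ipnat flags and paths are assumptions.
ipfilter_program="${ipfilter_program:-/sbin/ipf -Fa -f}"
ipfilter_rules="${ipfilter_rules:-/etc/ipf.rules}"
ipnat_program="${ipnat_program:-/sbin/ipnat -CF -f}"
ipnat_rules="${ipnat_rules:-/etc/ipnat.rules}"

# Read-only presence probe: kldstat -n exits non-zero when the file is not
# loaded. A statically compiled-in IPFilter is not a kld, so a kernel built
# with "options IPFILTER" would need a different check here (the PR's patch
# uses "ipf -Z" for that, at the cost of zeroing the filter's statistics).
ipl_loaded()  { kldstat -n ipl.ko >/dev/null 2>&1; }
ipl_load()    { kldload ipl; }
ipf_apply()   { ${ipfilter_program} "${ipfilter_rules}"; }
ipnat_apply() { ${ipnat_program} "${ipnat_rules}"; }

# Make sure the module is in the kernel; succeed only if it is afterwards.
ensure_ipl() {
    if ipl_loaded; then
        return 0
    fi
    if ipl_load && ipl_loaded; then
        echo 'IPFilter module loaded'
        return 0
    fi
    echo 'Warning: IPFilter kernel module failed to load' >&2
    return 1
}

# Shared step. $1 = prefix for the status variable, $2 = rule file,
# $3 = apply function. Sets <prefix>_status to one of:
#   failed   module absent and not loadable (or apply failed): nothing configured
#   norules  module present, rule file missing: enabled but empty
#   loaded   rule file applied
# Returns non-zero only for "failed", so callers can key on that.
start_step() {
    _name=$1; _rules=$2; _apply=$3
    _status=failed
    if ensure_ipl; then
        if [ -r "${_rules}" ]; then
            if ${_apply}; then _status=loaded; else _status=failed; fi
        else
            _status=norules
        fi
    fi
    eval "${_name}_status=\${_status}"
    [ "${_status}" != failed ]
}

# ipnat depends on the module and its own rule file, not on ipf.rules.
ipfilter_start() { start_step ipfilter "${ipfilter_rules}" ipf_apply; }
ipnat_start()    { start_step ipnat "${ipnat_rules}" ipnat_apply; }

# Stand-alone use on a FreeBSD host: sh ipf_start.sh start
if [ "${1:-}" = start ]; then
    ipfilter_start; echo "ipfilter: ${ipfilter_status}"
    ipnat_start;    echo "ipnat: ${ipnat_status}"
fi
```

The point of the three-way status is the failure mode the PR describes: a firewall that was asked for but never loaded must not be reported as enabled, and a missing ipf.rules must not prevent NAT from starting when ipnat has its own rules.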
>Unformatted:
