From sts@FreeBSD.org  Thu May  3 16:25:34 2001
Return-Path: <sts@FreeBSD.org>
Received: from pille1.addcom.de (pille1.addcom.de [62.96.128.35])
	by hub.freebsd.org (Postfix) with SMTP id 352AB37B422
	for <freebsd-gnats-submit@freebsd.org>; Thu,  3 May 2001 16:25:34 -0700 (PDT)
	(envelope-from sts@FreeBSD.org)
Received: (qmail 14492 invoked from network); 3 May 2001 23:25:32 -0000
Received: from n-dialin-1610.addcom.de (HELO sts-home.stadtbuch.de) (62.246.9.178)
  by pille1.addcom.de with SMTP; 3 May 2001 23:25:32 -0000
Received: (from root@localhost)
	by sts-home.stadtbuch.de (8.11.3/8.11.3) id f43NQ5a21153
	for freebsd-gnats-submit@freebsd.org; Fri, 4 May 2001 01:26:05 +0200 (CEST)
	(envelope-from sts)
Received: (from sts@localhost)
	by sts-home.stadtbuch.de (8.11.3/8.11.3av) id f43NQ0c21144;
	Fri, 4 May 2001 01:26:00 +0200 (CEST)
	(envelope-from sts)
Message-Id: <200105032326.f43NQ0c21144@sts-home.stadtbuch.de>
Date: Fri, 4 May 2001 01:26:00 +0200 (CEST)
From: stefan.schmidt@twest.de
Reply-To: stefan.schmidt@twest.de
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: save/restore IP Filter's state tables at shutdown/reboot (patch)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27070
>Category:       conf
>Synopsis:       save/restore IP Filter's state tables at shutdown/reboot (patch)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    darrenr
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu May 03 16:30:03 PDT 2001
>Closed-Date:    Tue Mar 26 02:04:16 PST 2002
>Last-Modified:  Tue Mar 26 02:04:16 PST 2002
>Originator:     Stefan Schmidt
>Release:        FreeBSD 4.3-RC i386
>Organization:
>Environment:
System: FreeBSD sts-home.stadtbuch.de 4.3-RC FreeBSD 4.3-RC #0: Tue Apr 17 23:28:43 CEST 2001 root@sts-home.stadtbuch.de:/usr/obj/usr/src/sys/STSHOME i386

applies to both RELENG_4 and CURRENT.
>Description:
IP Filter's utility program "ipfs" is supposed to save and restore IP
Filter's internal state tables. By saving state tables at shutdown and
restoring them at boot-time, already established connections aren't
disconnected (or hang, depending on your rules).

>How-To-Repeat:
(new functionality, thus no How-To-Repeat)
>Fix:

I've added a few new configuration parameters (ipfs_*) to
etc/defaults/rc.conf that may be overridden in etc/rc.conf:
ipfs_enable, ipfs_flags, ipfs_program.

The attached patches (against RELENG_4, but should also 
apply to CURRENT) also modify rc.network for restoring
the state tables at boot-time. rc.shutdown saves the tables
at shutdown-time. (is there a better place to put this?)

Directory db/ipf was added to etc/mtree.var.dist.

rc.conf(5) isn't ready yet but I'll happily provide patches to
anyone who wants to commit this functionality.

Note that PR bin/27063 (/sbin/ipfs missing) is a prerequisite.

Index: rc.network
===================================================================
RCS file: /home/cvs/src/etc/rc.network,v
retrieving revision 1.74.2.14
diff -u -r1.74.2.14 rc.network
--- rc.network	2001/03/06 02:21:59	1.74.2.14
+++ rc.network	2001/05/03 21:23:58
@@ -71,6 +71,15 @@
 				fi
 				;;
 			esac
+			case "${ipfs_enable}" in
+			[Yy][Ee][Ss])
+				if [ -r "/var/db/ipf/ipstate.ipf" ]; then
+					echo -n ' ipfs';
+					eval ${ipfs_program:-/sbin/ipfs -R} \
+						${ipfs_flags}
+				fi
+				;;
+			esac
 		else
 			ipfilter_enable="NO"
 			echo -n ' NO IPF RULES'
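Review bot: the `-R` in `eval ${ipfs_program:-/sbin/ipfs -R} ${ipfs_flags}` only takes effect when ipfs_program is unset, but the defaults/rc.conf hunk in this same patch sets ipfs_program="/sbin/ipfs", so in the default configuration the restore step runs plain `/sbin/ipfs` with no mode flag; keep the flag in the script instead, e.g. `eval ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags}`. The `-r /var/db/ipf/ipstate.ipf` test also means that a file left behind by an earlier clean shutdown is re-imported after a crash or power loss, stale entries included, since the save only happens in rc.shutdown; removing the file once the restore has succeeded avoids that. Minor: the trailing `;` after `echo -n ' ipfs'` is unnecessary.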
Index: rc.shutdown
===================================================================
RCS file: /home/cvs/src/etc/rc.shutdown,v
retrieving revision 1.4.2.9
diff -u -r1.4.2.9 rc.shutdown
--- rc.shutdown	2001/03/12 13:29:24	1.4.2.9
+++ rc.shutdown	2001/05/03 21:24:37
@@ -83,6 +83,17 @@
 	;;
 esac
 
+# Save IP Filter state tables
+
+case ${ipfs_enable} in
+[Yy][Ee][Ss])
+	echo -n 'Saving IP Filter state tables:'
+	eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags}
+	;;
+esac
+
+echo .
+
 # Insert other shutdown procedures here
 
 echo '.'
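Review bot: `echo .` sits outside the `case`, so a lone `.` is printed on every shutdown even when ipfs_enable is not YES; move it inside the `[Yy][Ee][Ss])` branch after the eval. As in the rc.network hunk, the `-W` in `${ipfs_program:-/sbin/ipfs -W}` is lost as soon as defaults/rc.conf sets ipfs_program="/sbin/ipfs"; use `eval ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}`. Consider also gating on ipfilter_enable, since writing state tables only makes sense when IP Filter is actually loaded, and quote `"${ipfs_enable}"` for consistency with the rc.network hunk.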
Index: defaults/rc.conf
===================================================================
RCS file: /home/cvs/src/etc/defaults/rc.conf,v
retrieving revision 1.53.2.21
diff -u -r1.53.2.21 rc.conf
--- defaults/rc.conf	2001/03/19 09:33:59	1.53.2.21
+++ defaults/rc.conf	2001/05/03 21:26:50
@@ -69,6 +69,10 @@
 ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
 ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
 ipnat_flags=""			# additional flags for ipnat
+ipfs_enable="YES"		# Set to YES to enable saving and restoring 
+				# of state tables at shutdown and boot
+ipfs_flags=""			# additional flags for ipfs
+ipfs_program="/sbin/ipfs"	# where the ipfs program lives
 ipmon_enable="NO"		# Set to YES for ipmon; needs ipfilter, too!
 ipmon_program="/sbin/ipmon"	# where the ipfilter monitor program lives
 ipmon_flags="-Ds"		# typically "-Ds" or "-D /var/log/ipflog"
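Review bot: ipfs_enable defaults to "YES" while the neighbouring ipmon_enable (and ipfilter_enable, seen in the rc.network hunk) default to "NO"; with this default every system runs /sbin/ipfs at shutdown whether or not IP Filter is configured, so it should default to "NO" like the other IP Filter knobs. Setting ipfs_program="/sbin/ipfs" here also silently drops the `-R`/`-W` that the rc.network and rc.shutdown hunks supply only as fallbacks; either move the mode flags into the scripts or document that ipfs_flags must carry them. Style: trailing whitespace on the ipfs_enable comment line.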
Index: mtree/BSD.var.dist
===================================================================
RCS file: /home/cvs/src/etc/mtree/BSD.var.dist,v
retrieving revision 1.43.2.1
diff -u -r1.43.2.1 BSD.var.dist
--- mtree/BSD.var.dist	2001/03/05 11:59:02	1.43.2.1
+++ mtree/BSD.var.dist	2001/05/03 22:50:30
@@ -26,6 +26,8 @@
     ..
 /set mode=0755
     db
+        ipf
+        ..
         pkg
         ..
     ..
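Review bot: the new db/ipf entry inherits `/set mode=0755`, so the directory holding the state-table dumps is world-listable; a saved state table describes every live connection through the filter, so give the entry an explicit restrictive mode (e.g. `ipf mode=0700`) and check the permissions ipfs uses for the files it writes there.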
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->darrenr 
Responsible-Changed-By: roam 
Responsible-Changed-When: Thu May 3 22:53:43 PDT 2001 
Responsible-Changed-Why:  
Over to the maintainer (and author) of the IPFilter suite. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=27070 
State-Changed-From-To: open->feedback 
State-Changed-By: darrenr 
State-Changed-When: Fri Oct 19 21:33:18 PDT 2001 
State-Changed-Why:  
these changes have been applied to -current. 

updates for rc.conf and rc.conf(5) would be appreciated. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27070 

From: Guido van Rooij <guido@mouse.gvr.org>
To: freebsd-gnats-submit@FreeBSD.org, stefan.schmidt@twest.de
Cc:  
Subject: Re:  conf/27070: save/restore IP Filter's state tables at shutdown/reboot (patch)
Date: Wed, 14 Nov 2001 14:35:26 +0100

 Arjan de Vet and Doug Barton have made patches to the FreeBSD rc system
 that should solve all of the known problems with IPFilter.
 Current and stable patches are available at the URL underneath.
 Please be so kind to:
 1) Test the patches if they do work for you
 2) mail your feedback to Arjan de Vet (devet@devet.org)
 3) If all is worked out and Arjan has the patches committed, please
 update the PR.
 
 Url:
 http://home.iae.nl/users/devet/freebsd/
 
State-Changed-From-To: feedback->closed 
State-Changed-By: darrenr 
State-Changed-When: Tue Mar 26 02:02:52 PST 2002 
State-Changed-Why:  
the patches for this change have been integrated. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=27070 
>Unformatted:
