From nobody@FreeBSD.org  Sun Mar 13 03:18:14 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9B11D16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 13 Mar 2005 03:18:14 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 75F6843D3F
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 13 Mar 2005 03:18:14 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j2D3IEMR087533
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 13 Mar 2005 03:18:14 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j2D3IE3Z087532;
	Sun, 13 Mar 2005 03:18:14 GMT
	(envelope-from nobody)
Message-Id: <200503130318.j2D3IE3Z087532@www.freebsd.org>
Date: Sun, 13 Mar 2005 03:18:14 GMT
From: Jonathan Wallace <jonw@whoweb.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: /etc/rc.d/ipfw should excecute $firewall_script not read it
X-Send-Pr-Version: www-2.3

>Number:         78762
>Category:       conf
>Synopsis:       [ipfw] [patch] /etc/rc.d/ipfw should excecute $firewall_script not read it
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 13 03:20:01 GMT 2005
>Closed-Date:    Tue May 15 09:41:11 GMT 2007
>Last-Modified:  Tue Jun 19 06:10:03 GMT 2007
>Originator:     Jonathan Wallace
>Release:        5.3-RELEASE
>Organization:
>Environment:
FreeBSD wallace 5.3-RELEASE FreBSD 5.3-RELEASE #3: Feb 27 23:03:55 EST 2005 root@wallace:/usr/obj/usr/src/sys/WALLACE i386
>Description:
/etc/rc.d/ipfw has been coded with the command '. "${firewall_script}"'
and fails to complete successfully if firewall_script contains an "exit"
statement.  Given that it is common, not to mention good coding practice,
to utilize an "exit" when finishing execution of a program, the
/etc/rc.d/ipfw script should execute firewall_script by calling it with
a path instead of using the shell "." command to read the file.
>How-To-Repeat:
1) Configure a multi-homed system with ipfw and natd
2) Create a shell script (/etc/myfwscript) with a small set of firewall rules.  At the end of the file make sure you include an "exit" statement.
3) Add firewall_script="myfwscript" to /etc/rc.conf
4) Make sure your natd definitions are set up correctly in /etc/rc.conf
5) Restart your machine and check to see if natd is running.  It won't be.
6) Re-edit /etc/myfwscript and remove the "exit" statement.
7) Restart your machine and check to see if natd is running.  It will be.
>Fix:
In /etc/rc.d/ipfw:
change
. "$firewall_script"
to
$firewall_script
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Apr 12 00:49:17 GMT 2005 
Responsible-Changed-Why:  
This is not i386-specific. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78762 
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Oct 24 05:10:01 GMT 2005 
Responsible-Changed-Why:  
Over to mailing list for review. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78762 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/78762: commit references a PR
Date: Mon,  2 Apr 2007 15:39:04 +0000 (UTC)

 mtm         2007-04-02 15:38:53 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc/rc.d             ip6fw ipfw 
   Log:
   Instead of directly sourcing the firewall script, run it in a separate shell.
   If the firewall script is sourced directly from the script, then any
   exit statements in it will also terminate the rc.d script prematurely.
   
   PR: conf/78762
   MFC-After: 2 weeks
   
   Revision  Changes    Path
   1.9       +1 -1      src/etc/rc.d/ip6fw
   1.15      +1 -1      src/etc/rc.d/ipfw
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: mtm 
State-Changed-When: Mon Apr 2 15:40:10 UTC 2007 
State-Changed-Why:  
Patched in -CURRENT. 
MFC-After: 2 weeks 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78762 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/78762: commit references a PR
Date: Tue, 15 May 2007 09:18:30 +0000 (UTC)

 mtm         2007-05-15 09:18:25 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     etc/rc.d             ip6fw ipfw 
   Log:
   MFC: revision 1.9 of rc.d/ip6fw and 1.15 of rc.d/ipfw
   
   date: 2007/04/02 15:38:53;  author: mtm;  state: Exp;  lines: +1 -1
   Instead of directly sourcing the firewall script, run it in a separate shell.
   If the firewall script is sourced directly from the script, then any
   exit statements in it will also terminate the rc.d script prematurely.
   
   PR: conf/78762
   
   Revision  Changes    Path
   1.6.2.1   +1 -1      src/etc/rc.d/ip6fw
   1.10.2.4  +1 -1      src/etc/rc.d/ipfw
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: mtm 
State-Changed-When: Tue May 15 09:39:36 UTC 2007 
State-Changed-Why:  
MFC'ed to RELENG_6 

http://www.freebsd.org/cgi/query-pr.cgi?pr=78762 

From: Sean McNeil <sean@mcneil.com>
To: bug-followup@FreeBSD.org, jonw@whoweb.com
Cc:  
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute
	$firewall_script not read it
Date: Mon, 18 Jun 2007 17:05:45 -0700

 This is a bad idea and has broken the new feature of rcNG allowing us to
 place options into /etc/rc.conf.d/ipfw and /etc/rc.conf.d/ip6fw.  The
 commit to src/etc/rc.d/ipfw revision 1.15 and src/etc/rc.d/ip6fw 1.9
 have now broken this basic concept.
 
 IMHO, the correct thing is: Don't use exit in your firewall script.  I
 offer 3 solutions, however, below.
 
 What has been broken:
 
 /etc/rc.conf.d/ipfw
 	firewall_enable="YES"
 	firewall_type="/etc/fw/rc.firewall.rules"
 
 /etc/rc.conf.d/ip6fw
 	ipv6_firewall_enable="YES"
 	ipv6_firewall_type="/etc/fw/rc.firewall6.rules"
 
 Now, this no longer works and I must once again pollute and move more
 stuff back into /etc/rc.conf.  Namely,
 
 	firewall_type="/etc/fw/rc.firewall.rules"
 	ipv6_firewall_type="/etc/fw/rc.firewall6.rules"
 
 must now be in /etc/rc.conf or /etc/rc.conf.local.
 
 Solution:
 
 1) revert to sourcing the rc.firewall script.
 2) Fix rc.firewall and rc.firewall6 to somehow get stuff
 from /etc/rc.conf.d as it should (as ipfw and ip6fw?).
 3) completely remove rc.conf.d support as more things fail to work with
 it.
 
 

From: jonw@whoweb.com
To: "Sean McNeil" <sean@mcneil.com>
Cc: bug-followup@freebsd.org, jonw@whoweb.com
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute 
     $firewall_script not read it
Date: Tue, 19 Jun 2007 01:12:57 -0400 (EDT)

 Sourcing is intended to be used like "#include" for including libraries of
 functions and variable assignments, not running "scripts" that are
 intended to be executed. The fact that the shell executes code that is
 sourced, doesn't make it correct policy to use it as such and is
 indicative of someone finding a loophole for supporting /etc/rc.conf.d but
 forgetting the basics of real programming.
 
 Only the simplest of scripts will survive being sourced.  Anyone who tries
 to build a complex script to support numerous conditions and branches is
 going to assume they can use an exit statement if they require one.  I
 did.  You can't call something a script and not support exiting, and
 suggesting to simply not use exit is the reason that we are discussing
 this now.  Not using exit suits your requirements for including options
 from /etc/rc.conf.d fine, but doesn't suit my needs to actually execute a
 script that has conditions and branches based upon various OS
 configurations and from which I might need to exit immediately if certain
 conditions are met.
 
 It's wrong to call something a script (ie firewall_script) and treat it
 like an include file, so reverting to the previous functionality is not
 the correct solution.  I must be missing something regarding your
 variables from rc.conf.d/ipfw not being included in the ipfw script.  The
 load_rc_config routine looks for /etc/rc.conf.d/ipfw and sources that in
 before executing the startup code.  Executing or sourcing firewall_script
 shouldn't have any impact on the rc.conf.d/ipfw variables.
 
 It sounds to me like the correct solution is to support both includes and
 executables.  That can be done a couple of ways, maybe more.
 
 1) If firewall_script is defined, execute it.  If firewall_include is
 defined, source it.
 
 2) Check the mode of firewall_script.  If it's executable, execute it.  If
 it's not executable, source it.
 
 Jon
 
 
 > This is a bad idea and has broken the new feature of rcNG allowing us to
 > place options into /etc/rc.conf.d/ipfw and /etc/rc.conf.d/ip6fw.  The
 > commit to src/etc/rc.d/ipfw revision 1.15 and src/etc/rc.d/ip6fw 1.9
 > have now broken this basic concept.
 >
 > IMHO, the correct thing is: Don't use exit in your firewall script.  I
 > offer 3 solutions, however, below.
 >
 > What has been broken:
 >
 > /etc/rc.conf.d/ipfw
 > 	firewall_enable="YES"
 > 	firewall_type="/etc/fw/rc.firewall.rules"
 >
 > /etc/rc.conf.d/ip6fw
 > 	ipv6_firewall_enable="YES"
 > 	ipv6_firewall_type="/etc/fw/rc.firewall6.rules"
 >
 > Now, this no longer works and I must once again pollute and move more
 > stuff back into /etc/rc.conf.  Namely,
 >
 > 	firewall_type="/etc/fw/rc.firewall.rules"
 > 	ipv6_firewall_type="/etc/fw/rc.firewall6.rules"
 >
 > must now be in /etc/rc.conf or /etc/rc.conf.local.
 >
 > Solution:
 >
 > 1) revert to sourcing the rc.firewall script.
 > 2) Fix rc.firewall and rc.firewall6 to somehow get stuff
 > from /etc/rc.conf.d as it should (as ipfw and ip6fw?).
 > 3) completely remove rc.conf.d support as more things fail to work with
 > it.
 >
 >
 >
 
 

From: Sean McNeil <sean@mcneil.com>
To: jonw@whoweb.com
Cc: bug-followup@freebsd.org
Subject: Re: conf/78762: [ipfw] [patch] /etc/rc.d/ipfw should excecute 
	$firewall_script not read it
Date: Mon, 18 Jun 2007 23:02:21 -0700

 On Tue, 2007-06-19 at 01:12 -0400, jonw@whoweb.com wrote:
 > Sourcing is intended to be used like "#include" for including libraries of
 > functions and variable assignments, not running "scripts" that are
 > intended to be executed. The fact that the shell executes code that is
 > sourced, doesn't make it correct policy to use it as such and is
 > indicative of someone finding a loophole for supporting /etc/rc.conf.d but
 > forgetting the basics of real programming.
 > 
 > Only the simplest of scripts will survive being sourced.  Anyone who tries
 > to build a complex script to support numerous conditions and branches is
 > going to assume they can use an exit statement if they require one.  I
 > did.  You can't call something a script and not support exiting, and
 > suggesting to simply not use exit is the reason that we are discussing
 > this now.  Not using exit suits your requirements for including options
 > from /etc/rc.conf.d fine, but doesn't suit my needs to actually execute a
 > script that has conditions and branches based upon various OS
 > configurations and from which I might need to exit immediately if certain
 > conditions are met.
 > 
 > It's wrong to call something a script (ie firewall_script) and treat it
 > like an include file, so reverting to the previous functionality is not
 > the correct solution.  I must be missing something regarding your
 > variables from rc.conf.d/ipfw not being included in the ipfw script.  The
 > load_rc_config routine looks for /etc/rc.conf.d/ipfw and sources that in
 > before executing the startup code.  Executing or sourcing firewall_script
 > shouldn't have any impact on the rc.conf.d/ipfw variables.
 > 
 > It sounds to me like the correct solution is to support both includes and
 > executables.  That can be done a couple of ways, maybe more.
 > 
 > 1) If firewall_script is defined, execute it.  If firewall_include is
 > defined, source it.
 > 
 > 2) Check the mode of firewall_script.  If it's executable, execute it.  If
 > it's not executable, source it.
 > 
 > Jon
 
 Thank you, Jon.  I like your suggestion.  Indeed, having something named
 _script and sourcing it would be misleading.  The problem is that when
 you execute the script you lose all assignments made in /etc/rc.d/ipfw
 and /etc/rc.firewall only sources /etc/rc.conf and /etc/rc.conf.local.
 
 Actually, I think your suggestion should have been applied and
 firewall_script should have been executed without forcing the shell with
 the /bin/sh or ".". That way you can direct which shell to use in the
 script (#!/bin/sh, #!/bin/csh) or in the assignment of $firewall_script
 and the default could be changed from "/etc/rc.firewall" to
 ". /etc/rc.firewall".  Except then something would have to be done with
 the -z and -r tests, so that wouldn't quite work as is.
 
 Funny how such a little thing can become so complicated.
 
 If I understand you correctly about read vs. execute, it should look
 something like
 
                 if [ -x "${firewall_script}" ]; then
                         "${firewall_script}"
                 else
                         . "${firewall_script}"
                 fi
 
 This would restore the rcNG /etc/rc.conf.d/ipfw setting ability and
 allow you to use the shell of your choosing.
 
 > 
 > > This is a bad idea and has broken the new feature of rcNG allowing us to
 > > place options into /etc/rc.conf.d/ipfw and /etc/rc.conf.d/ip6fw.  The
 > > commit to src/etc/rc.d/ipfw revision 1.15 and src/etc/rc.d/ip6fw 1.9
 > > have now broken this basic concept.
 > >
 > > IMHO, the correct thing is: Don't use exit in your firewall script.  I
 > > offer 3 solutions, however, below.
 > >
 > > What has been broken:
 > >
 > > /etc/rc.conf.d/ipfw
 > > 	firewall_enable="YES"
 > > 	firewall_type="/etc/fw/rc.firewall.rules"
 > >
 > > /etc/rc.conf.d/ip6fw
 > > 	ipv6_firewall_enable="YES"
 > > 	ipv6_firewall_type="/etc/fw/rc.firewall6.rules"
 > >
 > > Now, this no longer works and I must once again pollute and move more
 > > stuff back into /etc/rc.conf.  Namely,
 > >
 > > 	firewall_type="/etc/fw/rc.firewall.rules"
 > > 	ipv6_firewall_type="/etc/fw/rc.firewall6.rules"
 > >
 > > must now be in /etc/rc.conf or /etc/rc.conf.local.
 > >
 > > Solution:
 > >
 > > 1) revert to sourcing the rc.firewall script.
 > > 2) Fix rc.firewall and rc.firewall6 to somehow get stuff
 > > from /etc/rc.conf.d as it should (as ipfw and ip6fw?).
 > > 3) completely remove rc.conf.d support as more things fail to work with
 > > it.
 > >
 > >
 > >
 > 
 > 
 > 
 
>Unformatted:
