From dbushong@bushong.net  Mon May 15 18:12:43 2006
Return-Path: <dbushong@bushong.net>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9608216B20F
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 15 May 2006 18:12:43 +0000 (UTC)
	(envelope-from dbushong@bushong.net)
Received: from bushong.net (bushong.net [216.36.66.245])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 3FEA043DBD
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 15 May 2006 18:11:52 +0000 (GMT)
	(envelope-from dbushong@bushong.net)
Received: from firebat.davedawn.net (dbushong@localhost [127.0.0.1])
	by bushong.net (8.13.4/8.13.4) with ESMTP id k4FIBoBB079218
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 15 May 2006 11:11:50 -0700 (PDT)
	(envelope-from dbushong@firebat.davedawn.net)
Received: (from dbushong@localhost)
	by firebat.davedawn.net (8.13.4/8.13.4/Submit) id k4FIBoqZ079216;
	Mon, 15 May 2006 11:11:50 -0700 (PDT)
	(envelope-from dbushong)
Message-Id: <200605151811.k4FIBoqZ079216@firebat.davedawn.net>
Date: Mon, 15 May 2006 11:11:50 -0700 (PDT)
From: David Bushong <david@bushong.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: /etc/rc.d/ipfilter reload can load bad files
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         97311
>Category:       conf
>Synopsis:       [patch] /etc/rc.d/ipfilter reload can load bad files
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ceri
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 15 18:20:14 GMT 2006
>Closed-Date:    Sun Dec 31 17:55:30 GMT 2006
>Last-Modified:  Sun Dec 31 18:00:28 GMT 2006
>Originator:     David Bushong
>Release:        FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD firebat.bushong.net 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #0: Wed Mar 8 00:10:26 PST 2006 dbushong@firebat.bushong.net:/export/obj/export/src/sys/FIREBAT i386


	arch-independent
>Description:
	If you write a broken /etc/ipf.rules and run /etc/rc.d/ipfilter reload,
	it will load the bad file into the inactive ruleset, ignore the error,
	and swap your sets, breaking your firewall.
>How-To-Repeat:
	# echo oops >> /etc/ipf.rules
	# /etc/rc.d/ipfilter reload
>Fix:
*** /usr/src/etc/rc.d/ipfilter	Sun Oct 10 02:50:53 2004
--- ipfilter	Mon May 15 11:06:45 2006
***************
*** 94,97 ****
--- 94,100 ----
  		${ipfilter_program:-/sbin/ipf} -I \
  		    -f "${ipfilter_rules}" ${ipfilter_flags}
+ 		if [ $? -ne 0 ]; then
+ 			err 1 "rules load failed; aborting reload"
+ 		fi
  	fi
  	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
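Review bot: the abort message on the `err 1` line names no file; since `err` exits the script right here, the operator is left to guess which ruleset failed to parse, so include it, e.g. `err 1 "load of ${ipfilter_rules} failed; aborting reload"`. Testing `$?` on a separate line after the two-line `ipf -I -f` command works but is fragile if anything is ever inserted between them; `if ! ${ipfilter_program:-/sbin/ipf} -I -f "${ipfilter_rules}" ${ipfilter_flags}; then err 1 ...; fi` keeps the command and its check together. Worth stating in the commit message: on abort the inactive set holds whatever ipf loaded before the bad line, but the live set is untouched because `ipf -s` is never reached, and the next reload flushes the inactive set (`-I -Fa`, visible for IPv6 on the last line of this hunk) before loading again. The check only catches what ipf reports as a non-zero exit, which is exactly the case in the report (a garbage line), not a rule file that parses but is wrong.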
***************
*** 99,102 ****
--- 102,108 ----
  		${ipfilter_program:-/sbin/ipf} -I -6 \
  		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
+ 		if [ $? -ne 0 ]; then
+ 			err 1 "ipv6 rules load failed; aborting reload"
+ 		fi
  	fi
  	${ipfilter_program:-/sbin/ipf} -s
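Review bot: same two points as the IPv4 hunk apply to the `err 1` line here: name the file (`${ipv6_ipfilter_rules}`) in the message, and consider `if ! ... -I -6 -f "${ipv6_ipfilter_rules}" ...; then` instead of a trailing `$?` test. One consequence of aborting at this point is worth a comment in the script: the IPv4 rules already loaded into the inactive set by the previous hunk are discarded together with the failed IPv6 load, since `ipf -s` on the last line never runs; that is the intended all-or-nothing behaviour, but a reader of the script would not know it was deliberate. The `-I -6 -Fa` flush and the final `-s` remain unchecked, which is consistent with the rest of the script.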
>Release-Note:
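The safe reload sequence the report asks for (load into the inactive set, swap only if every load succeeded), written out as an added example; this is a stand-alone script, not the rc.d script or FreeBSD's own code. It adds one check the patch does not have, a dry-run parse with `ipf -n -f` (the no-change flag from ipf(8)) before the kernel's inactive set is touched at all. The `safe_reload` function takes the ipf binary as its first argument so a stub can stand in for /sbin/ipf when testing; the hypothetical file names `/etc/ipf.rules` and `/etc/ipf6.rules` in the usage line are only defaults.

```sh
#!/bin/sh
# Added example: atomic ipfilter reload that never swaps in a bad ruleset.
# Not the FreeBSD rc.d script. Assumes ipf(8) flags -n (dry run, no ioctl
# calls), -I (inactive set), -Fa (flush all), -f (rules file), -6 (IPv6)
# and -s (swap active/inactive), as in the rc.d script this PR patches.

# safe_reload IPF RULES [V6RULES]
#   IPF     ipf binary (or a stand-in function) to invoke
#   RULES   IPv4 rules file; V6RULES optional IPv6 rules file
# Returns 0 after swapping the sets; returns 1 without swapping if any
# validation or load step fails, leaving the live ruleset untouched.
safe_reload() {
    ipf=$1; rules=$2; v6rules=$3

    # Step 1: parse-only check. -n makes no kernel calls, so a broken
    # file is rejected before even the inactive set is modified.
    "$ipf" -n -f "$rules" || {
        echo "safe_reload: $rules failed to parse; live rules untouched" >&2
        return 1
    }
    if [ -n "$v6rules" ]; then
        "$ipf" -n -6 -f "$v6rules" || {
            echo "safe_reload: $v6rules failed to parse; live rules untouched" >&2
            return 1
        }
    fi

    # Step 2: flush the inactive set and load into it. A failure here
    # (the case the PR describes) aborts before the swap, so at worst the
    # inactive set holds a partial ruleset that the next reload flushes.
    "$ipf" -I -Fa && "$ipf" -I -f "$rules" || {
        echo "safe_reload: load of $rules into inactive set failed; aborting" >&2
        return 1
    }
    if [ -n "$v6rules" ]; then
        "$ipf" -I -6 -Fa && "$ipf" -I -6 -f "$v6rules" || {
            echo "safe_reload: load of $v6rules into inactive set failed; aborting" >&2
            return 1
        }
    fi

    # Step 3: only now make the inactive set the live one.
    "$ipf" -s
}

# Run directly:  sh ipf-safe-reload.sh /etc/ipf.rules [/etc/ipf6.rules]
# IPF may be set in the environment to use a different ipf binary.
if [ "$#" -ge 1 ]; then
    safe_reload "${IPF:-/sbin/ipf}" "$@"
fi
```

Reproducing the report against this script (`echo oops >> /etc/ipf.rules`, then run it) stops at step 1 with a parse error and a non-zero exit, and `ipf -s` is never reached; the running firewall keeps the previous rules until the file is fixed.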
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jun 29 00:24:24 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97311 
State-Changed-From-To: open->patched 
State-Changed-By: ceri 
State-Changed-When: Sat Nov 11 10:49:05 UTC 2006 
State-Changed-Why:  
Patched in -HEAD, thanks. 


Responsible-Changed-From-To: freebsd-rc->ceri 
Responsible-Changed-By: ceri 
Responsible-Changed-When: Sat Nov 11 10:49:05 UTC 2006 
Responsible-Changed-Why:  
Patched in -HEAD, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97311 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/97311: commit references a PR
Date: Sat, 11 Nov 2006 10:48:58 +0000 (UTC)

 ceri        2006-11-11 10:48:34 UTC
 
   FreeBSD src repository
 
   Modified files:
     etc/rc.d             ipfilter 
   Log:
   Ensure that the load of rules into the alternate ruleset worked before
   loading them into the live one too.
   
   PR:             conf/97311
   Submitted by:   David Bushong
   Reviewed by:    silence on rc@
   Approved by:    ru (mentor)
   MFC after:      10 days
   
   Revision  Changes    Path
   1.25      +6 -0      src/etc/rc.d/ipfilter
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/97311: commit references a PR
Date: Sun, 31 Dec 2006 17:49:46 +0000 (UTC)

 ceri        2006-12-31 17:49:38 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     etc/rc.d             ipfilter 
   Log:
   MFC revision 1.25:
     Ensure that the load of rules into the alternate ruleset worked before
     loading them into the live one too.
   
   PR:             conf/97311
   Approved by:    ru
   
   Revision  Changes    Path
   1.24.2.1  +6 -0      src/etc/rc.d/ipfilter
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: ceri 
State-Changed-When: Sun Dec 31 17:54:52 UTC 2006 
State-Changed-Why:  
MFC'd to RELENG_6 and RELENG_5; thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=97311 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/97311: commit references a PR
Date: Sun, 31 Dec 2006 17:54:48 +0000 (UTC)

 ceri        2006-12-31 17:54:41 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_5)
     etc/rc.d             ipfilter 
   Log:
   MFC revision 1.25:
     Ensure that the load of rules into the alternate ruleset worked before
     loading them into the live one too.
   
   PR:             conf/97311
   Approved by:    ru
   
   Revision  Changes    Path
   1.21.2.2  +6 -0      src/etc/rc.d/ipfilter
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
