From axel@axel.truedestiny.net  Wed Mar 11 18:16:29 2009
Return-Path: <axel@axel.truedestiny.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 357E21065695
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 11 Mar 2009 18:16:29 +0000 (UTC)
	(envelope-from axel@axel.truedestiny.net)
Received: from taliesin.thuis.net (tunnel3416.ipv6.xs4all.nl [IPv6:2001:888:10:d58::2])
	by mx1.freebsd.org (Postfix) with ESMTP id A12EE8FC2C
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 11 Mar 2009 18:16:28 +0000 (UTC)
	(envelope-from axel@axel.truedestiny.net)
Received: from taliesin.thuis.net (localhost [127.0.0.1])
	by taliesin.thuis.net (8.14.3/8.14.3) with ESMTP id n2BIGQgY023610
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Wed, 11 Mar 2009 19:16:26 +0100 (CET)
	(envelope-from axel@taliesin.thuis.net)
Received: (from root@localhost)
	by taliesin.thuis.net (8.14.3/8.14.3/Submit) id n2BIGQfb023609;
	Wed, 11 Mar 2009 19:16:26 +0100 (CET)
	(envelope-from axel)
Message-Id: <200903111816.n2BIGQfb023609@taliesin.thuis.net>
Date: Wed, 11 Mar 2009 19:16:26 +0100 (CET)
From: axel@axel.truedestiny.net
Reply-To: axel@axel.truedestiny.net
To: FreeBSD-gnats-submit@freebsd.org
Subject: There is no ippool start script/ipfilter magic to load them
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         132554
>Category:       kern
>Synopsis:       [ipfilter] There is no ippool start script/ipfilter magic to load them
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 11 18:20:00 UTC 2009
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:21:35 UTC 2013
>Originator:     
>Release:        FreeBSD 7.1-RELEASE-p3 i386
>Organization:
Private home user
>Environment:
System: FreeBSD taliesin.thuis.net 7.1-RELEASE-p3 FreeBSD 7.1-RELEASE-p3 #1: Tue Feb 17 14:34:30 CET 2009 axel@awen.thuis.net:/usr/obj/usr/src/sys/TALIESIN i386
>Description:
When using IPFilter there is a way to store IP pools, sort of like pf tables,
in a configuration file (/etc/ippool.conf) which you can use in your ruleset.
See the manpages for ippool for details.

These pools should be loaded before the ruleset, but there is no /etc/rc.d/ippool
or magic in /etc/rc.d/ipfilter to do so. I've created this small quick 'n dirty
diff for /etc/rc.d/ipfilter; I don't know if it's better to include a separate
startup script, since these pools are kind of static: you can't edit them on the
fly without having to reload ipfilter anyway. :(

--- ipfilter.orig       2009-03-11 16:31:53.000000000 +0100
+++ ipfilter    2009-03-11 16:34:51.000000000 +0100
@@ -33,6 +33,11 @@
        if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
                ${ipfilter_program:-/sbin/ipf} -E
        fi
+        # load ippools if needed
+        if [ -f /etc/ippool.conf ]; then 
+            /sbin/ippool -F
+            /sbin/ippool -f /etc/ippool.conf
+        fi
        ${ipfilter_program:-/sbin/ipf} -Fa
        if [ -r "${ipfilter_rules}" ]; then
                ${ipfilter_program:-/sbin/ipf} \
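Review bot: the pool load in this hunk is unchecked and only covers the start path. `/sbin/ippool -f /etc/ippool.conf` can fail (syntax error in the file, kernel without pool support), and the script then continues into `ipf -Fa` and the `ipf -f` of rules that reference the missing pool; because `ipf -E` has already run, a parse failure there leaves the host with ipfilter enabled and an empty ruleset, which passes everything unless the kernel was built with IPFILTER_DEFAULT_BLOCK. Test the exit status of `ippool -f` and stop before flushing the active rules. Also use a `${ippool_program:-/sbin/ippool}` variable in the style of `${ipfilter_program:-/sbin/ipf}` rather than a hard-coded path, and mirror the same flush-and-load in `ipfilter_reload`, which this hunk does not touch, otherwise a reload picks up new rules but not new pools. The added lines are indented with spaces while the surrounding script uses tabs.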


>How-To-Repeat:
Create an IP pool in /etc/ippool.conf, use it in your ipfilter rules, and see
that they're not loaded.

>Fix:
Either fiddle the magic into /etc/rc.d/ipfilter or provide an /etc/rc.d/ippool.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Mar 12 06:23:39 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132554 

From: Jason Loretz <jl@coastallighthouse.com>
To: bug-followup@FreeBSD.org, axel@axel.truedestiny.net
Cc:  
Subject: Re: kern/132554: [ipl] There is no ippool start script/ipfilter magic to load them
Date: Fri, 4 Dec 2009 23:10:12 -0500

 The ippools feature is quite useful and would be nice to have automatically start with the IPF startup script (as part of FreeBSD rather than a system administrator insert/tweak). The actual functionality already exists in the current 7.1 release and just needs hooks to properly start up and reload/flush configurations in sync with ipfilter. It appears that this functionality should reside in the ipfilter rc.d script, since ippools will not work until "ipf -E" has been executed but also need to be configured previous to the "ipf -f" commands. Therefore I submit these diffs as a possible solution, which will provide the appropriate rc.conf options and modifications to rc.d/ipfilter to make it load and flush in the correct places during the ipf configuration. I took a stab, though it needs work, at modifications to the firewall handbook page to include information on ippools. This no doubt will need some work if it can be included.
 
 Thanks, Jason
 
 --- rc.conf.diff begins here ---
 --- /usr/src/etc/defaults/rc.conf	2008-11-24 21:59:29.000000000 -0500
 +++ /etc/defaults/rc.conf	2009-11-30 20:43:10.000000000 -0500
 @@ -152,6 +152,12 @@
  ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
  				# /usr/src/contrib/ipfilter/rules for examples
  ipfilter_flags=""		# additional flags for ipfilter
 +ipfilter_ippool_enable="NO"	# Set to YES to enable ippool functionality
 +ippool_program="/sbin/ippool"	# where the ippool program lives
 +ippool_rules="/etc/ippool.conf"	# rules definition file for ippool, see     
 +				# /usr/src/contrib/ipfilter/rules/pool.conf
 +				# for example
 +ippool_flags=""			# additional flags for ippool
  ipnat_enable="NO"		# Set to YES to enable ipnat functionality
  ipnat_program="/sbin/ipnat"	# where the ipnat program lives
  ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
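Review bot: the knob name `ipfilter_ippool_enable` breaks the `<program>_enable` pattern the neighbouring `ipnat_enable` follows; `ippool_enable` would match the `ippool_program`/`ippool_rules`/`ippool_flags` variables added right below it. The `ippool_rules="/etc/ippool.conf"` line carries trailing whitespace after "see". Defaulting the knob to NO also means an administrator who simply drops a file at /etc/ippool.conf, as the original report does, still gets nothing loaded and no message; if that is intended, the comment on `ipfilter_enable` or the handbook should say that pools need the extra knob.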
 --- rc.conf.diff ends here ---
 
 --- ipfilter.diff begins here --- 
 --- /usr/src/etc/rc.d/ipfilter	2008-11-24 21:59:29.000000000 -0500
 +++ /etc/rc.d/ipfilter	2009-12-01 09:19:43.000000000 -0500
 @@ -33,6 +33,14 @@
  	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
  		${ipfilter_program:-/sbin/ipf} -E
  	fi
 +	if checkyesno ipfilter_ippool_enable; then
 +		if [ -r "${ippool_rules}" ]; then
 +			echo "Loading ippool rules."
 +			${ippool_program:-/sbin/ippool} \
 +			    -f "${ippool_rules}" ${ippool_flags}
 +		fi
 +	fi
 +	echo "Loading ipfilter rules."
  	${ipfilter_program:-/sbin/ipf} -Fa
  	if [ -r "${ipfilter_rules}" ]; then
  		${ipfilter_program:-/sbin/ipf} \
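Review bot: the start path loads pools without flushing first, while the reload path below does `ippool -F` before `ippool -f`; on an `/etc/rc.d/ipfilter restart`, or a start after a manual `ippool -f`, whatever is already in the kernel is loaded again on top. Use the same flush-then-load sequence in both places, or factor it into a helper called from both. As with the earlier patch, the exit status of `${ippool_program:-/sbin/ippool} -f "${ippool_rules}"` is ignored: with `ipf -E` already executed, a failed pool load followed by `ipf -Fa` and a parse error on a `pool/N` rule leaves the host enabled with an empty ruleset, so check the status and return before flushing rules. Finally, when `ipfilter_ippool_enable` is YES but `${ippool_rules}` is unreadable the block is skipped silently; a `warn` there would save debugging time.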
 @@ -58,8 +66,16 @@
  
  ipfilter_reload()
  {
 -	echo "Reloading ipfilter rules."
 +	if checkyesno ipfilter_ippool_enable; then
 +		if [ -r "${ippool_rules}" ]; then
 +			echo "Reloading ippool rules."
 +			${ippool_program:-/sbin/ippool} -F
 +			${ippool_program:-/sbin/ippool} \
 +			    -f "${ippool_rules}" ${ippool_flags}
 +		fi
 +	fi
  
 +	echo "Reloading ipfilter rules."
  	${ipfilter_program:-/sbin/ipf} -I -Fa
  	if [ -r "${ipfilter_rules}" ]; then
  		${ipfilter_program:-/sbin/ipf} -I \
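Review bot: the reload path flushes and reloads pools in place (`ippool -F`, then `ippool -f`) while the rules are built in the inactive set and swapped (`ipf -I -Fa`, `ipf -I -f ...`). Between `ippool -F` and the end of `ippool -f` the still-active rules reference pools that no longer exist, and if the new pool file fails to parse the active rules keep pointing at nothing while the script goes on to install a new ruleset. Check the exit status of `ippool -f` and bail out before touching the rules; if ippool on this release can populate the inactive set, mirror the `-I` pattern so pools and rules switch together, otherwise document the window. Minor: the `echo "Reloading ipfilter rules."` line is deleted and re-added after the blank line; inserting the new block above it gives a cleaner diff.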
 --- ipfilter.diff ends here ---
 
 --- chapter.sgml.diff begins here ---
 --- /usr/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml	2009-11-27 12:11:33.000000000 -0500
 +++ /tmp/chapter.sgml	2009-12-04 20:19:23.000000000 -0500
 @@ -653,6 +653,16 @@
                                    # v = log tcp window, ack, seq
                                    # n = map IP &amp; port to names</programlisting>
  
 +      <para>If the use of ippools is desired, the following lines need to be
 +        added to enable the ippool functionality:</para>
 +
 +      <programlisting>ipfilter_ippool_enable="NO"     # Set to YES to enable ippool functionality
 +ippool_program="/sbin/ippool"   # where the ippool program lives
 +ippool_rules="/etc/ippool.conf" # rules definition file for ippool, see     
 +                                # /usr/src/contrib/ipfilter/rules/pool.conf
 +                                # for example
 +ippool_flags=""                 # additional flags for ippool</programlisting>
 +
        <para>If there is a LAN behind this firewall that uses the
  	reserved private IP address ranges, the following lines will have to
  	be added to enable <acronym>NAT</acronym>
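Review bot: the paragraph says these lines "need to be added to enable the ippool functionality", yet the listing shows `ipfilter_ippool_enable="NO"`. Either show the knob set to YES or reword the sentence to say the listing shows the defaults and that `ipfilter_ippool_enable` must be set to YES in /etc/rc.conf, matching how the surrounding text presents the NAT settings. The `ippool_rules="/etc/ippool.conf"` line carries trailing whitespace inside `<programlisting>`, which is verbatim and will render it.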
 @@ -701,6 +711,26 @@
      </sect2>
  
      <sect2>
 +      <title>IPPOOL</title>
 +
 +      <indexterm><primary><command>ippool</command></primary></indexterm>
 +
 +      <para>The &man.ippool.8; command is used to load your ippool
 +        configuration file. The following commands can be used to flush
 +        the loaded pools from the kernel and then load a pool configuration
 +        from a file:</para>
 +
 +      <screen>&prompt.root; <userinput>ippool -F</userinput>
 +        &prompt.root; <userinput>ippool -f /etc/ippool.conf</userinput></screen>
 +
 +      <para>See the &man.ippool.8; manual page for details on the other
 +        flags available with this command.</para>
 +
 +      <para>The &man.ippool.8; command expects the configuration file to be a
 +        standard text file.</para>
 +    </sect2>
 +
 +    <sect2>
        <title>IPFSTAT</title>
  
        <indexterm><primary><command>ipfstat</command></primary></indexterm>
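Review bot: whitespace inside `<screen>` is verbatim, so the indented second line `&prompt.root; <userinput>ippool -f /etc/ippool.conf</userinput>` will render with leading spaces; start it in column 0 like the first prompt line. The sentence "expects the configuration file to be a standard text file" tells the reader nothing about the format; replace it with a short pool definition and the `pool/N` form used to reference it from the rules file, and point at &man.ippool.5; for the file format alongside &man.ippool.8; for the command.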
 --- chapter.sgml.diff ends here ---
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:21:19 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=132554 
>Unformatted:
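Added example, not from the report, either submitted patch or FreeBSD's /etc/rc.d/ipfilter: a constructed /etc/ippool.conf with a rule that references it, and a load sequence that checks each step and refuses to flush the active rules when the pool file fails to load, which is what both patches leave out. The pool number 100, the RFC 1918 prefixes, interface em0 and port 22 are assumptions made up for the example; verify the table syntax against ippool(5) and ipf(5) on the target release.

```shell
#!/bin/sh
# Added example (not from the PR, its patches or FreeBSD's /etc/rc.d/ipfilter).
# Assumptions: pool number 100, the RFC 1918 prefixes, interface em0 and
# port 22 are constructed; check the table syntax against ippool(5).

# Write a constructed ippool.conf plus an ipf.rules fragment that uses
# the pool (pool/100) into the directory given as $1.
write_example_configs() {
    dir=$1
    cat > "$dir/ippool.conf" <<'EOF'
# pool 100: private address space that must never arrive from outside
table role = ipf type = tree number = 100
    { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
EOF
    cat > "$dir/ipf.rules" <<'EOF'
# rules referencing the pool must be loaded after the pool exists
block in quick on em0 from pool/100 to any
pass in quick on em0 proto tcp from any to any port = 22 flags S keep state
block in all
EOF
}

# Load pools, then rules, checking every step.
#   $1 ippool program  $2 ipf program  $3 pool file  $4 rules file
# Order matters: the rule parser resolves pool/N against pools already
# in the kernel.  If the pool file fails to load we return before
# "ipf -Fa", so an existing ruleset stays in force instead of ipf being
# left enabled with no rules (default pass unless the kernel was built
# with IPFILTER_DEFAULT_BLOCK).
load_pools_then_rules() {
    ippool_prog=$1 ipf_prog=$2 pool_file=$3 rules_file=$4

    if [ -r "$pool_file" ]; then
        "$ippool_prog" -F || return 1
        if ! "$ippool_prog" -f "$pool_file"; then
            echo "ippool: cannot load $pool_file, leaving rules untouched" >&2
            return 1
        fi
    fi
    "$ipf_prog" -Fa || return 1
    if [ -r "$rules_file" ]; then
        "$ipf_prog" -f "$rules_file" || return 1
    fi
    return 0
}
```

From the start path this is called as `load_pools_then_rules /sbin/ippool /sbin/ipf /etc/ippool.conf /etc/ipf.rules`; a reload keeps the same pool-before-rules order but builds the rules in the inactive set (`ipf -I -Fa`, `ipf -I -f`, then `ipf -s` to swap) as the rc.d script already does, so a bad rules file never replaces a working one.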
