cvs commit: src/sys/conf files options src/sys/modules/ipfw
Makefile src/sys/net bridge.c src/sys/netgraph ng_bridge.c
src/sys/netinet ip_divert.c ip_dummynet.c ip_dummynet.h ip_fastfwd.c
ip_fw.h ip_fw2.c ip_fw_pfil.c ip_input.c ip_output.c ...
Ceri Davies
ceri at submonkey.net
Thu Aug 19 10:18:39 PDT 2004
On Thu, Aug 19, 2004 at 12:10:03PM +0200, Andre Oppermann wrote:
> Nate Lawson wrote:
> >
> > John Birrell wrote:
> > > On Tue, Aug 17, 2004 at 10:05:54PM +0000, Andre Oppermann wrote:
> > >
> > >>andre 2004-08-17 22:05:54 UTC
> > >>
> > >> FreeBSD src repository
> > >>
> > >> Modified files:
> > >> sys/conf files options
> > >> sys/modules/ipfw Makefile
> > >> sys/net bridge.c
> > >> sys/netgraph ng_bridge.c
> > >> sys/netinet ip_divert.c ip_dummynet.c ip_dummynet.h
> > >> ip_fastfwd.c ip_fw.h ip_fw2.c ip_input.c
> > >> ip_output.c ip_var.h raw_ip.c tcp_input.c
> > >> tcp_sack.c
> > >> sys/sys mbuf.h
> > >> Added files:
> > >> sys/netinet ip_fw_pfil.c
> > >
> > >
> > > A kernel config file which includes IPFIREWALL, but not PFIL_HOOKS will
> > > not link (for obvious reasons).
> > >
> > > Also, the script /etc/rc.d/ipfw tests the 'enable' sysctl which is removed
> > > by this commit. The result is that if a kernel is booted with ipfw built
> > > in, the /etc/rc.d/ipfw script tries to load the ipfw module. The module
> > > load fails (for obvious reasons), causing the ipfw initialisation to fail
> > > leaving the firewall in the deny-everything mode regardless of what is
> > > configured in /etc/rc.conf.
> > >
> > > This is an issue for 5.3. [ I assume re@ are reading this list ]
> >
> > I've been bitten by both. Actually, ipfw.ko won't load into a kernel
> > built without PFIL_HOOKS. The duplicate load attempt also happens to me.
>
> I'm looking into this and will have a fix later today.
Hi Andre,
I'd like to echo Nate's thanks for you spending effort to fix the
problems here.
Also, I think that the ipfirewall.4 manpage could use the following
diff attached if PFIL_HOOKS is now mandatory.
Cheers,
Ceri
--
It is not tinfoil, it is my new skin. I am a robot.
-------------- next part --------------
Index: src/share/man/man4/ipfirewall.4
===================================================================
RCS file: /home/ncvs/src/share/man/man4/ipfirewall.4,v
retrieving revision 1.29
diff -u -r1.29 ipfirewall.4
--- src/share/man/man4/ipfirewall.4 29 Nov 2002 11:39:19 -0000 1.29
+++ src/share/man/man4/ipfirewall.4 19 Aug 2004 17:16:21 -0000
@@ -46,6 +46,8 @@
enable
.Xr divert 4
sockets
+.It Dv PFIL_HOOKS
+add packet filter hooks
.El
.Sh SEE ALSO
.Xr setsockopt 2 ,
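Review bot: the description on the added `.It Dv PFIL_HOOKS` entry, "add packet filter hooks", reads like one more optional feature, but the thread reports that a kernel with IPFIREWALL and without PFIL_HOOKS does not link and that ipfw.ko will not load into one. Suggest stating in the entry that the option is required by ipfw, so someone building a custom kernel from this page does not end up with a firewall that fails to initialise.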
@@ -53,4 +55,5 @@
.Xr ip 4 ,
.Xr ipfw 8 ,
.Xr sysctl 8 ,
-.Xr syslogd 8
+.Xr syslogd 8,
+.Xr pfil 9
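Review bot: on the changed line `+.Xr syslogd 8,` the comma is attached to the section number; mdoc expects trailing punctuation as its own argument, as the unchanged `.Xr sysctl 8 ,` line just above does. Write `.Xr syslogd 8 ,` so the reference is parsed as section 8 followed by a comma.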