conf/130555: [patch] No good way to set ipfilter variables at boot time

[G. Paul Ziemba]

>Number:         130555
>Category:       conf
>Synopsis:       [patch] No good way to set ipfilter variables at boot time
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 14 18:30:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     G. Paul Ziemba
>Release:        7.1-PRERELEASE
>Organization:
>Environment:
FreeBSD foo 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 11 23:08:18 PST 2008     root at foo:/usr/obj/usr/src/sys/GPZ  i386

>Description:
ipfilter has a number of tunable variables (run "ipf -T list" to see the list). Although many (all?) of these are made available via sysctl, it is not possible to configure them in the context of the current /etc/rc.conf or /etc/sysctl.conf arrangements due to the following constraints/interactions:

1. Some of the tunables can be set only if ipfilter is disabled.

2. The current /etc/rc.d/ipfilter startup script enables ipfilter and
   causes it to load the filter rules before doing anything about
   ipfilter_flags, which might theoretically be set to "-D -T <foo> -E".

3. You could try ipfilter_flags="-D -T <foo> -E -f ${ipfilter_rules}" to
   reload the rules. However, ipfilter_flags are also used for the reload
   and resync commands of the startup script (i.e., later on), so you
   run into...

4. disabling ipfilter not only flushes existing configured filter rules, it
   also flushes any configured NAT rules (loaded independently via
   /etc/rc.d/ipnat).

5. /etc/sysctl.conf is processed after /etc/rc.d/ipfilter runs, so ipfilter
   tunables set in sysctl.conf fail due to ipfilter being enabled.

6. Oh, and they can't be set in /boot/loader.conf either

Here is a fix that allows variables to be specified in /etc/rc.conf so they will be set early in the /etc/rc.d/ipfilter script
>How-To-Repeat:

>Fix:
Patch attached

Patch attached with submission follows:

diff -ruN etc.orig/defaults/rc.conf etc.new/defaults/rc.conf
--- etc.orig/defaults/rc.conf	2008-11-12 08:27:20.000000000 -0800
+++ etc.new/defaults/rc.conf	2009-01-14 09:46:23.000000000 -0800
@@ -152,6 +152,7 @@
 ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
 				# /usr/src/contrib/ipfilter/rules for examples
 ipfilter_flags=""		# additional flags for ipfilter
+ipfilter_variables=""		# <optionlist> for -T, see ipf(8)
 ipnat_enable="NO"		# Set to YES to enable ipnat functionality
 ipnat_program="/sbin/ipnat"	# where the ipnat program lives
 ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
diff -ruN etc.orig/rc.d/ipfilter etc.new/rc.d/ipfilter
--- etc.orig/rc.d/ipfilter	2008-01-27 23:55:44.000000000 -0800
+++ etc.new/rc.d/ipfilter	2009-01-14 09:43:34.000000000 -0800
@@ -30,6 +30,14 @@
 ipfilter_start()
 {
 	echo "Enabling ipfilter."
+	if [ ! -z "${ipfilter_variables}" ]; then
+		# Can set ipfilter variables only when it is disabled,
+		# which flushes filter and nat rules
+		if [ `sysctl -n net.inet.ipf.fr_running` -gt 0 ]; then
+			${ipfilter_program:-/sbin/ipf} -D
+		fi
+		${ipfilter_program:-/sbin/ipf} -T "${ipfilter_variables}"
+	fi
 	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
 		${ipfilter_program:-/sbin/ipf} -E
 	fi


>Release-Note:
>Audit-Trail:
>Unformatted: