-E flag in /etc/rc.d/ipfilter causes warnings
Mike Bohan
bogin at shortcircut.org
Mon Jun 16 20:03:51 PDT 2003
That's actually how I interpreted the man page too (the way you did),
but rc.conf says the inverse, and my testing corresponds to this as
well...
ipfilter_flags=""		# should be *empty* when ipf is _not_ a module
				# (i.e. compiled into the kernel) to
				# avoid a warning about "already
				# initialized"
I agree there's no easy solution with the rc.d start/stop
functionality. I'll let the list know if I come up with an alternate
method.
--
Mike Bohan <bogin at shortcircut.org>
On Mon, 2003-06-16 at 22:39, Mike Makonnen wrote:
> On 16 Jun 2003 21:35:44 -0400
> Mike Bohan <bogin at shortcircut.org> wrote:
>
> > Hello there,
> >
> > I recently ran into a slight issue with ipfilter running on
> > 5.1-RELEASE. My machine serves the simple purpose as a nat gateway, so
> > ipfilter is always going to be necessary on it. Due to this fact, I
> > decided to include options IPFILTER in the kernel config, instead of
> > dynamically loading the ipl.ko module. However, when ipfilter is used
> > in the kernel image, it's automatically initialized (and thus does not
> > need the -E flag).
>
> hmm... I thought it was the other way around (it's not effective when loaded as
> a module), but I may have misunderstood the man page.
>
> > This has been noted in rc.conf for some time, and I
> > of course removed the -E from the
> > ipfilter_flags variable in that file. However, after booting my kernel
> > with the IPFILTER options, I noticed warnings in my kernel logs that
> > "ipfilter has already been initialized", which is consistent with using
> > flag -E when ipf is already initialized. After some brief analysis, I
> > discovered that /etc/rc.d/ipfilter actually uses -E in the shell script
> > function, ipfilter_start(). After removing the two instances of the -E
> > and rebooting, the warning messages disappeared at boot time. Is this a
> > known glitch in the hopes that people start solely using the ipl kernel
> > module? It's really not a big deal either way, but I was more just
> > curious than anything in which direction it's going. Thanks in advance!
> >
>
> I believe it's harmless, and while not aesthetically pleasing, it's a necessary
> work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so
> it's necessary to use -E with the start command because there's no way to know
> how/when/why/in-what-environment it's being called. If I'm wrong or you have a
> better alternative to this please let me know.
>
> Cheers.
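One way to keep the unconditional -E out of the start path without losing the stop/start symmetry Mike Makonnen describes, as an added shell example that is not from this thread or from FreeBSD's /etc/rc.d/ipfilter: only pass -E when ipf reports that the filter is not yet running. It assumes `ipf -V` prints a "Running: yes" or "Running: no" line, as ipf(8) does; the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.d/ipfilter: choose the ipf enable flag
# from the filter's current state instead of always passing -E.
# Assumption: `ipf -V` prints a line "Running: yes" or "Running: no".

# ipf_start_flags VERSION_OUTPUT
#   Prints "-E" when ipfilter is not running yet (e.g. ipl.ko just loaded),
#   and nothing when it is already initialized (IPFILTER compiled into the
#   kernel), which is what triggers the "already initialized" warning.
#   An unrecognised report falls back to "-E", the existing rc.d behaviour.
ipf_start_flags() {
    case "$1" in
        *"Running: yes"*) printf '%s' '' ;;
        *"Running: no"*)  printf '%s' '-E' ;;
        *)                printf '%s' '-E' ;;
    esac
}

# Constructed sample reports, standing in for `ipf -V` on each kind of system.
SAMPLE_COMPILED_IN='ipf: IP Filter: v3.4.31 (264)
Kernel: IP Filter: v3.4.31
Running: yes'
SAMPLE_MODULE='ipf: IP Filter: v3.4.31 (264)
Kernel: IP Filter: v3.4.31
Running: no'

# Real use inside an ipfilter_start function would be:
#   flags=$(ipf_start_flags "$(ipf -V 2>/dev/null)")
#   ipf $flags -Fa -f /etc/ipf.rules
echo "compiled-in kernel -> flags: '$(ipf_start_flags "$SAMPLE_COMPILED_IN")'"
echo "module, not yet enabled -> flags: '$(ipf_start_flags "$SAMPLE_MODULE")'"
```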