kern/132554: [ipl] There is no ippool start script/ipfilter magic to load them

Jason Loretz jl at coastallighthouse.com
Sat Dec 5 04:40:03 UTC 2009


The following reply was made to PR kern/132554; it has been noted by GNATS.

From: Jason Loretz <jl at coastallighthouse.com>
To: bug-followup at FreeBSD.org, axel at axel.truedestiny.net
Cc:  
Subject: Re: kern/132554: [ipl] There is no ippool start script/ipfilter magic to load them
Date: Fri, 4 Dec 2009 23:10:12 -0500

 The ippools feature is quite useful and would be nice to have automatically start with the IPF startup script (as part of FreeBSD rather than a system administrator insert/tweak). The actual functionality already exists in the current 7.1 release and just needs hooks to properly start up and reload/flush configurations in sync with ipfilter. It appears this functionality should reside in the ipfilter rc.d script, since ippools will not work until "ipf -E" has been executed but also need to be configured previous to the "ipf -f" commands. Therefore I submit these diffs as a possible solution, which will provide the appropriate rc.conf options and modifications to rc.d/ipfilter to make it load and flush in the correct places during the ipf configuration. I took a stab, though it needs work, at modifications to the firewall handbook page to include information on ippools. This no doubt will need some work if it can be included.
 
 Thanks, Jason
 
 --- rc.conf.diff begins here ---
 --- /usr/src/etc/defaults/rc.conf	2008-11-24 21:59:29.000000000 -0500
 +++ /etc/defaults/rc.conf	2009-11-30 20:43:10.000000000 -0500
 @@ -152,6 +152,12 @@
  ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
  				# /usr/src/contrib/ipfilter/rules for examples
  ipfilter_flags=""		# additional flags for ipfilter
 +ipfilter_ippool_enable="NO"	# Set to YES to enable ippool functionality
 +ippool_program="/sbin/ippool"	# where the ippool program lives
 +ippool_rules="/etc/ippool.conf"	# rules definition file for ippool, see     
 +				# /usr/src/contrib/ipfilter/rules/pool.conf
 +				# for example
 +ippool_flags=""			# additional flags for ippool
  ipnat_enable="NO"		# Set to YES to enable ipnat functionality
  ipnat_program="/sbin/ipnat"	# where the ipnat program lives
  ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
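Review bot: the enable knob is named `ipfilter_ippool_enable` while every other new variable in this block uses the `ippool_` prefix (`ippool_program`, `ippool_rules`, `ippool_flags`) and the neighbouring `ipnat_enable` follows the same `<service>_enable` pattern; renaming it `ippool_enable` keeps the rc.conf namespace consistent. The `ippool_rules=` line also carries trailing whitespace after `see`, and the new variables should be documented in rc.conf(5) next to the existing `ipnat_*` entries so the defaults file is not the only place they are described.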
 --- rc.conf.diff ends here ---
 
 --- ipfilter.diff begins here --- 
 --- /usr/src/etc/rc.d/ipfilter	2008-11-24 21:59:29.000000000 -0500
 +++ /etc/rc.d/ipfilter	2009-12-01 09:19:43.000000000 -0500
 @@ -33,6 +33,14 @@
  	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
  		${ipfilter_program:-/sbin/ipf} -E
  	fi
 +	if checkyesno ipfilter_ippool_enable; then
 +		if [ -r "${ippool_rules}" ]; then
 +			echo "Loading ippool rules."
 +			${ippool_program:-/sbin/ippool} \
 +			    -f "${ippool_rules}" ${ippool_flags}
 +		fi
 +	fi
 +	echo "Loading ipfilter rules."
  	${ipfilter_program:-/sbin/ipf} -Fa
  	if [ -r "${ipfilter_rules}" ]; then
  		${ipfilter_program:-/sbin/ipf} \
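Review bot: the start path runs `ippool -f` without flushing first, whereas the reload hunk below runs `ippool -F` before loading; a second `start` (or a start after a reload) against a kernel that already holds pools will therefore attempt to add pools that already exist instead of replacing them. Either mirror the reload sequence here or guard the load on the pool state, and add a matching `ippool -F` to the stop path so address pools do not outlive the rule set that references them. The ordering itself (pools before `ipf -Fa` and the rule load) is correct, since the rules reference the pools. Minor: the added `echo "Loading ipfilter rules."` changes the script's existing output; fine if intentional, but worth a line in the PR.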
 @@ -58,8 +66,16 @@
  
  ipfilter_reload()
  {
 -	echo "Reloading ipfilter rules."
 +	if checkyesno ipfilter_ippool_enable; then
 +		if [ -r "${ippool_rules}" ]; then
 +			echo "Reloading ippool rules."
 +			${ippool_program:-/sbin/ippool} -F
 +			${ippool_program:-/sbin/ippool} \
 +			    -f "${ippool_rules}" ${ippool_flags}
 +		fi
 +	fi
  
 +	echo "Reloading ipfilter rules."
  	${ipfilter_program:-/sbin/ipf} -I -Fa
  	if [ -r "${ipfilter_rules}" ]; then
  		${ipfilter_program:-/sbin/ipf} -I \
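Review bot: the exit status of `ippool -f` is never checked. If the pool file fails to parse, the old pools have already been removed by the `ippool -F` on the preceding line, and the function carries on to load and swap in an ipfilter rule set whose rules reference pools that were just flushed. Test the result of the load before proceeding to `ipf -I -Fa`, for example `... -f "${ippool_rules}" ${ippool_flags} || { echo "ippool reload failed."; return 1; }`, so a broken pool file aborts the reload loudly rather than silently emptying the address lists the firewall rules depend on.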
 --- ipfilter.diff ends here ---
 
 --- chapter.sgml.diff begins here ---
 --- /usr/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml	2009-11-27 12:11:33.000000000 -0500
 +++ /tmp/chapter.sgml	2009-12-04 20:19:23.000000000 -0500
 @@ -653,6 +653,16 @@
                                    # v = log tcp window, ack, seq
                                    # n = map IP &amp; port to names</programlisting>
  
 +      <para>If the use of ippools is desired, the following lines need to be
 +        added to enable the ippool functionality:</para>
 +
 +      <programlisting>ipfilter_ippool_enable="NO"     # Set to YES to enable ippool functionality
 +ippool_program="/sbin/ippool"   # where the ippool program lives
 +ippool_rules="/etc/ippool.conf" # rules definition file for ippool, see     
 +                                # /usr/src/contrib/ipfilter/rules/pool.conf
 +                                # for example
 +ippool_flags=""                 # additional flags for ippool</programlisting>
 +
        <para>If there is a LAN behind this firewall that uses the
  	reserved private IP address ranges, the following lines will have to
  	be added to enable <acronym>NAT</acronym>
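Review bot: the paragraph says these are the lines that enable ippool, but the listing still shows `ipfilter_ippool_enable="NO"`; a reader who copies the block verbatim into `/etc/rc.conf` gets nothing enabled. Show `"YES"` in the handbook listing (the defaults file is where `"NO"` belongs), mirror whatever final variable name the rc.conf change settles on, and strip the trailing whitespace after `see` on the `ippool_rules` line so the two copies stay identical.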
 @@ -701,6 +711,26 @@
      </sect2>
  
      <sect2>
 +      <title>IPPOOL</title>
 +
 +      <indexterm><primary><command>ippool</command></primary></indexterm>
 +
 +      <para>The &man.ippool.8; command is used to load your ippool
 +        configuration file. The following commands can be used to flush
 +        the loaded pools from the kernel and then load a pool configuration
 +        from a file:</para>
 +
 +      <screen>&prompt.root; <userinput>ippool -F</userinput>
 +        &prompt.root; <userinput>ippool -f /etc/ippool.conf</userinput></screen>
 +
 +      <para>See the &man.ippool.8; manual page for details on the other
 +        flags available with this command.</para>
 +
 +      <para>The &man.ippool.8; command expects the configuration file to be a
 +        standard text file.</para>
 +    </sect2>
 +
 +    <sect2>
        <title>IPFSTAT</title>
  
        <indexterm><primary><command>ipfstat</command></primary></indexterm>
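Review bot: whitespace inside `<screen>` is rendered verbatim, so the second `&prompt.root;` line, indented to match the SGML nesting, will appear with eight leading spaces in the built handbook; start it in column 0 like the first prompt line. The closing paragraph ("expects the configuration file to be a standard text file") tells the reader nothing about the file's contents; point them at the example the rc.conf comment already cites, `/usr/src/contrib/ipfilter/rules/pool.conf`, and state in the text that pools must be loaded before the rules that reference them, which is the ordering the rc.d change enforces.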
 --- chapter.sgml.diff ends here ---