rc.order wrong (ipfw)
dougb at FreeBSD.org
Mon Mar 19 00:13:59 UTC 2007
Kian Mohageri wrote:
> I can't speak for ipfw, but removing the
> REQUIRE: netif for pf might break some setups where the ruleset
> references a cloned interface that netif creates. Correct me if I'm wrong?
> Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
> solve that problem, at least for pf. The idea has been discussed a few
> times before but I didn't see it go anywhere.
That's because no one who uses pf (and therefore cares sufficiently
about the issue) has stepped up to do the work. Q.E.D. I don't know pf
from a hole in the ground, and I'm not going to develop and commit a
fundamentally different way of doing things for it that I can't test,
and therefore will have no confidence that it's been done correctly.
That said, if the issues of needing to resolve hostnames and set up
rules for cloned interfaces are a universal problem (and it seems that
they are) then perhaps rather than customizing a solution for pf it
might be worthwhile to have a more generic "firewalls_late" script
that performs the appropriate actions regardless of what firewalls are
enabled. That way we could add just one rc.d script, and using the new
functionality would be opt-in. Off the top of my head I envision
    if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
        # do stuff specific to ipfw
    fi
    if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
        # do stuff specific to ipfilter
    fi
Comments? That's something that I would feel comfortable developing
and committing, since it would be opt-in, and others more
knowledgeable than I could jump in and run with it for a while before
we considered MFC'ing it (if doing that would be appropriate at all,
and I'm not sure that it would be).
OTOH, perhaps if we just move everything (and therefore break things
in the manner you described) it will motivate someone to do the work.
This .signature sanitized for your protection
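One way the opt-in "firewalls_late" script proposed above could be laid out. This is an added example written for this thread, not code from the thread or from FreeBSD: rc.subr's checkyesno is stubbed so the selection logic runs outside rc(8), the *_rules_late knob names and the REQUIRE line are assumptions, and the per-firewall load commands are only the obvious ipfw(8), ipf(8) and pfctl(8) invocations.

```shell
#!/bin/sh
#
# Sketch of an opt-in /etc/rc.d/firewalls_late script (added example, not a
# FreeBSD script).  rc.subr's checkyesno is stubbed below so the selection
# logic can be exercised outside rc(8); on a real system you would instead
# ". /etc/rc.subr", "load_rc_config $name" and "run_rc_command".
#
# PROVIDE: firewalls_late
# REQUIRE: NETWORKING
#
# REQUIRE: NETWORKING (an assumption) orders this after netif and routing,
# so cloned interfaces exist and the resolver works when the late rule sets
# are loaded.  The *_rules_late knobs are assumed names, not rc.conf(5) ones.

# Stand-in for rc.subr's checkyesno: takes a variable NAME (not its value)
# and succeeds when the value is yes/true/on/1, case-insensitively.
checkyesno() {
	eval _v=\$$1
	case "$_v" in
	[Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
	*) return 1 ;;
	esac
}

# List the late rule sets that are opted in, one "<firewall>:<file>" per
# line.  A firewall is selected only when both its *_enable and its
# *_rules_late knob are set, so existing setups see no change at all.
firewalls_late_pending() {
	for _fw in firewall ipfilter pf; do
		eval _file=\$${_fw}_rules_late
		if checkyesno ${_fw}_enable && [ -n "$_file" ]; then
			printf '%s:%s\n' "$_fw" "$_file"
		fi
	done
}

# Print the command that loads one late rule set, so the choice can be
# checked without touching the kernel.  ipfw(8) and ipf(8) add to whatever
# the early scripts installed; "pfctl -f" replaces the whole ruleset, which
# is exactly the minimal-early / full-late behaviour wanted for pf.
firewalls_late_cmd() {
	case $1 in
	firewall) printf '/sbin/ipfw -q %s\n' "$2" ;;
	ipfilter) printf '/sbin/ipf -f %s\n' "$2" ;;
	pf)       printf '/sbin/pfctl -f %s\n' "$2" ;;
	*)        return 1 ;;
	esac
}

# Load every pending late rule set, skipping (and reporting) unreadable files
# rather than aborting, so one bad knob does not leave the others unloaded.
firewalls_late_start() {
	firewalls_late_pending | while IFS=: read -r _fw _file; do
		if [ ! -r "$_file" ]; then
			echo "firewalls_late: cannot read $_file for $_fw" >&2
			continue
		fi
		echo "Loading late $_fw rules from $_file."
		eval "$(firewalls_late_cmd "$_fw" "$_file")"
	done
}

# Only act when invoked as "firewalls_late start"; otherwise this file just
# defines the functions above.
if [ "${1:-}" = start ]; then
	firewalls_late_start
fi
```

With firewall_enable="YES" and firewall_rules_late="/etc/ipfw.late" in rc.conf, "firewalls_late start" would run "/sbin/ipfw -q /etc/ipfw.late" after the interfaces are up; a host with none of the *_rules_late knobs set runs nothing, which is what makes the script safe to add unconditionally.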