svn commit: r195026 - head/etc/rc.d
Robert Watson
rwatson at FreeBSD.org
Fri Jun 26 08:43:27 UTC 2009
On Fri, 26 Jun 2009, Doug Barton wrote:
> Reverse the effect of r193198 for pf and ipfw which will once again
> allow them to start after netif. There were too many problems reported
> with this change in the short period of time that it lived in HEAD, and
> we are too late in the release cycle to properly shake it out.
>
> IMO the issue of having the firewalls up before the network is still a
> valid concern, particularly for pf whose default state is wide open.
> However properly solving this issue is going to take some investment
> on the part of the people who actually use those tools.
This sounds right to me, FWIW -- being able to fully configure the policy
before network traffic starts is definitely right in the abstract, it's just a
question of getting there...
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> This is not a strict reversion of all the changes for r193198 since it
> also included some simplification of the BEFORE/REQUIRE logic which is
> still valid for ipfilter and ip6fw.
>
> Modified:
> head/etc/rc.d/NETWORKING
> head/etc/rc.d/ipfw
> head/etc/rc.d/netif
> head/etc/rc.d/pf
> head/etc/rc.d/pflog
> head/etc/rc.d/pfsync
>
> Modified: head/etc/rc.d/NETWORKING
> ==============================================================================
> --- head/etc/rc.d/NETWORKING Fri Jun 26 01:01:50 2009 (r195025)
> +++ head/etc/rc.d/NETWORKING Fri Jun 26 01:04:50 2009 (r195026)
> @@ -4,7 +4,7 @@
> #
>
> # PROVIDE: NETWORKING NETWORK
> -# REQUIRE: netif netoptions routing network_ipv6 ppp
> +# REQUIRE: netif netoptions routing network_ipv6 ppp ipfw
> # REQUIRE: defaultroute routed mrouted route6d mroute6d resolv
>
> # This is a dummy dependency, for services which require networking
>
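Review bot: The `ipfw` added to the first REQUIRE line orders ipfw ahead of NETWORKING explicitly, but pf gets no matching entry and is ordered ahead of NETWORKING only indirectly, through `# BEFORE: routing` in head/etc/rc.d/pf together with `routing` on this same REQUIRE line. If that indirection is intentional, a one-line comment here saying so would keep a later edit to pf's BEFORE line from silently dropping the guarantee; otherwise list `pf` next to `ipfw`.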
> Modified: head/etc/rc.d/ipfw
> ==============================================================================
> --- head/etc/rc.d/ipfw Fri Jun 26 01:01:50 2009 (r195025)
> +++ head/etc/rc.d/ipfw Fri Jun 26 01:04:50 2009 (r195026)
> @@ -4,7 +4,7 @@
> #
>
> # PROVIDE: ipfw
> -# REQUIRE: FILESYSTEMS
> +# REQUIRE: ppp
> # KEYWORD: nojail
>
> . /etc/rc.subr
>
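Review bot: The new `# REQUIRE: ppp` line names neither `netif` nor `FILESYSTEMS`, so the ordering the log message describes (ipfw starting after netif) holds only if ppp's own REQUIRE line supplies it, and that file is not part of this patch. Stating the intent directly on this line, or adding a comment that ppp is being used as the anchor for "after netif", would keep the dependency from breaking when ppp's header is next edited.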
> Modified: head/etc/rc.d/netif
> ==============================================================================
> --- head/etc/rc.d/netif Fri Jun 26 01:01:50 2009 (r195025)
> +++ head/etc/rc.d/netif Fri Jun 26 01:04:50 2009 (r195026)
> @@ -27,7 +27,7 @@
>
> # PROVIDE: netif
> # REQUIRE: atm1 cleanvar FILESYSTEMS serial sppp sysctl
> -# REQUIRE: ipfilter ipfs pf ipfw
> +# REQUIRE: ipfilter ipfs
> # KEYWORD: nojail
>
> . /etc/rc.subr
>
> Modified: head/etc/rc.d/pf
> ==============================================================================
> --- head/etc/rc.d/pf Fri Jun 26 01:01:50 2009 (r195025)
> +++ head/etc/rc.d/pf Fri Jun 26 01:04:50 2009 (r195026)
> @@ -4,7 +4,7 @@
> #
>
> # PROVIDE: pf
> -# REQUIRE: FILESYSTEMS pflog pfsync
> +# REQUIRE: FILESYSTEMS netif pflog pfsync
> # BEFORE: routing
> # KEYWORD: nojail
>
>
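Review bot: With `netif` added to the REQUIRE line, pf loads its ruleset only after the interfaces are configured, and the log message itself notes that pf's default state is wide open, so there is an unfiltered interval between netif and pf that `# BEFORE: routing` bounds but does not close. Since the log presents this as a stopgap for the release, an XXX comment above the REQUIRE line pointing back at r193198 would record that the ordering is a known compromise and not the intended design.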
> Modified: head/etc/rc.d/pflog
> ==============================================================================
> --- head/etc/rc.d/pflog Fri Jun 26 01:01:50 2009 (r195025)
> +++ head/etc/rc.d/pflog Fri Jun 26 01:04:50 2009 (r195026)
> @@ -4,7 +4,7 @@
> #
>
> # PROVIDE: pflog
> -# REQUIRE: FILESYSTEMS cleanvar
> +# REQUIRE: FILESYSTEMS netif cleanvar
> # KEYWORD: nojail
>
> . /etc/rc.subr
>
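Review bot: The `netif` added to pflog's REQUIRE line is not explained in the log message, and it is not needed to order pf after netif, since head/etc/rc.d/pf now lists `netif` itself alongside `pflog`. If pflog needs configured interfaces for its own reasons, a short comment next to the REQUIRE line saying why would help; if it only mirrors the state before r193198, a comment noting that would do.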
> Modified: head/etc/rc.d/pfsync
> ==============================================================================
> --- head/etc/rc.d/pfsync Fri Jun 26 01:01:50 2009 (r195025)
> +++ head/etc/rc.d/pfsync Fri Jun 26 01:04:50 2009 (r195026)
> @@ -4,7 +4,7 @@
> #
>
> # PROVIDE: pfsync
> -# REQUIRE: FILESYSTEMS
> +# REQUIRE: FILESYSTEMS netif
> # KEYWORD: nojail
>
> . /etc/rc.subr
>
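The ordering question discussed in this message can be checked mechanically. The following is an added example, not part of the original message or of FreeBSD's rc code: it models only the PROVIDE/REQUIRE/BEFORE keywords, and its input is constructed from the post-r195026 header lines visible in the patch, so anything that depends on files outside the patch (such as ppp) is reported as unconstrained. The names `build_graph`, `must_precede` and `firewall_order` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the post-r195026 header lines shown in the patch above.
HEADERS = {
    "NETWORKING": "# PROVIDE: NETWORKING NETWORK\n"
                  "# REQUIRE: netif netoptions routing network_ipv6 ppp ipfw\n"
                  "# REQUIRE: defaultroute routed mrouted route6d mroute6d resolv",
    "ipfw": "# PROVIDE: ipfw\n# REQUIRE: ppp",
    "netif": "# PROVIDE: netif\n# REQUIRE: atm1 cleanvar FILESYSTEMS serial sppp sysctl\n"
             "# REQUIRE: ipfilter ipfs",
    "pf": "# PROVIDE: pf\n# REQUIRE: FILESYSTEMS netif pflog pfsync\n# BEFORE: routing",
    "pflog": "# PROVIDE: pflog\n# REQUIRE: FILESYSTEMS netif cleanvar",
    "pfsync": "# PROVIDE: pfsync\n# REQUIRE: FILESYSTEMS netif",
}
TAG = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.M)

def build_graph(headers):
    """Map each name to the set of names that must start after it."""
    after = defaultdict(set)
    for text in headers.values():
        tags = defaultdict(list)
        for key, names in TAG.findall(text):
            tags[key] += names.split()
        for provided in tags["PROVIDE"]:
            for req in tags["REQUIRE"]:
                after[req].add(provided)    # REQUIRE: req starts first
            for later in tags["BEFORE"]:
                after[provided].add(later)  # BEFORE: this script starts first
    return after

def must_precede(graph, first, second):
    """True if the headers force `first` to start before `second`."""
    seen, stack = set(), [first]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return second in seen and first != second

def firewall_order(headers, firewalls=("ipfilter", "pf", "ipfw"), anchor="netif"):
    """Classify each firewall as before/after/unconstrained relative to anchor."""
    g = build_graph(headers)
    return {fw: "before" if must_precede(g, fw, anchor)
            else "after" if must_precede(g, anchor, fw)
            else "unconstrained" for fw in firewalls}

if __name__ == "__main__":
    print(firewall_order(HEADERS))
```

On a live system the authoritative answer comes from running `rcorder` over the full /etc/rc.d directory; this sketch only shows what the six patched headers guarantee on their own.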