git: c403205e553e - stable/13 - ipfw: reload sysctl.conf variables if needed
Eugene Grosbein
eugen at FreeBSD.org
Fri Jul 16 06:42:03 UTC 2021
The branch stable/13 has been updated by eugen:
URL: https://cgit.FreeBSD.org/src/commit/?id=c403205e553ee7402ab1adf6da4a8dbd722f8608
commit c403205e553ee7402ab1adf6da4a8dbd722f8608
Author: Eugene Grosbein <eugen at FreeBSD.org>
AuthorDate: 2021-05-17 21:03:15 +0000
Commit: Eugene Grosbein <eugen at FreeBSD.org>
CommitDate: 2021-07-16 06:40:39 +0000
ipfw: reload sysctl.conf variables if needed
Currently ipfw has multiple components that are not parts
of GENERIC kernel like dummynet etc. They can bring in important
sysctls if enabled with rc.conf(5) and loaded with ipfw startup script
by means of "required_modules" after initial consult
with /etc/sysctl.conf at boot time. Here is an example of one
increasing limit for dummynet hold queues that defaults to 100:
net.inet.ip.dummynet.pipe_slot_limit=1000
This makes it possible to use ipfw/dummynet rules such as:
ipfw pipe 1 config bw 50Mbit/s queue 1000
Such rule is rejected unless above sysctl is applied.
Another example is a group of net.inet.ip.alias.* sysctls
created after libalias.ko loaded as dependency of ipfw_nat.
This is not a problem if corresponding code compiled in custom kernel
so sysctls exist when sysctl.conf is read early or kernel modules
loaded with a loader. This change makes it work also for GENERIC
and modules loaded by means of rc.conf(5) settings.
(cherry picked from commit f5b5de1a3210234f3a6864c88a2d3e11ac2dbf04)
---
libexec/rc/rc.d/ipfw | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/libexec/rc/rc.d/ipfw b/libexec/rc/rc.d/ipfw
index fd1c97671d70..22b65d2908cb 100755
--- a/libexec/rc/rc.d/ipfw
+++ b/libexec/rc/rc.d/ipfw
@@ -47,7 +47,7 @@ ipfw_prestart()
ipfw_start()
{
- local _firewall_type
+ local _firewall_type _module _sysctl_reload
if [ -n "${1}" ]; then
_firewall_type=$1
@@ -55,6 +55,19 @@ ipfw_start()
_firewall_type=${firewall_type}
fi
+ _sysctl_reload=no
+ for _module in ${required_modules}
+ do
+ if kldstat -qn ${_module}; then
+ _sysctl_reload=yes
+ break
+ fi
+ done
+
+ if [ ${_sysctl_reload} = yes ]; then
+ /etc/rc.d/sysctl reload
+ fi
+
# set the firewall rules script if none was specified
[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
More information about the dev-commits-src-all
mailing list