git: c403205e553e - stable/13 - ipfw: reload sysctl.conf variables if needed

Eugene Grosbein eugen at FreeBSD.org
Fri Jul 16 06:42:03 UTC 2021


The branch stable/13 has been updated by eugen:

URL: https://cgit.FreeBSD.org/src/commit/?id=c403205e553ee7402ab1adf6da4a8dbd722f8608

commit c403205e553ee7402ab1adf6da4a8dbd722f8608
Author:     Eugene Grosbein <eugen at FreeBSD.org>
AuthorDate: 2021-05-17 21:03:15 +0000
Commit:     Eugene Grosbein <eugen at FreeBSD.org>
CommitDate: 2021-07-16 06:40:39 +0000

    ipfw: reload sysctl.conf variables if needed
    
    Currently ipfw has multiple components that are not part
    of the GENERIC kernel, like dummynet etc. They can bring in important
    sysctls if enabled with rc.conf(5) and loaded by the ipfw startup script
    by means of "required_modules" after the initial consult
    of /etc/sysctl.conf at boot time. Here is an example of one
    increasing the limit for dummynet hold queues that defaults to 100:
    
    net.inet.ip.dummynet.pipe_slot_limit=1000
    
    This makes it possible to use ipfw/dummynet rules such as:
    
    ipfw pipe 1 config bw 50Mbit/s queue 1000
    
    Such a rule is rejected unless the above sysctl is applied.
    Another example is the group of net.inet.ip.alias.* sysctls
    created after libalias.ko is loaded as a dependency of ipfw_nat.
    
    This is not a problem if the corresponding code is compiled into a custom kernel,
    so the sysctls exist when sysctl.conf is read early, or if the kernel modules
    are loaded by the loader. This change makes it work also for GENERIC
    and modules loaded by means of rc.conf(5) settings.
    
    (cherry picked from commit f5b5de1a3210234f3a6864c88a2d3e11ac2dbf04)
---
 libexec/rc/rc.d/ipfw | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/libexec/rc/rc.d/ipfw b/libexec/rc/rc.d/ipfw
index fd1c97671d70..22b65d2908cb 100755
--- a/libexec/rc/rc.d/ipfw
+++ b/libexec/rc/rc.d/ipfw
@@ -47,7 +47,7 @@ ipfw_prestart()
 
 ipfw_start()
 {
-	local   _firewall_type
+	local   _firewall_type _module _sysctl_reload
 
 	if [ -n "${1}" ]; then
 		_firewall_type=$1
@@ -55,6 +55,19 @@ ipfw_start()
 		_firewall_type=${firewall_type}
 	fi
 
+	_sysctl_reload=no
+	for _module in ${required_modules}
+	do
+		if kldstat -qn ${_module}; then
+			_sysctl_reload=yes
+			break
+		fi
+	done
+
+	if [ ${_sysctl_reload} = yes ]; then
+		/etc/rc.d/sysctl reload
+	fi
+
 	# set the firewall rules script if none was specified
 	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
 
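Review bot: the reload condition in this hunk fires whenever `kldstat -qn ${_module}` succeeds for any entry in `${required_modules}`, i.e. whenever the module is loaded at all, not only when ipfw_prestart loaded it; on a system where the module was preloaded by the loader, sysctl.conf has already been applied at boot and the reload is redundant (harmless, but a comment explaining the intent would help). Also note that `/etc/rc.d/sysctl reload` re-applies every entry in sysctl.conf, not just the ipfw-related ones, so any value an administrator changed with sysctl(8) at runtime is reverted each time ipfw is (re)started; that side effect deserves a mention in the commit message. Minor style point: quote the variable in the test, `if [ "${_sysctl_reload}" = yes ]; then`, to match the quoting used for `${1}` earlier in the same function.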


More information about the dev-commits-src-all mailing list