conf/97311: /etc/rc.d/ipfilter reload can load bad files

David Bushong david at bushong.net
Mon May 15 18:20:25 UTC 2006


>Number:         97311
>Category:       conf
>Synopsis:       /etc/rc.d/ipfilter reload can load bad files
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 15 18:20:14 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     David Bushong
>Release:        FreeBSD 5.5-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD firebat.bushong.net 5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #0: Wed Mar 8 00:10:26 PST 2006 dbushong at firebat.bushong.net:/export/obj/export/src/sys/FIREBAT i386


	arch-independent
>Description:
	If you write a broken /etc/ipf.rules, and run /etc/rc.d/ipfilter reload,
	it will load the bad file into the inactive ruleset, ignore the error,
	and swap your sets, breaking your firewall.
>How-To-Repeat:
	# echo oops >> /etc/ipf.rules
	# /etc/rc.d/ipfilter reload
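The failure mode described above (a parse error while loading the inactive set, followed by an unconditional swap) as an added example of a reload that swaps only after every load succeeded. This is not the PR's patch and not FreeBSD's own rc.d/ipfilter; it uses only the ipf flags the PR shows (-I, -6, -Fa, -f, -s). The function names, the ipfilter_program variable convention and the flush-on-failure step are assumptions of this example, as is the /etc/ipf6.rules default named in the usage comment.

```shell
#!/bin/sh
# Added example, not FreeBSD's rc.d/ipfilter: a reload that never activates
# a ruleset that failed to load. Function names and the flush-on-failure
# step are this example's own; the ipf flags are the ones the PR shows.

ipfilter_program=${ipfilter_program:-/sbin/ipf}

# Flush the inactive IPv4 and IPv6 sets, so that a failed load leaves
# nothing half-populated for a later manual "ipf -s" to swap in.
flush_inactive() {
    "$ipfilter_program" -I -Fa || return 1
    "$ipfilter_program" -I -6 -Fa || return 1
}

# Load one rules file into the inactive set.
#   $1 = rules file, $2 = "" for IPv4 or "-6" for IPv6
# A missing file is skipped, mirroring the rc script's "if [ -f ... ]" guard.
load_inactive() {
    [ -f "$1" ] || return 0
    "$ipfilter_program" -I $2 -f "$1"
}

# Returns 0 after a successful swap. On any load failure it flushes the
# inactive sets and returns 1 with the active ruleset untouched.
safe_reload() {
    ipv4_rules=$1
    ipv6_rules=$2
    flush_inactive || return 1
    if ! load_inactive "$ipv4_rules" ""; then
        echo "ipv4 rules load failed; aborting reload" >&2
        flush_inactive
        return 1
    fi
    if ! load_inactive "$ipv6_rules" -6; then
        echo "ipv6 rules load failed; aborting reload" >&2
        flush_inactive
        return 1
    fi
    # Only reached when both loads returned 0: swap inactive and active.
    "$ipfilter_program" -s
}

# Usage (assumed rc.conf defaults): safe_reload /etc/ipf.rules /etc/ipf6.rules
```

The check relies on ipf returning a non-zero exit status on a parse error; whatever wraps this routine should confirm that for the ipf build in use, since a version that reports the error and exits 0 would make both this example and the PR's patch a no-op.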
>Fix:
*** /usr/src/etc/rc.d/ipfilter	Sun Oct 10 02:50:53 2004
--- ipfilter	Mon May 15 11:06:45 2006
***************
*** 94,97 ****
--- 94,100 ----
  		${ipfilter_program:-/sbin/ipf} -I \
  		    -f "${ipfilter_rules}" ${ipfilter_flags}
+ 		if [ $? -ne 0 ]; then
+ 			err 1 "rules load failed; aborting reload"
+ 		fi
  	fi
  	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
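Review bot: the `$? -ne 0` check after the `-f "${ipfilter_rules}"` load aborts before the `-s` swap at the end of the function, so the active ruleset survives, but whatever ipf managed to parse before the error is left sitting in the inactive IPv4 set, and a later manual `ipf -s` would activate that partial set. Suggest running `${ipfilter_program:-/sbin/ipf} -I -Fa` before the `err 1 "rules load failed; aborting reload"` line. It is also worth confirming that the ipf build in use actually returns non-zero on a parse error rather than reporting it and continuing, since the whole check hinges on that exit status.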
***************
*** 99,102 ****
--- 102,108 ----
  		${ipfilter_program:-/sbin/ipf} -I -6 \
  		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
+ 		if [ $? -ne 0 ]; then
+ 			err 1 "ipv6 rules load failed; aborting reload"
+ 		fi
  	fi
  	${ipfilter_program:-/sbin/ipf} -s
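Review bot: the IPv6 check has the same gap as the IPv4 one, and a larger one: at this point the inactive IPv4 set already holds the newly loaded rules and the inactive IPv6 set holds a partial load, and `err 1` leaves both in place. Flush both (`-I -Fa` and `-I -6 -Fa`) before `err 1 "ipv6 rules load failed; aborting reload"` so nothing half-loaded can be swapped in later. The two blocks are identical apart from the message; a small helper that loads one file and errs on failure would avoid keeping the two copies in sync by hand.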
>Release-Note:
>Audit-Trail:
>Unformatted: