conf/166460: WITHOUT_IPFILTER does not remove ipfstat-reliant periodic scripts
Jeremy Chadwick
freebsd at jdc.parodius.com
Wed Mar 28 02:00:23 UTC 2012
>Number: 166460
>Category: conf
>Synopsis: WITHOUT_IPFILTER does not remove ipfstat-reliant periodic scripts
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Mar 28 02:00:22 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Jeremy Chadwick
>Release: FreeBSD 8.2-STABLE amd64
>Organization:
>Environment:
System: FreeBSD icarus.home.lan 8.2-STABLE FreeBSD 8.2-STABLE #0: Fri Feb 10 17:43:50 PST 2012 root at icarus.home.lan:/usr/obj/usr/src/sys/X7SBA_RELENG_8_amd64 amd64
>Description:
First: not sure if I got the right Category. This might be kern
or misc.
Issue was discussed on freebsd-stable here:
http://lists.freebsd.org/pipermail/freebsd-stable/2012-March/066962.html
http://lists.freebsd.org/pipermail/freebsd-stable/2012-March/066978.html (root cause)
When ipfilter is removed from the system via src.conf knob
WITHOUT_IPFILTER, periodic scripts which rely on ipfstat(8) do not
get removed during "make delete-old". This results in errors
like the following during "periodic security" phase:
ipfstat: not found
Root cause appears to be lack of OLD_FILES entries for the two
periodic scripts in question. Patch should fix this. Only tested on
RELENG_8; other adjustments may be needed for RELENG_7 or RELENG_9.
Note that etc/periodic/security/610.ipf6denied is a tricky one: it's both
IPFILTER-related *and* IPv6. So I'm not sure if this removal should go
under the MK_IPFILTER check or the MK_INET6 check.
>How-To-Repeat:
1. Add WITHOUT_IPFILTER=true to /etc/src.conf
2. Rebuild system (world/kernel), mergemaster, etc... -- the usual
3. Run "periodic security" and watch for "ipfstat: not found" messages
>Fix:
Apply below patch:
--- src/tools/build/mk/OptionalObsoleteFiles.inc.orig 2010-11-22 17:39:30.000000000 -0800
+++ src/tools/build/mk/OptionalObsoleteFiles.inc 2012-03-27 18:56:15.167308202 -0700
@@ -605,6 +605,8 @@
OLD_FILES+=usr/share/man/man8/ipmon.8.gz
OLD_FILES+=usr/share/man/man8/ipnat.8.gz
OLD_FILES+=usr/share/man/man8/ippool.8.gz
+OLD_FILES+=etc/periodic/security/510.ipfdenied
+OLD_FILES+=etc/periodic/security/610.ipf6denied
.endif
.if ${MK_IPX} == no
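Review bot: the two added OLD_FILES lines just before `.endif` only handle cleanup through "make delete-old", and nothing in this patch stops 510.ipfdenied and 610.ipf6denied from being installed again by the next etc install or mergemaster run when WITHOUT_IPFILTER is set. Check that the install side for etc/periodic/security is also conditional on MK_IPFILTER, otherwise the "ipfstat: not found" output in "periodic security" will return. On `OLD_FILES+=etc/periodic/security/610.ipf6denied`: keeping it in this block is reasonable, since the script relies on ipfstat(8) regardless of the IPv6 setting; if it should also be removed when IPv6 is disabled, add a second entry under the MK_INET6 check rather than moving this one. If the block is kept in path order, the etc/ entries belong with the other non-man paths rather than after the man8 lines, and a one-line comment noting that these are periodic scripts calling ipfstat(8) would help the next reader.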
>Release-Note:
>Audit-Trail:
>Unformatted: