RELENG_5 kernel b0rken with IPFIREWALL and without PFIL_HOOKS

Jonathan T. Sage sagejona at
Thu Aug 19 09:19:02 PDT 2004

Barney Wolff wrote:

> Sure, invoking ipfw directly works fine when ipfw's compiled into the kernel,
> as does dotting /etc/rc.firewall.  But /etc/rc.d/ipfw is what's run at
> boot time, and that would seem, at least as I read it, to require that
> ipfw be a module, not compiled in.

no, it doesn't, kinda.

         if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then

if the sysctl item net.inet.ip.fw.enable does NOT exist, then try and 
load the module.  otherwise, return 0 (all ok)

                 if ! kldload ipfw; then
                         warn unable to load firewall module.
                         return 1

it is failing because the net.inet.ip.fw.enable sysctl was removed.  the 
script needs to be updated to rely on one of the still existing sysctls. 
as of right now, with no edits, the script cannot complete successfully 
unless ipfw is left as a module.  No doubt this will be fixed shortly.

Jonathan T. Sage
Theatrical Lighting / Set Designer
Professional Web Design

"He said he likes me, but he's not in-like with me."- Connie, King of 
the Hill

[sagejona at]
[See Headers for Contact Info]
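
The check quoted in the message above, beside a variant that probes more than one sysctl, as an added example (not the FreeBSD rc.d script and not code from the poster). The function names, the stubs and the OID `net.inet.ip.fw.example_other` are hypothetical; that `kldload ipfw` fails when ipfw is compiled in is assumed from the post.

```shell
#!/bin/sh
# Added example. SYSCTL and KLDLOAD are overridable so the logic can be
# exercised with the constructed stubs below instead of a FreeBSD kernel.
: "${SYSCTL:=sysctl}"
: "${KLDLOAD:=kldload}"

# The check from the post: a single sysctl decides whether ipfw is present.
# Returns 0 if the sysctl exists or the module loads, 1 otherwise.
ipfw_ensure_single() {
    if ! ${SYSCTL} "$1" > /dev/null 2>&1; then
        if ! ${KLDLOAD} ipfw > /dev/null 2>&1; then
            echo "unable to load firewall module." >&2
            return 1
        fi
    fi
    return 0
}

# Variant: ipfw counts as present if ANY candidate sysctl exists, so the
# removal of one OID does not make a compiled-in firewall look absent.
ipfw_ensure_any() {
    for oid in "$@"; do
        if ${SYSCTL} "$oid" > /dev/null 2>&1; then
            return 0
        fi
    done
    if ! ${KLDLOAD} ipfw > /dev/null 2>&1; then
        echo "unable to load firewall module." >&2
        return 1
    fi
    return 0
}

# Constructed stubs: FAKE_OIDS lists the sysctls that "exist" (space
# separated); stub_kldload fails, as assumed for a compiled-in ipfw.
stub_sysctl() {
    case " ${FAKE_OIDS} " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}
stub_kldload() { return 1; }
```

With `SYSCTL=stub_sysctl KLDLOAD=stub_kldload` and `FAKE_OIDS` lacking `net.inet.ip.fw.enable`, `ipfw_ensure_single net.inet.ip.fw.enable` returns 1 (the boot-time failure described), while `ipfw_ensure_any` succeeds as long as one listed OID is present.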

More information about the freebsd-current mailing list