Hi, I would like your comments about the attached patch to /etc/rc.
The problem I want to fix by this patch is as follows.
net.inet{,6}.fw.enable are set to 1 by default at boot time if IPFW
kernel module is loaded or statically compiled into a kernel. And by
default IPFW has only a "deny ip from any to any" rule if it is
compiled without IPFIREWALL_DEFAULT_TO_ACCEPT option. In this case,
the default-deny rule can prevent rc.d scripts before rc.d/ipfw from
working as described in the patch.
To fix this, the patch turns IPFW off before running rc.d scripts at
boot time, and enables it again in rc.d/ipfw script.
I think most users use the GENERIC kernel + ipfw kernel module. In
that case, IPFW is not activated before the rc.d/ipfw script regardless
of this patch, so there is no user-visible change. This patch
affects only the combination of a kernel with IPFW compiled in and rc.d
scripts running before rc.d/ipfw. The behavior will be almost the
same as with the GENERIC kernel + ipfw kernel module.
Please let me know if I am missing something.
-- Hiroki
Index: etc/rc
===================================================================
--- etc/rc (revision 271853)
+++ etc/rc (working copy)
@@ -87,6 +87,17 @@
fi
fi
+# Clear *.fw.enable sysctls. At boot time, some of network initialization
+# before rc.d/ipfw script requires network communications (e.g. DHCP and
+# IPv6 Duplicate Address Detection). When *.fw.enable=1 and "default deny"
+# policy was applied---this can happen when IPFW is complied into the kernel
+# or ipfw kernel module is loaded by loader before rc.d/ipfw runs, those
+# comminucations are blocked. To prevent this, set *.fw.enable=0 before
+# calling rc.d scripts. The rc.d/ipfw script set this to 1 after
+# configuration.
+/sbin/sysctl -q net.inet.ip.fw.enable=0
+/sbin/sysctl -q net.inet6.ip6.fw.enable=0
+
# If the firstboot sentinel doesn't exist, we want to skip firstboot scripts.
if ! [ -e ${firstboot_sentinel} ]; then
skip_firstboot="-s firstboot"
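Review bot: The two unconditional `sysctl ... fw.enable=0` lines turn the firewall off for every boot, including the case where an administrator built IPFW into the kernel with default deny and left firewall_enable unset in rc.conf; since rc.d/ipfw is what sets the knob back to 1, such a host now finishes booting with no packet filtering at all instead of with the default-deny rule, which contradicts "there is no user-visible change" in the cover mail. Consider gating the two lines on the same condition that makes rc.d/ipfw run (firewall_enable="YES"), or documenting the new early-boot window in which DHCP/DAD and any other traffic pass unfiltered until rc.d/ipfw re-enables the rules, so that users who chose a compiled-in default-deny kernel know the policy no longer applies from the first packet. Minor, in the comment block: "complied" should be "compiled", "comminucations" should be "communications", "The rc.d/ipfw script set this" should be "sets this", and the "---" clause opened after "policy was applied" is never closed; a matching "---" before "those" would make it read correctly.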