Subject: bin/29268: ipfilter should be allowed to specify additional flags.
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Takahiro Kambe <taca@back-street.net>
List: netbsd-bugs
Date: 02/07/2005 14:47:00
>Number: 29268
>Category: bin
>Synopsis: ipfilter should be allowed to specify additional flags.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Mon Feb 07 14:47:00 +0000 2005
>Originator: Takahiro Kambe
>Release: NetBSD 2.99.15
>Organization:
Takahiro Kambe
>Environment:
System: NetBSD reef.back-street.net 2.99.15 NetBSD 2.99.15 (CF-R3E) #23: Tue Jan 25 19:12:54 JST 2005 taca@reef.back-street.net:/var/obj/sys/arch/i386/compile/CF-R3E i386
Architecture: i386
Machine: i386
>Description:
There are several options of ipf(8) and some are used in
/etc/rc.d/ipfilter to support its arguments (start, stop and so on).
But currently, it is difficult to specify other arguments to ipf(8).
For example, if I add "-l block" to ipf(8), I must edit
/etc/rc.d/ipfilter directly.
>How-To-Repeat:
Try to specify additional arguments to ipf(8).
>Fix:
Introduce ipf_flags and ipf6_flags shell variables.
Index: etc/rc.d/ipfilter
===================================================================
RCS file: /usr/pkg/libdata/cvs/src/etc/rc.d/ipfilter,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -p -d -u -p -r1.1.1.1 -r1.1.1.1.2.1
--- etc/rc.d/ipfilter 24 Feb 2003 02:15:48 -0000 1.1.1.1
+++ etc/rc.d/ipfilter 27 Jan 2005 07:35:22 -0000 1.1.1.1.2.1
@@ -45,10 +45,10 @@ ipfilter_start()
echo "Enabling ipfilter."
/sbin/ipf -E -Fa
if [ -f /etc/ipf.conf ]; then
- /sbin/ipf -f /etc/ipf.conf
+ /sbin/ipf ${ipf_flags} -f /etc/ipf.conf
fi
if [ -f /etc/ipf6.conf ]; then
- /sbin/ipf -6 -f /etc/ipf6.conf
+ /sbin/ipf -6 ${ipf6_flags} -f /etc/ipf6.conf
fi
}
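Review bot: The two changed ipf invocations in ipfilter_start() still have no exit-status check, so a mistyped value in ipf_flags or ipf6_flags makes the rule load fail unnoticed after `/sbin/ipf -E -Fa` has already enabled the filter and flushed all rules. Test the return value here the way ipfilter_reload() does with `! /sbin/ipf ...` and report the failure, so that a bad flag value does not leave the host running with an empty ruleset and no message at boot.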
@@ -63,10 +63,10 @@ ipfilter_reload()
echo "Reloading ipfilter rules."
/sbin/ipf -I -Fa
- if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
+ if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I ${ipf_flags} -f /etc/ipf.conf; then
err 1 "reload of ipf.conf failed; not swapping to new ruleset."
fi
- if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
+ if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 ${ipf6_flags} -f /etc/ipf6.conf; then
err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
fi
/sbin/ipf -s
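Review bot: The err messages under the changed lines still read "reload of ipf.conf failed" and "reload of ipf6.conf failed", but with ${ipf_flags} and ${ipf6_flags} now on those command lines a rejected flag produces the same message as a broken rules file; name the flags variable in the message so the administrator checks both. The patch as shown touches only etc/rc.d/ipfilter, so ipf_flags and ipf6_flags also need an empty default in etc/defaults/rc.conf and an entry in rc.conf(5); the entry should state that the value is expanded unquoted and is therefore split on whitespace.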
>Unformatted: