Subject: Re: IPF in our source tree
To: None <tech-kern@NetBSD.org>
From: Martin Husemann <martin@duskware.de>
List: tech-kern
Date: 06/16/2007 02:14:43
On Tue, Jun 05, 2007 at 07:34:40AM +0200, Bernd Ernesti wrote:
> On Tue, Jun 05, 2007 at 07:46:01AM +0300, Martti Kuparinen wrote:
> > ROOT n106:~> ipf -V
> > ipf: IP Filter: v4.1.22 (396)
> > Kernel: IP Filter: v4.1.22
> > Running: yes
> ^^^
>
> And that is the 'problem' with this kind of change.
> Loading the lkm with this change enabled ipfilter at load time.
I checked why this happens and it is due to a change in 2004, where
the lkm was ~completely replaced. I agree with Bernd that loading
the lkm should not automatically enable the filter, and it is easy to fix
(see patch attached).
I'm about to import ipf 4.1.23 tomorrow; since this change to the LKM is
unrelated (and apparently unrelated to the function name), it should be done
separately.
Martin
Content-Disposition: attachment; filename=patch
Index: sys/lkm/netinet/if_ipl/mln_ipl.c
===================================================================
RCS file: /home/martin/netbsd/work/cvsroot/src/sys/lkm/netinet/if_ipl/mln_ipl.c,v
retrieving revision 1.39
diff -c -u -r1.39 mln_ipl.c
--- sys/lkm/netinet/if_ipl/mln_ipl.c 4 Jun 2007 12:38:59 -0000 1.39
+++ sys/lkm/netinet/if_ipl/mln_ipl.c 15 Jun 2007 23:47:17 -0000
@@ -76,38 +76,32 @@
if_ipl_lkmload(struct lkm_table *lkmtp, int cmd)
{
const char *defpass;
- int error;
if (lkmexists(lkmtp))
return (EEXIST);
- error = ipfattach();
- if (error == 0) {
- if (FR_ISPASS(fr_pass))
- defpass = "pass";
- else if (FR_ISBLOCK(fr_pass))
- defpass = "block";
- else
- defpass = "no-match -> block";
+ if (FR_ISPASS(fr_pass))
+ defpass = "pass";
+ else if (FR_ISBLOCK(fr_pass))
+ defpass = "block";
+ else
+ defpass = "no-match -> block";
- printf("%s initialized. Default = %s all, Logging = %s%s\n",
- ipfilter_version, defpass,
+ printf("%s initialized. Default = %s all, Logging = %s%s\n",
+ ipfilter_version, defpass,
#ifdef IPFILTER_LOG
- "enabled",
+ "enabled",
#else
- "disabled",
+ "disabled",
#endif
#ifdef IPFILTER_COMPILED
- " (COMPILED)"
+ " (COMPILED)"
#else
- ""
+ ""
#endif
- );
+ );
- fr_running = 1;
- }
-
- return (error);
+ return 0;
}
static int
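Review bot: with the ipfattach() call and its error handling removed from if_ipl_lkmload(), the message `"%s initialized. Default = %s all, Logging = %s%s\n"` now overstates the state of the module: nothing has been attached and fr_running is no longer set, so the filter is loaded but inactive until an explicit `ipf -E`. Consider printing "loaded" and stating that the filter is disabled, so an operator reading the console does not assume traffic is already being filtered. Also, `return 0;` drops the parenthesised style used a few lines above in the same function (`return (EEXIST);`); keep one style within the function.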
@@ -120,8 +114,7 @@
if (error == 0)
fr_running = -1;
}
- if (error == 0)
- printf("%s unloaded\n", ipfilter_version);
+ printf("%s unloaded\n", ipfilter_version);
- return (error);
+ return error;
}
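Review bot: the `"%s unloaded\n"` message becomes unconditional, so it is printed even when the detach path above left `error != 0`, in which case the LKM framework will presumably refuse the unload and the message is misleading; either keep the printf under `if (error == 0)` or print the error in the failure case. `return error;` also changes the file's `return (error);` style for no functional reason.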
Index: dist/ipf/man/ipf.8
===================================================================
RCS file: /home/martin/netbsd/work/cvsroot/src/dist/ipf/man/ipf.8,v
retrieving revision 1.12
diff -c -u -r1.12 ipf.8
--- dist/ipf/man/ipf.8 15 May 2007 22:52:22 -0000 1.12
+++ dist/ipf/man/ipf.8 16 Jun 2007 00:01:32 -0000
@@ -55,10 +55,10 @@
it processes each one.
.TP
.B \-D
-Disable the filter (if enabled). Not effective for loadable kernel versions.
+Disable the filter (if enabled).
.TP
.B \-E
-Enable the filter (if disabled). Not effective for loadable kernel versions.
+Enable the filter (if disabled).
.TP
.BR \-F \0<i|o|a>
This option specifies which filter list to flush. The parameter should
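Review bot: dropping "Not effective for loadable kernel versions." from -D and -E is consistent with the LKM no longer enabling the filter itself, but the manual should then state the converse for LKM users: after the module is loaded the filter is inactive until `ipf -E` is run. A sentence under -E (or in the description) saying so would avoid a loaded-but-not-filtering surprise.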