The following reply was made to PR kern/132554; it has been noted by GNATS.

From: Jason Loretz <[email protected]>
To: [email protected], [email protected]
Cc:  
Subject: Re: kern/132554: [ipl] There is no ippool start script/ipfilter magic to load them
Date: Fri, 4 Dec 2009 23:10:12 -0500

 The ippools feature is quite useful and would be nice to have automatically 
start with the IPF startup script (as part of FreeBSD rather than a system 
administrator insert/tweak). The actual functionality already exists in the 
current 7.1 release and just needs hooks to properly start up and reload/flush 
configurations in sync with ipfilter. It appears that this functionality should 
reside in the ipfilter rc.d script, since ippools will not work until "ipf -E" 
has been executed but also need to be configured previous to the "ipf -f" 
commands. Therefore I submit these diffs as a possible solution, which will 
provide the appropriate rc.conf options and modifications to rc.d/ipfilter to 
make it load and flush in the correct places during the ipf configuration. I 
took a stab (which still needs work) at modifications to the firewall handbook 
page to include information on ippools. This no doubt will need some work if it 
can be included.
 
 Thanks, Jason
 
 --- rc.conf.diff begins here ---
 --- /usr/src/etc/defaults/rc.conf      2008-11-24 21:59:29.000000000 -0500
 +++ /etc/defaults/rc.conf      2009-11-30 20:43:10.000000000 -0500
 @@ -152,6 +152,12 @@
  ipfilter_rules="/etc/ipf.rules"       # rules definition file for ipfilter, 
see
                                # /usr/src/contrib/ipfilter/rules for examples
  ipfilter_flags=""             # additional flags for ipfilter
 +ipfilter_ippool_enable="NO"   # Set to YES to enable ippool functionality
 +ippool_program="/sbin/ippool" # where the ippool program lives
 +ippool_rules="/etc/ippool.conf"       # rules definition file for ippool, see 
    
 +                              # /usr/src/contrib/ipfilter/rules/pool.conf
 +                              # for example
 +ippool_flags=""                       # additional flags for ippool
  ipnat_enable="NO"             # Set to YES to enable ipnat functionality
  ipnat_program="/sbin/ipnat"   # where the ipnat program lives
  ipnat_rules="/etc/ipnat.rules"        # rules definition file for ipnat
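Review bot: the enable knob is named `ipfilter_ippool_enable` while its three companions use the `ippool_` prefix (`ippool_program`, `ippool_rules`, `ippool_flags`), which breaks the pattern the adjacent ipnat block follows (`ipnat_enable`, `ipnat_program`, `ipnat_rules`); consider `ippool_enable="NO"` so the knob sorts and reads like the others, and rename the matching `checkyesno` calls in the rc.d/ipfilter diff accordingly. The `ippool_rules` comment is also wrapped onto a broken continuation line here, so make sure the committed file keeps it on one line like the `ipfilter_rules` entry above it.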
 --- rc.conf.diff ends here ---
 
 --- ipfilter.diff begins here --- 
 --- /usr/src/etc/rc.d/ipfilter 2008-11-24 21:59:29.000000000 -0500
 +++ /etc/rc.d/ipfilter 2009-12-01 09:19:43.000000000 -0500
 @@ -33,6 +33,14 @@
        if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
                ${ipfilter_program:-/sbin/ipf} -E
        fi
 +      if checkyesno ipfilter_ippool_enable; then
 +              if [ -r "${ippool_rules}" ]; then
 +                      echo "Loading ippool rules."
 +                      ${ippool_program:-/sbin/ippool} \
 +                          -f "${ippool_rules}" ${ippool_flags}
 +              fi
 +      fi
 +      echo "Loading ipfilter rules."
        ${ipfilter_program:-/sbin/ipf} -Fa
        if [ -r "${ipfilter_rules}" ]; then
                ${ipfilter_program:-/sbin/ipf} \
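Review bot: the pool load at the top of this hunk runs without a preceding flush and ignores its exit status. Since `ipf -E` is only executed when `fr_running` is 0, a start against an already-running ipfilter can find pools from an earlier load still present, and a rejected `${ippool_rules}` is followed straight by `ipf -Fa` and the rule load, leaving any rule that references the pool to fail on its own. Suggest flushing first, as the reload hunk already does, and reporting the result, e.g. `${ippool_program:-/sbin/ippool} -f "${ippool_rules}" ${ippool_flags} || warn "ippool rules failed to load"`.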
 @@ -58,8 +66,16 @@
  
  ipfilter_reload()
  {
 -      echo "Reloading ipfilter rules."
 +      if checkyesno ipfilter_ippool_enable; then
 +              if [ -r "${ippool_rules}" ]; then
 +                      echo "Reloading ippool rules."
 +                      ${ippool_program:-/sbin/ippool} -F
 +                      ${ippool_program:-/sbin/ippool} \
 +                          -f "${ippool_rules}" ${ippool_flags}
 +              fi
 +      fi
  
 +      echo "Reloading ipfilter rules."
        ${ipfilter_program:-/sbin/ipf} -I -Fa
        if [ -r "${ipfilter_rules}" ]; then
                ${ipfilter_program:-/sbin/ipf} -I \
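Review bot: `ippool -F` here empties the active pools before the replacement rule set is built with `ipf -I`, so the rules currently in force keep running against empty pools until the following `ippool -f` completes, and if that load fails the old pools are gone while the old rules stay active. The inactive-set mechanism that `-I -Fa` gives the ipfilter rules has no counterpart for pools in this hunk; at minimum check the status of the `ippool -f` line and report it, so a broken pool file shows up at reload time rather than as unexplained passed or dropped traffic. Note also the unreadable-file case: when `${ippool_rules}` is missing the pools are silently left as they were while the rules are still reloaded.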
 --- ipfilter.diff ends here ---
 
 --- chapter.sgml.diff begins here ---
 --- /usr/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml     
2009-11-27 12:11:33.000000000 -0500
 +++ /tmp/chapter.sgml  2009-12-04 20:19:23.000000000 -0500
 @@ -653,6 +653,16 @@
                                    # v = log tcp window, ack, seq
                                    # n = map IP &amp; port to 
names</programlisting>
  
 +      <para>If the use of ippools is desired, the following lines need to be
 +        added to enable the ippool functionality:</para>
 +
 +      <programlisting>ipfilter_ippool_enable="NO"     # Set to YES to enable 
ippool functionality
 +ippool_program="/sbin/ippool"   # where the ippool program lives
 +ippool_rules="/etc/ippool.conf" # rules definition file for ippool, see     
 +                                # /usr/src/contrib/ipfilter/rules/pool.conf
 +                                # for example
 +ippool_flags=""                 # additional flags for ippool</programlisting>
 +
        <para>If there is a LAN behind this firewall that uses the
        reserved private IP address ranges, the following lines will have to
        be added to enable <acronym>NAT</acronym>
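Review bot: the new paragraph says these lines "need to be added to enable the ippool functionality", but the listing that follows shows `ipfilter_ippool_enable="NO"`, which leaves it disabled; the handbook example should show `"YES"` (the `NO` default already lives in the rc.conf hunk). The first listing line is also wrapped mid-comment in this hunk, so check that the committed SGML keeps each variable on one line, matching the `ipfilter_*` listing just above it.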
 @@ -701,6 +711,26 @@
      </sect2>
  
      <sect2>
 +      <title>IPPOOL</title>
 +
 +      <indexterm><primary><command>ippool</command></primary></indexterm>
 +
 +      <para>The &man.ippool.8; command is used to load your ippool
 +        configuration file. The following commands can be used to flush
 +        the loaded pools from the kernel and then load a pool configuration
 +        from a file:</para>
 +
 +      <screen>&prompt.root; <userinput>ippool -F</userinput>
 +        &prompt.root; <userinput>ippool -f 
/etc/ippool.conf</userinput></screen>
 +
 +      <para>See the &man.ippool.8; manual page for details on the other
 +        flags available with this command.</para>
 +
 +      <para>The &man.ippool.8; command expects the configuration file to be a
 +        standard text file.</para>
 +    </sect2>
 +
 +    <sect2>
        <title>IPFSTAT</title>
  
        <indexterm><primary><command>ipfstat</command></primary></indexterm>
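Review bot: inside `<screen>` leading whitespace is significant, so the second `&prompt.root;` line, indented eight spaces in this hunk, will render indented relative to the first; start both prompt lines at the left margin. The closing paragraph ("expects the configuration file to be a standard text file") tells the reader nothing about how a pool is written; point to the example file the rc.conf hunk already names, `/usr/src/contrib/ipfilter/rules/pool.conf`, or show a minimal pool definition, and state that pools must be loaded before the ipf rules that reference them, which is the ordering the rc.d change exists to enforce.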
 --- chapter.sgml.diff ends here ---
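As an added illustration, not code from the PR or from rc.d/ipfilter: the start and reload sequences introduced by ipfilter.diff replayed with stub ipf and ippool functions that only record their invocation order, so the ordering (ipf -E, then pools, then rules; flush and reload pools before the inactive rule set) can be checked without a kernel. checkyesno() is a stand-in for the rc.subr function, the file paths are constructed, and ippool_fail simulates a rejected pool file.

```shell
#!/bin/sh
# Added example, not part of the PR or of rc.d/ipfilter: replay the start and
# reload sequences from ipfilter.diff with ipf/ippool replaced by stubs that
# only record their calls, so the ordering can be checked without a kernel.
# checkyesno() stands in for the rc.subr function; paths are constructed.

ipfilter_ippool_enable="YES"
ippool_rules=$(mktemp)              # constructed stand-in for /etc/ippool.conf
trap 'rm -f "$ippool_rules"' EXIT
ipfilter_rules="/etc/ipf.rules"     # only handed to the stub, never read
ippool_fail=0                       # set to 1 to simulate a rejected pool file

CALLS=""
record() { CALLS="${CALLS}${CALLS:+;}$*"; }
ipf()    { record "ipf $*"; }
ippool() {
    record "ippool $*"
    if [ "$1" = -f ]; then return "$ippool_fail"; fi
    return 0
}
checkyesno() {
    eval _v=\$$1
    case "$_v" in [Yy][Ee][Ss]) return 0 ;; *) return 1 ;; esac
}
# $1 stands in for `sysctl -n net.inet.ipf.fr_running`; prints the call order.
model_start() {
    CALLS=""
    if [ "$1" -le 0 ]; then ipf -E; fi          # pools need the device enabled
    if checkyesno ipfilter_ippool_enable; then
        if [ -r "$ippool_rules" ]; then
            # the patch does not test the status: a rejected file is not fatal
            ippool -f "$ippool_rules" || record "pool load failed, continuing"
        fi
    fi
    ipf -Fa
    ipf -f "$ipfilter_rules"                    # rules may now reference pools
    echo "$CALLS"
}

model_reload() {
    CALLS=""
    if checkyesno ipfilter_ippool_enable; then
        if [ -r "$ippool_rules" ]; then
            ippool -F                           # active pools are gone from here
            ippool -f "$ippool_rules" || record "pool load failed, continuing"
        fi
    fi
    ipf -I -Fa                                  # new rules go to the inactive set
    ipf -I -f "$ipfilter_rules"
    echo "$CALLS"
}
```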