Subject: Re: Testers needed: vlan and ipf
To: None <current-users@netbsd.org>
From: Matthias Scheler <tron@zhadum.de>
List: current-users
Date: 10/01/2002 20:56:16
In article <20020929204123.GA2975@antioche.eu.org>,
	Manuel Bouyer <bouyer@antioche.eu.org> writes:
>> Could someone with a working vlan setup try the latest -current with
>> ipf 3.4.29 and test if PR#16278 is still valid?
> yes it's still there.

Not really.

> /etc/rc.d/network has a workaround, which is to call 'ipf -y' once
> the network is up. But with the ipf default as "pass all", there is
> a window where traffic which should be blocked is not.

Yes, indeed.

> A better workaround would be to change /etc/rc.d/network to create
> the needed cloning interfaces, sync ipf, then continue with the
> network setup.
> While there it would be nice if /etc/rc.d/network stop destroyed cloning
> interfaces :)

This patch should accomplish both:

Index: network
===================================================================
RCS file: /cvsroot/basesrc/etc/rc.d/network,v
retrieving revision 1.38
diff -u -r1.38 network
--- network	2002/05/04 13:53:02	1.38
+++ network	2002/10/01 20:54:16
@@ -185,6 +185,13 @@
 		echo -n 'Configuring network interfaces:'
 		for int in $tmp; do
 			eval args=\$ifconfig_$int
+			if [ -n "$args" ] || [ -f /etc/ifconfig.$int ]; then
+				if ifconfig $int create 2>/dev/null && \
+				   checkyesno ipfilter; then
+					# resync ipf(4)
+					ipf -y >/dev/null
+				fi
+			fi
 			if [ -n "$args" ]; then
 				echo -n " $int"
 				ifconfig $int $args
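Review bot: the new `ipf -y` runs once per successfully created interface inside the loop, and it is spelled `ipf -y` while the block it replaces (removed further down in this patch) used `/sbin/ipf -y`; set a flag when any `ifconfig $int create` succeeds and do a single `/sbin/ipf -y` after the loop instead, which keeps the absolute path and avoids one resync per vlan. Also, `2>/dev/null` on the `create` makes a real failure to create a cloning interface silent; that is acceptable here because the following `ifconfig $int $args` will then fail visibly, but a comment saying that the error is deliberately ignored for non-cloning interfaces would help the next reader.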
@@ -193,7 +200,7 @@
 				while read args; do
 					[ -z "$args" ] && continue
 					case "$args" in
-					"#"*)
+					"#"*|create)
 						;;
 					"!"*)
 						eval ${args#*!}
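Review bot: `create)` only matches a line in /etc/ifconfig.$int that consists of exactly that word; a line with trailing whitespace, or `create` followed by further arguments, falls through and is passed on to ifconfig even though the interface has already been created by the loop above. Use a pattern such as `create*)` (or strip surrounding whitespace first) and note in the comment that `create` lines are now ignored because creation happens before the file is read.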
@@ -308,11 +315,6 @@
 		fi
 	fi
 
-	# resync ipf(4)
-	if checkyesno ipfilter; then
-		/sbin/ipf -y
-	fi
-
 	# XXX this must die
 	if [ -s /etc/netstart.local ]; then
 		sh /etc/netstart.local start
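Review bot: removing this final resync drops the safety net for interfaces created by anything other than the `ifconfig $int create` in the loop, for example a `!ifconfig ... create` line handled by the `"!"*)` branch, or /etc/netstart.local which runs right after this point; those interfaces will no longer be known to ipf(4) until something else calls `ipf -y`. Either keep a single `/sbin/ipf -y` here (it is cheap and idempotent) or state in the commit message that only interfaces created by the loop are covered.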
@@ -360,6 +362,11 @@
 			if [ -n "$args" ] || [ -f /etc/ifconfig.$int ]; then
 				echo -n " $int"
 				ifconfig $int down
+				if ifconfig $int destroy 2>/dev/null && \
+				   checkyesno ipfilter; then
+					# resync ipf(4)
+					ipf -y >/dev/null
+				fi
 			fi
 		done
 		echo "."
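Review bot: same per-interface resync as on the start path; a single `/sbin/ipf -y` after the loop, guarded by a flag set when any `destroy` succeeds, would do. The comment `# resync ipf(4)` should also say why: the destroyed interface must be dropped from ipf's interface list, otherwise rules still refer to it. Since `stop` now destroys every interface that has an `ifconfig_$int` variable or an /etc/ifconfig.$int file, that behaviour change belongs in the script header or the commit message.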
@@ -369,12 +376,7 @@
 	#
 	route -n flush
 
-	# resync ipf(4)
-	if checkyesno ipfilter; then
-		/sbin/ipf -y
-	fi
-
 }
 
-load_rc_config $name
+load_rc_config $name ipfilter
 run_rc_command "$1"
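Review bot: `load_rc_config $name ipfilter` passes a second name, which only has an effect if the rc.subr in use sources /etc/rc.conf.d/ipfilter for it; confirm that it does, and add a one-line comment explaining that the extra name is there so the `checkyesno ipfilter` calls above see the same setting as /etc/rc.d/ipfilter. As with the start path, removing the trailing `/sbin/ipf -y` from `stop` means an interface destroyed outside this loop is no longer removed from ipf's interface list; if that is intended, say so in the commit message.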

Could you please test it?

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/