Subject: misc/28757: /etc/rc.d/ipfilter with no IPV6
To: None <misc-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <jdwhite@jdwhite.org>
List: netbsd-bugs
Date: 12/22/2004 22:09:00
>Number:         28757
>Category:       misc
>Synopsis:       /etc/rc.d/ipfilter does not consistently check for IPV6 support
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 22 22:09:00 +0000 2004
>Originator:     Jason White
>Release:        NetBSD 2.0
>Organization:
Jason White (jdwhite@jdwhite.org)        http://www.jdwhite.org/~jdwhite
Jabber:jdwhite(jabber.org)              IRC:irc.netbsd.org/{jdwhite,jdw}
PGP KeyID: 0x5290E477/A8A2 3FDB AB33 98EB ED74  EDAA F538 9A30 5290 E477
>Environment:
System: NetBSD wombats.yi.org 2.0 NetBSD 2.0 (WOMBATS) #8: Mon Nov 29 21:18:07 CST 2004  gendalia@satai:/usr/obj/i386/WOMBATS i386
Architecture: i386
Machine: i386
>Description:
	On systems with no IPv6 support /etc/rc.d/ipfilter issues flush
commands during 'start' and 'reload' that result in "ioctl(SIOCIPFL6): 
Invalid argument" errors.

>How-To-Repeat:
	Invoke /etc/rc.d/ipfilter on a system with no IPv6 in kernel.

>Fix:
	Check for existence of /etc/ipf.conf and /etc/ipf6.conf before 
*every* v4 and v6 flush.  Patch follows.

 diff -u ipfilter.orig ipfilter
--- ipfilter.orig       2004-12-22 15:28:37.000000000 -0600
+++ ipfilter    2004-12-22 15:55:23.000000000 -0600
@@ -44,8 +44,12 @@
 {
        echo "Enabling ipfilter."
        /sbin/ipf -E
-       /sbin/ipf -Fa
-       /sbin/ipf -6 -Fa
+       if [ -f /etc/ipf.conf ]; then
+               /sbin/ipf -Fa
+       fi
+       if [ -f /etc/ipf6.conf ]; then
+               /sbin/ipf -6 -Fa
+       fi
        if [ -f /etc/ipf.conf ]; then
                /sbin/ipf -f /etc/ipf.conf
        fi
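Review bot: the guards added around the two flushes at the top of this hunk test for the rules files, not for IPv6 support in the kernel, so a host without IPv6 that still has /etc/ipf6.conf will run `/sbin/ipf -6 -Fa` and would presumably hit the same ioctl error. Separately, a host with no /etc/ipf.conf no longer gets its v4 rules flushed on start, whereas the removed lines flushed unconditionally; if that change is intended it deserves a comment in the script. If flushing and loading one family before the other is acceptable, the added `[ -f /etc/ipf.conf ]` test could be folded into the identical test that follows it.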
@@ -64,8 +68,12 @@
 {
        echo "Reloading ipfilter rules."
 
-       /sbin/ipf -I -Fa
-       /sbin/ipf -6 -I -Fa
+       if [ -f /etc/ipf.conf ]; then
+               /sbin/ipf -I -Fa
+       fi
+       if [ -f /etc/ipf6.conf ]; then
+               /sbin/ipf -6 -I -Fa
+       fi
        if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
                err 1 "reload of ipf.conf failed; not swapping to new ruleset."
        fi
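Review bot: in the reload hunk, skipping `/sbin/ipf -I -Fa` when /etc/ipf.conf is missing leaves the inactive v4 set unflushed, and the err message a few lines down implies the inactive set is swapped in later, so whatever was left there could become the active ruleset. Consider keeping the v4 flush unconditional and guarding only the `-6` flush, preferably on a check for kernel IPv6 support rather than on the presence of /etc/ipf6.conf, with a comment explaining why the guard exists.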


If it's permissible to flush and load v4, then flush and load v6, then 
we'd only need to check for /etc/ipf.conf and /etc/ipf6.conf once during 
start and reload, but since the original script flushed both v4 and v6 
before loading v4 and v6 I followed the same pattern.