Subject: Re: ipnat/ipfilter bug?
To: Rasputin <rasputin@idoru.mine.nu>
From: Andrew Doran <ad@netbsd.org>
List: netbsd-users
Date: 05/15/2002 15:53:53
Rasputin <rasputin@idoru.mine.nu> wrote:
> * Dawid Szymański <dawszy@arhea.net> [020515 15:35]:
> > On Wed, May 15, 2002 at 12:42:13PM +0100, Rasputin wrote:
> > =>
> > => Hi there, I think I've found a bug in the rc scripts on 1.5.3RC_2?
> > =>
> > => What seems to happen is that if you restart ipfilter
> > => after a ruleset change, using '/etc/rc.d/ipfilter restart'
> > => the NAT tables are flushed but not repopulated.
> >
> > /etc/rc.d/ipnat restart ?:)
>
> No, no, I can work around it, I'm just saying it violates POLA to
> have the packet filter restart bring down the NAT config.
Use "/etc/rc.d/ipfilter reload" instead:
ipfilter_reload()
{
        echo "Reloading ipfilter rules."
        /sbin/ipf -I -Fa
        if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
                err 1 "reload of ipf.conf failed; not swapping to new ruleset."
        fi
        if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
                err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
        fi
        /sbin/ipf -s
}
Andrew
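The rc.d function quoted above relies on ipf(8)'s inactive ruleset: new rules are loaded with -I while the active set keeps filtering, and -s swaps the two only once the load succeeded, so a syntax error never leaves the host unfiltered and ipnat's tables are never touched. The function below is an added example (not from this mail or from NetBSD's /etc/rc.d/ipfilter) that generalizes the same pattern to any config path and an optional -6 flag; the function name ipf_safe_reload and the IPF variable (which lets a test point it at a stub instead of /sbin/ipf) are assumptions of this example.

```shell
#!/bin/sh
# Added example: fail-safe IPFilter ruleset reload using the inactive set.
# Not the mail's or NetBSD's own code. IPF is assumed to name ipf(8);
# it defaults to /sbin/ipf and can be overridden for testing.

IPF=${IPF:-/sbin/ipf}

# ipf_safe_reload CONFIG [extra ipf flags, e.g. -6]
# Returns 0 after the new rules have been swapped in.
# Returns 1, without swapping, if CONFIG is missing or fails to load,
# so the currently active ruleset keeps filtering.
ipf_safe_reload() {
        conf=$1
        shift
        if [ ! -f "$conf" ]; then
                echo "ipf_safe_reload: $conf not found" >&2
                return 1
        fi
        # Flush the inactive set so nothing from an earlier attempt lingers.
        "$IPF" -I -Fa || return 1
        # Load the new rules into the inactive set; the active set is untouched.
        if ! "$IPF" -I "$@" -f "$conf"; then
                echo "ipf_safe_reload: load of $conf failed; not swapping" >&2
                return 1
        fi
        # Swap active and inactive filter sets atomically. NAT rules managed
        # by ipnat(8) are not affected by this swap.
        "$IPF" -s
}

# Example use (requires root and a real ipf):
#   ipf_safe_reload /etc/ipf.conf
#   ipf_safe_reload /etc/ipf6.conf -6
```

Because the swap is the last step and is skipped on any earlier failure, a bad ruleset is caught in the inactive set rather than in production; the rc.d restart path, by contrast, flushes the active rules first and only then tries to load the new ones.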