tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

The rcd script for ippools


the IP Filter ippool(8) facility is very convenient feature when you're
required to reference a group of IP addresses for which aggregation is
not possible. As the ippools are rare used in simple (or continuous)
networks it seem was a reason for missing the usual way to load them
from within rc.d scripts framework. Therefore I'd like to share my
rcd patch for ippools management.

The ippools are using standalone ippool(8) utility for pools
manipulation, and it may seem that dedicated rc.d/ippool script
should be used, but please take the following caveats in account:

- ippools can be loaded only after ipf was enabled (via ipf -E), it
  would lead to duplicating code from rc.d/ipfilter

- if ipf rules are referring to non-existent (or just not yet loaded)
  pools the corresponding rules will not be loaded therefore leaving
  your firewall malfunctioning as long as much it would took to fix
  all errors. In such case ipf can fall back to previous rules, but
  they may not coincide with new pools anymore

- when you're changing ippool tables layout, the ipf has to be
  reloaded. Reload isn't required on address list alteration within a
  pool, but from own experience I found that list of networks is
  changed far more rare than pools configuration itself (i.e.
  particularly pools/tables numbering)

For the reasons above I decided to integrate ippool into rc.d/ipfilter
(although initially I used it as separate rcd script for some time).
Please take a look to the patch attached.

And, of course, any comments and objections are welcome.

Index: ipfilter
RCS file: /cvsroot/src/etc/rc.d/ipfilter,v
retrieving revision 1.18
diff -u -r1.18 ipfilter
--- ipfilter    23 Mar 2009 18:52:02 -0000      1.18
+++ ipfilter    10 Nov 2009 16:28:39 -0000
@@ -46,9 +46,16 @@
        if [ -f /etc/ipf6.conf ]; then
                /sbin/ipf -6 -Fa
+       if [ -f /etc/ippool.conf ]; then
+               echo -n "ippool: "
+               /usr/sbin/ippool -F
+       fi
-               # Now load the config files
+               # Now load the config files, with pools first
+       if [ -f /etc/ippool.conf ]; then
+               /usr/sbin/ippool -f /etc/ippool.conf
+       fi
        if [ -f /etc/ipf.conf ]; then
                /sbin/ipf -f /etc/ipf.conf
@@ -76,15 +83,35 @@
                /sbin/ipf -6 -I -Fa
-               # Now load the config files into the Inactive set
+               # The ipf requires ipfilter pools loaded first.
+               # As ippool doesn't supports inactive sets we should
+               # check its syntax, backup old configuration, and
+               # install new pools to allow ipf load new rulesets
+               #
+       ippool_conf_old=""
+       if [ -f /etc/ippool.conf ]; then
+               if ! /usr/sbin/ippool -f /etc/ippool.conf -n; then
+                       err 1 "ippool.conf syntax check failed; aborting."
+               fi
+               ippool_conf_old=$(/usr/sbin/ippool -l)
+               /usr/sbin/ippool -F > /dev/null
+               /usr/sbin/ippool -f /etc/ippool.conf
+       fi
+               # Now load the config files into the Inactive set,
+               # and restore ippool configuration in case of failure
        if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
+               if [ -n "$ippool_conf_old" ]; then
+                       /usr/sbin/ippool -F > /dev/null
+                       echo "$ippool_conf_old" | /usr/sbin/ippool -f -
+               fi
                err 1 "reload of ipf.conf failed; not swapping to new ruleset."
        if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
                err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
                # Swap in the new rules
        /sbin/ipf -s

Home | Main Index | Thread Index | Old Index