Subject: bin/20786: check for rcvar in /etc/rc.d/* scripts can fail when it shouldn't
To: None <gnats-bugs@gnats.netbsd.org>
From: None <pavel.cahyna@st.mff.cuni.cz>
List: netbsd-bugs
Date: 03/18/2003 08:50:58
>Number: 20786
>Category: bin
>Synopsis: check for rcvar in /etc/rc.d/* scripts can fail when it shouldn't
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 18 08:52:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Pavel Cahyna
>Release: 1.6_STABLE
>Organization:
>Environment:
>Description:
I had a problem with ipfilter/ipnat on boot which turned out to be a
problem with the rc scripts.
In /etc/rc.d/ipnat, a check for the ipfilter variable is performed:
    if ! checkyesno ipfilter || [ ! -f /etc/ipf.conf ]; then
        logger -s -p daemon.warning -t ipnat \
            "Enabling ipfilter for NAT."
        /sbin/ipf -E -Fa
    fi
I have ipfilter turned on, as I use both ipfilter and ipnat. So
checkyesno should succeed and the code between if and fi should not
be executed.
But the ipfilter variable is not set in /etc/rc.conf, but in
/etc/rc.conf.d/ipfilter. (I believe this is perfectly legal,
according to rc.conf(5).)
The ipnat script doesn't take the variables from
/etc/rc.conf.d/ipfilter, but only from /etc/rc.conf and
/etc/rc.conf.d/ipnat. So the script will incorrectly think that the
variable is not set, and the ipfilter rules are flushed.
A similar problem affects e.g. /etc/rc.d/nfsd, because it checks for
mountd and rpcbind, but will ignore them if they are set in
/etc/rc.conf.d/{mountd,rpcbind} and not in /etc/rc.conf.
IMHO the rc system should not break in this way when variables are
set in /etc/rc.conf.d/. If it does, the whole /etc/rc.conf.d/ becomes
useless, if not harmful.
>How-To-Repeat:
Enable ipfilter by setting ipfilter=YES in /etc/rc.conf.d/ipfilter.
Enable ipnat. Reboot and see the ipnat script printing the "Enabling
ipfilter for NAT" message which should not appear. At this moment,
the ipfilter rules are flushed.
>Fix:
I believe the fix is simple. Add the line
    load_rc_config ipfilter
to /etc/rc.d/ipnat. And the same should be done for all the rc
scripts which check "foreign" rc variables.
For example:
nfslocking checks for nfs_server, which can be set in
/etc/rc.conf.d/nfsd.
network checks for dhclient, which can be set in .../dhclient.
amd, yppasswd, ypserv, nfsd check for rpcbind, which can be set in
.../rpcbind.
nfsd checks for mountd, which can be set in .../mountd.
yppasswd checks for ypserv, which can be set in .../ypserv.
(Those examples were found by running "grep required_vars *" and
"grep checkyesno *" in /etc/rc.d.)
>Release-Note:
>Audit-Trail:
>Unformatted:
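
The grep-based search described under >Fix:, turned into a repeatable audit (an added example, not part of the original report and not NetBSD code). The function names and sample files are constructed for illustration; the script assumes a checked variable is named after the service whose /etc/rc.conf.d/<service> file may set it.

```shell
#!/bin/sh
# Added example, not NetBSD code. Heuristic: assumes a checked variable is
# named after the service whose /etc/rc.conf.d/<service> file may set it
# (true for ipfilter, mountd, rpcbind; nfs_server needs a manual look).

# checked_vars FILE: names passed to checkyesno or listed in required_vars.
checked_vars() {
    {
        grep -Eo 'checkyesno[[:space:]]+[A-Za-z_][A-Za-z0-9_]*' "$1" |
            awk '{ print $2 }'
        sed -n 's/^[[:space:]]*required_vars="\([^"]*\)".*/\1/p' "$1" |
            tr ' ' '\n'
    } | sed '/^$/d' | sort -u
}

# audit_rcd DIR: print "script: var" for each foreign variable that the
# script checks without a literal "load_rc_config var".
audit_rcd() {
    for script in "$1"/*; do
        [ -f "$script" ] || continue
        own=$(sed -n 's/^name="\{0,1\}\([A-Za-z0-9_]*\)"\{0,1\}$/\1/p' "$script" | head -n 1)
        [ -n "$own" ] || own=${script##*/}
        for var in $(checked_vars "$script"); do
            [ "$var" = "$own" ] && continue
            grep -Eq "load_rc_config[[:space:]]+$var([[:space:]]|\$)" "$script" &&
                continue
            echo "${script##*/}: $var"
        done
    done
}

# Constructed sample: the ipnat check quoted in the report, before and
# after adding the proposed "load_rc_config ipfilter" line.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'name="ipnat"' 'load_rc_config $name' \
        'if ! checkyesno ipfilter || [ ! -f /etc/ipf.conf ]; then' \
        '    /sbin/ipf -E -Fa' 'fi' > "$d/ipnat"
    { cat "$d/ipnat"; echo 'load_rc_config ipfilter'; } > "$d/ipnat_fixed"
    audit_rcd "$d"
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_rcd "$1"; else demo; fi
```

Run with a directory argument (for example /etc/rc.d) to audit real scripts; with no argument it runs the constructed sample.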