Subject: Re: pf's rc.d script & startup priority
To: Luke Mewburn <lukem@NetBSD.org>
From: Peter Postma <peter@pointless.nl>
List: tech-security
Date: 08/08/2005 02:45:49

On Mon, Aug 08, 2005 at 10:27:10AM +1000, Luke Mewburn wrote:
> On Mon, Aug 08, 2005 at 02:14:01AM +0200, Peter Postma wrote:
>   | > 	Does rc.d/pf rely upon /usr as part of its startup?
>   | > 	I don't think it does, unless pfspamd [from pkgsrc?]
>   | > 	or other /usr-located programs are needed by pf.
>   | > 
>   | 
>   | Yes, if used as LKM. But if we start it after the LKMs then it should be
>   | fine.
> 
> That could introduce a weird dependency ordering;
> this will probably only work if pf is a BEFORENET lkm
> (in lkm.conf) which means that /usr needs to be available 
> for this to work.
> Testing this theory will be required.
> 

Ok, but being a BEFORENET-only LKM is not so bad. IPfilter is one too. :)

>   | I've tried the REQUIRE line from the ipfilter script in the pf script but it
>   | still gets ordered too late. Do you have a suggestion?
> 
> That's because rc.d/network REQUIREs ipfilter.
> You could try
> 	BEFORE: network
> in rc.d/pf.
> 

Ah, that helps. The ordering is now lkm1, pf, veriexec, ipsec, ipfilter, etc.

I've attached the diff with changes to the pf script, please review. I've
not yet tested if it works with the LKM, will do that later.

-- 
Peter Postma


Index: pf
===================================================================
RCS file: /cvsroot/src/etc/rc.d/pf,v
retrieving revision 1.4
diff -u -u -r1.4 pf
--- pf	7 Aug 2005 01:03:39 -0000	1.4
+++ pf	8 Aug 2005 00:42:05 -0000
@@ -4,19 +4,37 @@
 #
 
 # PROVIDE: pf
-# REQUIRE: NETWORKING
-# BEFORE: SERVERS
+# REQUIRE: root beforenetlkm mountcritlocal tty
+# BEFORE: network
 
 $_rc_subr_loaded . /etc/rc.subr
 
 name="pf"
 rcvar=$name
+start_precmd="pf_prestart"
 start_cmd="pf_start"
 stop_cmd="pf_stop"
 reload_cmd="pf_reload"
 status_cmd="pf_status"
 extra_commands="reload status"
 
+pf_prestart()
+{
+	if [ ! -f ${pf_rules} ]; then
+		warn "${pf_rules} not readable; pf start aborted."
+
+		# If booting directly to multiuser, send SIGTERM to
+		# the parent (/etc/rc) to abort the boot
+		if [ "$autoboot" = yes ]; then
+			echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
+			kill -TERM $$
+			exit 1
+		fi
+		return 1
+	fi
+	return 0
+}
+
 pf_start()
 {
 	echo "Enabling pf firewall."
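
Review bot: In pf_prestart, the test `[ ! -f ${pf_rules} ]` does not match its own warning and is skipped when the variable is empty. `-f` only checks that a regular file exists, while the message says "not readable"; and because `${pf_rules}` is unquoted, an unset or empty value collapses the test to `[ ! -f ]`, which evaluates false, so the function returns 0 and the fail-closed boot abort never fires. Suggest `if [ ! -r "${pf_rules}" ]; then`. A short comment above the new `REQUIRE:`/`BEFORE: network` header lines saying that they exist to load the rules before interfaces are configured would also help keep the header from being changed back to `REQUIRE: NETWORKING`.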

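
The effect of the REQUIRE/BEFORE change discussed in this thread can be checked offline. The following is an added Python example, not part of the original message and not NetBSD's rcorder: it resolves PROVIDE/REQUIRE/BEFORE headers into a start order and compares the old and new pf headers. Every header in `BASE` is constructed and simplified; only the two pf header variants and "network REQUIREs ipfilter" are taken from the thread.

```python
import re
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed, simplified headers (assumption: not copied from a real /etc/rc.d).
BASE = {
    "root": "# PROVIDE: root",
    "mountcritlocal": "# PROVIDE: mountcritlocal\n# REQUIRE: root",
    "tty": "# PROVIDE: tty\n# REQUIRE: root",
    "lkm1": "# PROVIDE: beforenetlkm\n# REQUIRE: root",
    "ipfilter": "# PROVIDE: ipfilter\n# REQUIRE: root beforenetlkm mountcritlocal tty",
    "network": "# PROVIDE: network\n# REQUIRE: ipfilter",  # from the thread
    "NETWORKING": "# PROVIDE: NETWORKING\n# REQUIRE: network",
    "SERVERS": "# PROVIDE: SERVERS\n# REQUIRE: NETWORKING",
}
# The two pf header variants shown in the diff (revision 1.4 vs. the proposal).
PF_OLD = "# PROVIDE: pf\n# REQUIRE: NETWORKING\n# BEFORE: SERVERS"
PF_NEW = "# PROVIDE: pf\n# REQUIRE: root beforenetlkm mountcritlocal tty\n# BEFORE: network"

def parse(text):
    """Collect the PROVIDE/REQUIRE/BEFORE keywords from header comments."""
    tags = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    pattern = r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$"
    for key, vals in re.findall(pattern, text, re.M):
        tags[key] += vals.split()
    return tags

def boot_order(scripts):
    """Return script names in one valid start order (CycleError on a loop)."""
    parsed = {name: parse(text) for name, text in scripts.items()}
    provider = {p: n for n, t in parsed.items() for p in t["PROVIDE"]}
    ts = TopologicalSorter({name: set() for name in scripts})
    for name, tags in parsed.items():
        for req in tags["REQUIRE"]:      # name starts after what it requires
            if req in provider:
                ts.add(name, provider[req])
        for bef in tags["BEFORE"]:       # name starts before the listed target
            if bef in provider:
                ts.add(provider[bef], name)
    return list(ts.static_order())

def starts_before(scripts, first, second):
    """True if `first` is started earlier than `second`."""
    order = boot_order(scripts)
    return order.index(first) < order.index(second)

if __name__ == "__main__":
    for label, pf in (("old", PF_OLD), ("new", PF_NEW)):
        print(label, boot_order({**BASE, "pf": pf}))
```

With the old header, pf is only guaranteed to start after `network`, so interfaces are configured before any rules load; with the new header, pf is forced ahead of `network` and after the LKM loader.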