rc.d/ipfilter: ipfilter must be enabled for options to take

ipfilter options are erased and reset to default when ipfilter is
disabled. This results in nullifying options from rc.conf that were
prev

rc.d/ipfilter: ipfilter must be enabled for options to take

ipfilter options are erased and reset to default when ipfilter is
disabled. This results in nullifying options from rc.conf that were
previously set.

8d6feaaaa26f, which added this code, was incorrect as it was for a bug in
ipfilter 4.2.28 and no longer applies to ipfilter 5.1.2.

Fixes: 8d6feaaaa26f
MFC after: 1 day

show more ...

rc.d/{ipfilter,ippool}: Fix typo in variable name

MFC after: 1 day

ipfilter: Set ipf -T optionlist at boot

There is no easy way to set ipfilter optionlist variables during boot.
Add plumbing to the rc script to support this.

PR: 130555
Reviewed by: jlduran
MFC

ipfilter: Set ipf -T optionlist at boot

There is no easy way to set ipfilter optionlist variables during boot.
Add plumbing to the rc script to support this.

PR: 130555
Reviewed by: jlduran
MFC 1 week
Differential Revision: https://reviews.freebsd.org/D47346

show more ...

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
servic

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I'm running this
since more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371

show more ...

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/

Remove the redundant ipfilter IPv6 rc rules load.

As of ipfilter 5.1.2 the IPv4 and IPv6 rules tables have been merged.
The ipf(8) -6 option has been a NOP since then. Currently the additional
ipf -

Remove the redundant ipfilter IPv6 rc rules load.

As of ipfilter 5.1.2 the IPv4 and IPv6 rules tables have been merged.
The ipf(8) -6 option has been a NOP since then. Currently the additional
ipf -6 load statement in rc.d/ipfilter simply added the second ipfilter
rules file to the table already populated by the previous ipf command.
Plenty of time has passed since ipfilter 5.1.2 was imported. It is time to
remove the option from rc.conf and the rc script.

Differential Revision: https://reviews.freebsd.org/D28615

show more ...

When booting a system with WITHOUT_IPFILTER the following errors
are encountered at boot time:

rcorder: requirement `ipfs' in file `/etc/rc.d/netif' has no providers.
rcorder: requirement `ipfilter'

When booting a system with WITHOUT_IPFILTER the following errors
are encountered at boot time:

rcorder: requirement `ipfs' in file `/etc/rc.d/netif' has no providers.
rcorder: requirement `ipfilter' in file `/etc/rc.d/netif' has no
providers.
rcorder: requirement `ipfilter' in file `/etc/rc.d/netwait' has no
providers.
rcorder: requirement `ipfilter' in file `/etc/rc.d/net_watchdog' has no
providers.
rcorder: requirement `ipfilter' in file `/etc/rc.d/securelevel' has no
providers.

Listing its own requrements in BEFORE rather than use REQUIRE of
non-optional scripts resolves this issue.

The issue was discovered and patched by glebius at Netflix.

Submitted by: glebius
Reported by: glebius
MFC after: 1 week

show more ...

Load ipfilter, ipnat, and ippool rules, and start ipmon in a vnet jail.

PR: 248109
Reported by: joeb1@a1poweruser.com
MFC after: 2 weeks

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update bec

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.

Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)

show more ...

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision:

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466

show more ...

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueff

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452

show more ...

ipfilter 5.1.2 (vs 4.1.28 in previous releases of FreeBSD) stores IPv4
and IPv6 rules in a single table. ipf -6 -Fa will flush the whole table,
including IPv4 rules. This patch removes the redundant

ipfilter 5.1.2 (vs 4.1.28 in previous releases of FreeBSD) stores IPv4
and IPv6 rules in a single table. ipf -6 -Fa will flush the whole table,
including IPv4 rules. This patch removes the redundant ipf -I -6 -Fa
statement.

PR: 188318
MFC after: 2 weeks

show more ...

ipfilter 5.1.2 no longer supports sysctl. Use ipf -V to determine if
available (the kernel module is loaded or compiled into the kernel).

Approved by: glebius (mentor)
Approved by: re (blanket)

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.

During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.

show more ...

Remove redundant keywords.

Submitted by: wxs

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.

Remove $NetBSD$ CVS tags. We no longer attempt to synch our rc.d files
with theirs, so this information doesn't need to be in the live file.
Having it in our CVS history is enough.

FILESYSTEMS requires root, so requiring both of them is redundant.

Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to r

Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.

This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.

MFC after: 3 weeks

show more ...

Use $required_modules wherever suitable. Use load_kld() in special
cases. So we get rid of quite a few lines of duplicated code.

Ensure that the load of rules into the alternate ruleset worked before
loading them into the live one too.

PR: conf/97311
Submitted by: David Bushong
Reviewed by: silence on rc@
Approved by: ru (me

Ensure that the load of rules into the alternate ruleset worked before
loading them into the live one too.

PR: conf/97311
Submitted by: David Bushong
Reviewed by: silence on rc@
Approved by: ru (mentor)
MFC after: 10 days

show more ...

`net.inet.ipf.fr_running' can be a negative value, which was introduced by
recent ipfilter import.

Approved by: re (scottl), anholt (mentor)

Unbreak the ipfilter_loaded function. There doesn't seem to be a way
for kldstat to ever print "IP Filter" (the module is called "ipfilter"
and modules don't have anything like a description), so thi

Unbreak the ipfilter_loaded function. There doesn't seem to be a way
for kldstat to ever print "IP Filter" (the module is called "ipfilter"
and modules don't have anything like a description), so this function
would always return false. That would cause prestart to attempt to
load the module even if it's already loaded, which would fail and
prevent the rules from being loaded.

Approved by: re (dwhite)

show more ...

Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days

apply patch so pr can be closed

PR: misc/56715
Submitted by: grant@NetBSD.org
Reviewed by: darrenr