rc: fix ipfw script after moving rc scripts around
Needs Review, Public

Authored by kevans on May 27 2025, 10:26 PM.

Details

Reviewers
ivy
brooks
imp
Summary

The ipfw script requires the ppp script that's provided by another
package, so the firewall ends up failing closed at the moment as the
script runs too early (before interfaces are up) when it's missing. We
need a formal requirement on netif to prevent it, instead of relying
on a transitive dependency via another optional component.

Fixes: f91d251b399af ("rc.d: move some rc scripts to their packages")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 64480
Build 61364: arc lint + arc unit

Event Timeline

kevans created this revision.

The non-pkgbase breakage is that WITHOUT_PPP will no longer install the rc script and have the same problem. Also, the original commit is missing tools/build/mk/OptionalObsoleteFiles.inc entries for those that moved out of CONFS that weren't already in conditional blocks (e.g., ctld, natd (MK_IPFW), the pf* ones, ppp).

for pkgbase we probably need a way to indicate an optional dependency, or we're almost certainly going to run into more of these. this looks fine for now, though.

do you know why this dependency exists to begin with? i assume it's to make sure ppp's tun interface exists before ipfw loads?

This revision is now accepted and ready to land.
May 27 2025, 11:11 PM
In D50557#1154149, @ivy wrote:

> for pkgbase we probably need a way to indicate an optional dependency, or we're almost certainly going to run into more of these. this looks fine for now, though.

Probably we need an AFTER keyword for rcorder(8) to express things properly.

> do you know why this dependency exists to begin with? i assume it's to make sure ppp's tun interface exists before ipfw loads?

Your guess is better than mine; that does make sense, though, as we presumably want all possible interfaces available before we start processing firewall rules.

I noticed that other things that require ppp also require netif (bridge, routing, NETWORKING). I wonder if they should also switch to this pattern.

Switch it up after discussion on IRC, make ipfw depend on both netif and ppp

This revision now requires review to proceed.
May 28 2025, 12:06 AM
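
A check for the failure mode discussed in this review, as an added example that is not part of the revision or of FreeBSD's rc code: it lists every `# REQUIRE:` entry that no script in the given rc.d directories provides, which is the state ipfw was in when the package shipping ppp was absent. The function names and the sample script headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: report rc.d "# REQUIRE:" names that nothing PROVIDEs.
# A requirement with no provider cannot constrain ordering, so a script
# that relied on it may run earlier than intended.

# dangling_requires DIR...
# Prints "script: name" for each required name with no "# PROVIDE:" line
# in any regular file of the listed directories.
dangling_requires() {
    ndirs=$#
    # Append every regular file to the positional parameters, then drop
    # the directory arguments so only the file list remains.
    for d in "$@"; do
        for f in "$d"/*; do
            if [ -f "$f" ]; then set -- "$@" "$f"; fi
        done
    done
    shift "$ndirs"
    [ $# -gt 0 ] || return 0
    # awk reads the file list twice: pass 1 collects providers,
    # pass 2 checks each requirement against them.
    awk '
        FNR == 1 { n = split(FILENAME, p, "/"); name = p[n] }
        pass == 1 && /^# PROVIDES?:/ {
            for (i = 3; i <= NF; i++) provided[$i] = 1
        }
        pass == 2 && /^# REQUIRES?:/ {
            for (i = 3; i <= NF; i++)
                if (!($i in provided)) print name ": " $i
        }
    ' pass=1 "$@" pass=2 "$@"
}

# make_sample DIR
# Constructed headers (not copied from the tree): ipfw requires only ppp,
# and no script in DIR provides ppp.
make_sample() {
    printf '%s\n' '#!/bin/sh' '# PROVIDE: netif' > "$1/netif"
    printf '%s\n' '#!/bin/sh' '# PROVIDE: ipfw' '# REQUIRE: ppp' > "$1/ipfw"
}

# Demo on the constructed sample; prints "ipfw: ppp".
tmp=$(mktemp -d)
make_sample "$tmp"
dangling_requires "$tmp"
rm -rf "$tmp"
```

On an installed system the function would be pointed at every directory the boot-time ordering reads, for example `dangling_requires /etc/rc.d /usr/local/etc/rc.d`.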