NetBSD Problem Report #42119

From Wolfgang.Stukenbrock@nagler-company.com  Thu Sep 24 08:12:07 2009
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 4C02F63B850
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 24 Sep 2009 08:12:07 +0000 (UTC)
Message-Id: <20090924081203.179014EA9FE@s012.nagler-company.com>
Date: Thu, 24 Sep 2009 10:12:03 +0200 (CEST)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: ippool startup script missing
X-Send-Pr-Version: 3.95

>Number:         42119
>Category:       security
>Synopsis:       ippool startup script missing
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    security-officer
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 24 08:15:00 +0000 2009
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 4.0
>Organization:
Dr. Nagler & Company GmbH

>Environment:


System: NetBSD s012 4.0 NetBSD 4.0 (NSW-S012) #9: Fri Mar 13 12:31:52 CET 2009 wgstuken@s012:/usr/src/sys/arch/amd64/compile/NSW-S012 amd64
Architecture: x86_64
Machine: amd64
>Description:
	The ippool mechanism is a way to define sets of addresses for e.g. filter rules for ipf(8).
	In order to use it, it is necessary to load the pools prior to loading the filter rules during
	system boot.
	Now there are two things that must be changed in order to make ippool usable in system configuration.
	1. move the ippool program from /usr/sbin to /sbin because /usr is not available at the time the
	   program is needed.
	2. enhance the ipfilter startup script to support ippool startup too.

	It makes no sense to introduce a new startup script for ippool, because at least the setup of
	pools for filter rules is tied very closely to the ipfilter startup.
	e.g. "ipf -E" must be run before pools can be loaded.
	Normally pools and filter rules must be reloaded at the same time.

	There is still a problem with ippool in the current implementation, because ippool has no active and inactive set
	of pool data. So there is a problem when reloading the rules: the new pools must be loaded before the
	new filter rules can be loaded into the inactive set, but for that the old pools must be destroyed - this
	breaks the running configuration while the reload is in progress.
	The startup script enhancement below saves the old pool setup and tries to restore it if loading the new
	rules during a reload operation fails for any reason.
	This is only a workaround that should be removed when ippool gets active/inactive sets in the kernel - at least
	for the filter part.
>How-To-Repeat:
	Try to use ippool in system config. You will not be able to boot the system in the correct way anymore.
>Fix:
	The following three files need changes:

	1. /usr/src/distrib/sets/lists/base/mi - move the ippool program from /usr/sbin to /sbin.

--- mi	2009/03/17 13:50:26	1.4
+++ mi	2009/09/22 08:00:09
@@ -153,6 +153,7 @@
 ./sbin/ifconfig					base-netutil-root
 ./sbin/init					base-sysutil-root
 ./sbin/ipf					base-ipf-root		ipfilter
+./sbin/ippool					base-ipf-root		ipfilter
 ./sbin/ipppctl					base-netutil-root
 ./sbin/ispppcontrol				base-obsolete		obsolete
 ./sbin/lmcctl					base-obsolete		obsolete
@@ -1072,7 +1073,6 @@
 ./usr/sbin/ipftest				base-ipf-bin		ipfilter
 ./usr/sbin/ipmon				base-ipf-bin		ipfilter
 ./usr/sbin/ipnat				base-ipf-bin		ipfilter
-./usr/sbin/ippool				base-ipf-root		ipfilter
 ./usr/sbin/ipresend				base-ipf-bin		ipfilter
 ./usr/sbin/ipsend				base-ipf-bin		ipfilter
 ./usr/sbin/iptest				base-ipf-bin		ipfilter
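Review bot: Dropping the `./usr/sbin/ippool` line leaves the old dynamically linked binary in place on systems that are upgraded rather than freshly installed, and it will still be found first by anyone with /usr/sbin ahead of /sbin in PATH. The set lists mark relocated files as obsolete so that the upgrade tooling removes them, as the `base-obsolete obsolete` entries for ./sbin/ispppcontrol and ./sbin/lmcctl in the first hunk show. Replace the deletion with `./usr/sbin/ippool				base-obsolete		obsolete` so the stale copy is cleaned up.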


	2. /usr/src/usr.sbin/ipf/ippool/Makefile - move the ippool program from /usr/sbin to /sbin - just like for the ipf program ..

--- Makefile	2009/09/22 07:49:10	1.1
+++ Makefile	2009/09/22 07:53:00
@@ -1,5 +1,7 @@
 #	$NetBSD: Makefile,v 1.8 2004/04/04 15:59:44 mrg Exp $

+.include <bsd.own.mk>           # for MKDYNAMICROOT definition
+
 PROG=		ippool
 SRCS=		ippool_y.c ippool_l.c kmem.c ippool.c
 MAN=		ippool.5 ippool.8
@@ -33,4 +35,9 @@
 	sed -e 's/yy/ippool_yy/g' \
 	    ${.ALLSRC} > ${.TARGET}

+BINDIR=         /sbin
+.if (${MKDYNAMICROOT} == "no")
+LDSTATIC?=      -static
+.endif
+
 .include <bsd.prog.mk>


	3. enhance the ipfilter startup script /usr/src/etc/rc.d/ipfilter
	   introduce a new variable "ippool" - this version of the script accepts a missing definition in /etc/defaults/rc.conf

--- ipfilter	2009/09/22 08:05:37	1.1
+++ ipfilter	2009/09/22 08:50:45
@@ -37,6 +37,15 @@
 		fi
 		return 1
 	fi
+	if [ ! -f /etc/ippool.conf ] && checkyesno ippool; then
+		warn "/etc/ippool.conf not readable; ipfilter/ippool start aborted."
+		if [ "$autoboot" = yes ]; then
+			echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
+			kill -TERM $$
+			exit 1
+		fi
+		return 1
+	fi
 	return 0
 }

@@ -45,6 +54,14 @@
 	echo "Enabling ipfilter."
 	/sbin/ipf -E

+	if [ -f /etc/ippool.conf ] && checkyesno ippool ; then
+		echo "Loading ippool definitions."
+		/sbin/ippool -F
+			# Now load the config files
+			#
+		/sbin/ippool -f /etc/ippool.conf
+	fi
+													       
 		# Do the flush first; since older ipf has different semantics.
 		#
 	if [ -f /etc/ipf.conf ]; then
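Review bot: The exit status of `/sbin/ippool -f /etc/ippool.conf` in the added block is ignored, so a syntax error in the pool file at boot leaves ipfilter enabled (`ipf -E` just ran) with no pools loaded, and the rule loading that follows presumably fails on every rule that references a pool, with nothing in the boot log pointing at ippool. Given that the precheck aborts the boot when the file is missing, a failed load deserves at least a diagnostic: `/sbin/ippool -f /etc/ippool.conf || warn "loading /etc/ippool.conf failed; filter rules referencing pools will not load."`, or `err 1` if the existing ipf.conf handling in this function aborts on failure. The added blank line after the `fi` consists of trailing whitespace only and should be an empty line. ipfilter_start continues past the end of this hunk.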
@@ -66,14 +83,45 @@

 ipfilter_stop()
 {
+		# /sbin/ipf -D also flushes ippools
+		#
 	echo "Disabling ipfilter."
 	/sbin/ipf -D
 }

+reload_saved_ippool()
+{
+	/sbin/ippool -F
+	echo "$saved_ippool_rules" | /sbin/ippool -f -
+}
+
 ipfilter_reload()
 {
-	echo "Reloading ipfilter rules."
+	if [ -f /etc/ippool.conf ] && checkyesno ippool ; then
+		echo "Reloading ippool definitions."
+# attention: there is only one pool set - no active/inactive set available
+#            So we have a problem here!
+#            If reloading of the ipfilter rules into inactive set fails later
+#            then nothing should happen.
+#            But we need to setup the new pools prior loading the new filter rules into
+#            the inactive set.
+#            So we save the current pool setup in order to reactivate them
+#            if loading failes below
+#
+#            This is not 100% save, because loading the new pools while the old rules
+#            are still active, we may open a whole in the firewall for a short moment.
+#            But until pools also supports active and inactive sets, there is no way
+#            to solve this problem - sorry.
+#
+		saved_ippool_rules="`/sbin/ippool -l 2>/dev/null`"
+		/sbin/ippool -F
+		if ! /sbin/ippool -f /etc/ippool.conf; then
+			reload_saved_ippool
+			err 1 "reload of ippool.conf failed; not swapping to new ruleset."
+		fi
+	fi

+	echo "Reloading ipfilter rules."
 		# Do the flush first; since older ipf has different semantics.
 		#
 	if [ -f /etc/ipf.conf ]; then
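Review bot: `saved_ippool_rules="`/sbin/ippool -l 2>/dev/null`"` discards both the diagnostics and the exit status of `ippool -l`, so if the listing fails the variable is empty and the rollback in reload_saved_ippool runs `ippool -F` and then restores nothing, leaving the failure path with fewer pools than it started with. Check the save before flushing anything: `if ! saved_ippool_rules=$(/sbin/ippool -l); then err 1 "cannot save current ippool state; not reloading."; fi`. The rollback also assumes that `ippool -l` output is accepted verbatim by `ippool -f -`, which I cannot confirm from here and which is worth verifying once against a loaded pool set. The caveat in the comment block is the real one for a firewall: between `ippool -F` and the rule swap the still-active rules are evaluated against the new pools, so an entry added to or removed from a pool changes the effective policy before the matching rule change is in place.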
@@ -86,9 +134,11 @@
 		# Now load the config files into the Inactive set
 		#
 	if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
+		reload_saved_ippool
 		err 1 "reload of ipf.conf failed; not swapping to new ruleset."
 	fi
 	if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
+		reload_saved_ippool
 		err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
 	fi

@@ -104,8 +154,29 @@

 ipfilter_status()
 {
+	if [ -f /etc/ippool.conf ] && checkyesno ippool ; then
+		echo "Ippool status:"
+		/sbin/ippool -s
+		echo ""
+		echo "Ipfilter status:"
+	fi
 	/sbin/ipf -V
 }

 load_rc_config $name
+
+	# If "force" or "one" prefix run also ippool even if not enabled
+	#
+case "$1" in
+force*|one*)
+	ippool=YES
+	;;
+*)
+	load_rc_config_var ippool ippool
+	;;
+esac
+
+# set default to NO here - do not report missing setting in /etc/defaults/rc.conf
+if [ -z "$ippool" ]; then ippool=NO; fi
+
 run_rc_command "$1"
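Review bot: `force*|one*` sets `ippool=YES` unconditionally, so `forcereload` or `onereload` flushes and reloads the pools on a host whose administrator deliberately set `ippool=NO` (the functions still require /etc/ippool.conf to exist). This mirrors how rc.subr treats the service's own rcvar under those prefixes, but since ippool is a secondary variable the override should be stated in the rc.conf(5) entry for `ippool`, e.g. "ippool is also honoured when ipfilter is run with a force or one prefix, regardless of its setting". The defaulting at the bottom can be written in the usual rc.d idiom, `ippool=${ippool:-NO}`, instead of the `-z` test. `load_rc_config_var ippool ippool` presumably re-reads the variable already loaded by `load_rc_config $name`; if that is the case the call is redundant and can be dropped.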

>Unformatted:
