That's actually how I interpreted the man page too (the way you did), but rc.conf says the inverse, and my testing corresponds to this as well...

    ipfilter_flags=""   # should be *empty* when ipf is _not_ a module
                        # (i.e. compiled into the kernel) to
                        # avoid a warning about "already initialized"

I agree there's no easy solution with the rc.d start/stop functionality. I'll let the list know if I come up with an alternate method.

--
Mike Bohan <bogin_at_shortcircut.org>

On Mon, 2003-06-16 at 22:39, Mike Makonnen wrote:
> On 16 Jun 2003 21:35:44 -0400
> Mike Bohan <bogin_at_shortcircut.org> wrote:
>
> > Hello there,
> >
> > I recently ran into a slight issue with ipfilter running on 5.1-RELEASE. My machine serves the simple purpose as a NAT gateway, so ipfilter is always going to be necessary on it. Due to this fact, I decided to include options IPFILTER in the kernel config, instead of dynamically loading the ipl.ko module. However, when ipfilter is used in the kernel image, it's automatically initialized (and thus does not need the -E flag).
>
> hmm... I thought it was the other way around (it's not effective when loaded as a module), but I may have misunderstood the man page.
>
> > This has been noted in rc.conf for some time, and I of course removed the -E from the ipfilter_flags variable in that file. However, after booting my kernel with the IPFILTER options, I noticed warnings in my kernel logs that "ipfilter has already been initialized", which is consistent with using flag -E when ipf is already initialized. After some brief analysis, I discovered that /etc/rc.d/ipfilter actually uses -E in the shell script function, ipfilter_start(). After removing the two instances of the -E and rebooting, the warning messages disappeared at boot time. Is this a known glitch in the hopes that people start solely using the ipl kernel module?
> > It's really not a big deal either way, but I was more just curious than anything in which direction it's going. Thanks in advance!
> >
>
> I believe it's harmless, and while not aesthetically pleasing, it's a necessary work-around. The stop command to rc.d/ipfilter uses -D to disable ipfilter, so it's necessary to use -E with the start command because there's no way to know how/when/why/in-what-environment it's being called. If I'm wrong or you have a better alternative to this please let me know.
>
> Cheers.
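As an added example (not code from this thread or from FreeBSD's own /etc/rc.d/ipfilter), here is a small POSIX sh fragment applying the rc.conf rule quoted above: -E is added on start only when ipfilter is present as a loaded module, and stop always uses -D. The kldstat module name "ipfilter", the IPFILTER_IS_MODULE override and the rules path are assumptions so the fragment can be exercised off a FreeBSD box.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.d script. Builds the ipf(8) command
# lines for "start" and "stop" according to how ipfilter is present.

ipfilter_rules="/etc/ipf.rules"   # assumed rules file
ipfilter_flags=""                 # extra user flags from rc.conf (assumed empty)

# Returns 0 when ipfilter was loaded as a module (ipl.ko), 1 when it is
# compiled into the kernel. kldstat -q -m <name> and the module name
# "ipfilter" are assumptions; IPFILTER_IS_MODULE=yes|no forces the answer
# so the logic can be checked on a non-FreeBSD host.
ipfilter_is_module() {
    case "${IPFILTER_IS_MODULE:-}" in
        yes) return 0 ;;
        no)  return 1 ;;
    esac
    kldstat -q -m ipfilter 2>/dev/null
}

# Print (do not run) the command for "start". -E only enables a module;
# on a kernel with options IPFILTER it triggers the "already initialized"
# warning the thread describes, so it is left out in that case.
ipfilter_start_cmd() {
    if ipfilter_is_module; then
        printf 'ipf -E %s-Fa -f %s\n' "${ipfilter_flags:+$ipfilter_flags }" "$ipfilter_rules"
    else
        printf 'ipf %s-Fa -f %s\n' "${ipfilter_flags:+$ipfilter_flags }" "$ipfilter_rules"
    fi
}

# "stop" always disables with -D, as the reply above notes.
ipfilter_stop_cmd() {
    printf 'ipf -D\n'
}
```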
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:12 UTC