[patch] move ipfw logging to after syslogd

From: Ian FREISLICH <ianf_at_clue.co.za>
Date: Wed, 11 Apr 2007 15:49:59 +0200
Hi

We have a problem that on our busy firewalls, a boot and shutdown
can be delayed by up to 20 minutes by the kernel printing log
messages for denied packets to the console.  The problem is that
most kernel activity appears to be suspended by outputting ipfw
logged messages via the serial console (but not even the video
console keeps up).  The kernel doesn't even respond to a serial
break.

Once syslogd starts it captures the log messages and the boot
continues at its normal pace.

I've a patch which moves the 'firewall_logging="YES"' processing
to another script that depends on syslogd and is run on shutdown.

If an rc guru can check that I've got the BEFORE condition right
in the new script and then commit this fix I'd appreciate it.

Ian

--
Ian Freislich


Index: rc.d/Makefile
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/Makefile,v
retrieving revision 1.81
diff -u -d -r1.81 Makefile
--- rc.d/Makefile	9 Apr 2007 19:21:27 -0000	1.81
+++ rc.d/Makefile	11 Apr 2007 12:43:56 -0000
_at__at_ -16,7 +16,7 _at__at_
 	hcsecd \
 	hostapd hostid hostname \
 	idmapd inetd initrandom \
-	ip6addrctl ip6fw ipfilter ipfs ipfw ipmon \
+	ip6addrctl ip6fw ipfilter ipfs ipfw ipfw_logging ipmon \
 	ipnat ipsec ipxrouted isdnd \
 	jail \
 	kadmind kerberos kernel keyserv kldxref kpasswdd \
Index: rc.d/ipfw
===================================================================
RCS file: /home/ncvs/src/etc/rc.d/ipfw,v
retrieving revision 1.15
diff -u -d -r1.15 ipfw
--- rc.d/ipfw	2 Apr 2007 15:38:53 -0000	1.15
+++ rc.d/ipfw	11 Apr 2007 13:41:23 -0000
_at__at_ -1,6 +1,6 _at__at_
 #!/bin/sh
 #
-# $FreeBSD: src/etc/rc.d/ipfw,v 1.15 2007/04/02 15:38:53 mtm Exp $
+# $FreeBSD: src/etc/rc.d/ipfw,v 1.14 2006/12/31 10:37:18 yar Exp $
 #
 
 # PROVIDE: ipfw
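Review bot: The `$FreeBSD$` line in this hunk goes backwards from revision 1.15 to 1.14, which a committer will not want applied; it suggests the diff was produced against a working copy older than the 1.15 named in the `---` header. Drop this hunk before committing and leave the keyword for CVS to expand, and re-check the remaining rc.d/ipfw hunk against 1.15 for the same reason.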
_at__at_ -22,11 +22,17 _at__at_
 	# set the firewall rules script if none was specified
 	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
 
+	# Make sure that logging is disabled.  On a firewall with
+	# a busy ethernet, the console messages are sufficient to
+	# delay the boot process for a long time if logging is enabled
+	# before syslogd.  Logging is enabled elsewhere.
+	sysctl net.inet.ip.fw.verbose=0 >/dev/null
+
 	if [ -r "${firewall_script}" ]; then
 		if [ -f /etc/rc.d/natd ] ; then
 			/etc/rc.d/natd start
 		fi
-		/bin/sh "${firewall_script}"
+		. "${firewall_script}"
 		echo 'Firewall rules loaded.'
 	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
 		echo 'Warning: kernel has firewall functionality, but' \
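Review bot: The switch from `/bin/sh "${firewall_script}"` to `. "${firewall_script}"` is unrelated to moving the logging and changes behaviour: the rules script now runs in rc.d/ipfw's own shell, so an `exit` or a variable assignment inside it affects the rc script itself. Together with the `$FreeBSD$` line dropping back to 1.14 in the previous hunk this looks like an inadvertent undo of revision 1.15 rather than an intended change, so I would keep the `/bin/sh` invocation. The new `sysctl net.inet.ip.fw.verbose=0 >/dev/null` should use `${SYSCTL_W}` like the `net.inet.ip.fw.enable=1` line later in this function, and its comment should spell out the trade-off that denied packets between this point and the start of ipfw_logging are not recorded anywhere, whereas before they at least went to the console, e.g. `# NOTE: packets denied before ipfw_logging runs are not logged at all.`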
_at__at_ -34,13 +40,6 _at__at_
 		echo '           All ip services are disabled.'
 	fi
 
-	# Firewall logging
-	#
-	if checkyesno firewall_logging; then
-		echo 'Firewall logging enabled.'
-		sysctl net.inet.ip.fw.verbose=1 >/dev/null
-	fi
-
 	# Enable the firewall
 	#
 	${SYSCTL_W} net.inet.ip.fw.enable=1
Index: rc.d/ipfw_logging
===================================================================
RCS file: rc.d/ipfw_logging
diff -N rc.d/ipfw_logging
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ rc.d/ipfw_logging	11 Apr 2007 13:41:23 -0000
_at__at_ -0,0 +1,37 _at__at_
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfw_logging
+# REQUIRE: syslogd
+# BEFORE: NETWORKING
+# KEYWORD: nojail shutdown
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="ipfw_logging"
+rcvar="firewall_enable"
+start_cmd="ipfw_logging_start"
+stop_cmd="ipfw_logging_stop"
+required_modules="ipfw"
+
+ipfw_logging_start()
+{
+	if checkyesno firewall_logging; then
+		echo 'Firewall logging enabled.'
+		sysctl net.inet.ip.fw.verbose=1 >/dev/null
+	fi
+}
+
+ipfw_logging_stop()
+{
+	if checkyesno firewall_logging; then
+		echo 'Firewall logging disabled.'
+		sysctl net.inet.ip.fw.verbose=0 >/dev/null
+	fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
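Review bot: `# BEFORE: NETWORKING` on the new script combined with `# REQUIRE: syslogd` looks circular: if I recall the rc.d graph of this period correctly, syslogd REQUIREs mountcritremote, which in turn REQUIREs NETWORKING, so rcorder would report a cycle and leave this script out of the ordering. Since rc.d/ipfw already runs before NETWORKING and this script only flips the verbose sysctl, the BEFORE line can be removed; `# REQUIRE: syslogd` alone places it after syslogd wherever that lands, which is what the patch needs. Two smaller points: `. /etc/network.subr` is sourced but nothing in the file uses it, and the `sysctl net.inet.ip.fw.verbose=...` calls in both functions could use `${SYSCTL_W}` for consistency with rc.d/ipfw.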