Automatically create and destroy cloning interfaces and sync IP Filter

immediately afterwards before bringing the interface up. This avoids a small security gap existing in the previous scheme where IP Filter was synced after all cloning interfaces were created and brought up.
2002-10-05 05:24:40 +00:00 · 2002-10-05 05:24:40 +00:00 · 6e40068171
parent cb48eb573f
commit 6e40068171
2 changed files with 22 additions and 15 deletions
--- a/etc/rc.d/network
+++ b/etc/rc.d/network
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: network,v 1.38 2002/05/04 13:53:02 tron Exp $
+# $NetBSD: network,v 1.39 2002/10/05 05:24:40 tron Exp $
 #

 # PROVIDE: network
@ -185,6 +185,13 @@ network_start()
 		echo -n 'Configuring network interfaces:'
 		for int in $tmp; do
 			eval args=\$ifconfig_$int
+			if [ -n "$args" ] || [ -f /etc/ifconfig.$int ]; then
+				if ifconfig $int create 2>/dev/null && \
+				   checkyesno ipfilter; then
+					# resync ipf(4)
+					ipf -y >/dev/null
+				fi
+			fi
 			if [ -n "$args" ]; then
 				echo -n " $int"
 				ifconfig $int $args
@ -193,7 +200,7 @@ network_start()
 				while read args; do
 					[ -z "$args" ] && continue
 					case "$args" in
-					"#"*)
+					"#"*|create)
 						;;
 					"!"*)
 						eval ${args#*!}
@ -308,11 +315,6 @@ network_start()
 		fi
 	fi

-	# resync ipf(4)
-	if checkyesno ipfilter; then
-		/sbin/ipf -y
-	fi
-
 	# XXX this must die
 	if [ -s /etc/netstart.local ]; then
 		sh /etc/netstart.local start
@ -360,6 +362,11 @@ network_stop()
 			if [ -n "$args" ] || [ -f /etc/ifconfig.$int ]; then
 				echo -n " $int"
 				ifconfig $int down
+				if ifconfig $int destroy 2>/dev/null && \
+				   checkyesno ipfilter; then
+					# resync ipf(4)
+					ipf -y >/dev/null
+				fi
 			fi
 		done
 		echo "."
@ -369,12 +376,7 @@ network_stop()
 	#
 	route -n flush

-	# resync ipf(4)
-	if checkyesno ipfilter; then
-		/sbin/ipf -y
-	fi
-
 }

-load_rc_config $name
+load_rc_config $name ipfilter
 run_rc_command "$1"
--- a/share/man/man5/ifconfig.if.5
+++ b/share/man/man5/ifconfig.if.5
@ -1,4 +1,4 @@
-.\"	$NetBSD: ifconfig.if.5,v 1.5 2001/12/14 15:12:39 wiz Exp $
+.\"	$NetBSD: ifconfig.if.5,v 1.6 2002/10/05 05:24:41 tron Exp $
 .\"
 .\" Copyright (c) 1996 Matthew R. Green
 .\" All rights reserved.
@ -91,12 +91,17 @@ up
 The following example is for dynamically-created pseudo interfaces like
 .Xr gif 4 :
 .Bd -literal -offset indent
-create
 up
 # configure IPv6 default route toward the interface
 !route add -inet6 default ::1
 !route change -inet6 default -ifp $int
 .Ed
+.Pp
+Earlier versions of
+.Pa /etc/rc.d/network
+required an explicit
+.Sq create
+command for such interfaces. This is now handled automatically.
 .Sh FILES
 .Pa /etc/rc.d/network
 .Sh SEE ALSO