default to accept on GENERIC kernel

In my custom kernel with IPFIREWALL_DEFAULT_TO_ACCEPT, I see the OID
(net.inet.ip.fw.default_to_accept), which is present in the system, and I can control it through loader.conf.

But ipfw.ko from the GENERIC kernel does not produce this OID, so booting the machine on the GENERIC kernel with the firewall and "65535 pass ip from any to any" is not possible.

In /usr/src/sys/netinet/ipfw/ip_fw2.c

I see:

Code:
#ifdef SYSCTL_NODE
...
SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN,
    &default_to_accept, 0, "Make the default rule accept all packets.");
TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept);
#endif /* SYSCTL_NODE */


What is SYSCTL_NODE, and why is net.inet.ip.fw.default_to_accept not produced in ipfw.ko without IPFIREWALL_DEFAULT_TO_ACCEPT?
 
Do you have [cmd=]sysctl net.inet.ip.fw.default_to_accept[/cmd]? It looks like a tunable sysctl.
 
DutchDaemon said:
Do you have [cmd=]sysctl net.inet.ip.fw.default_to_accept[/cmd]? It looks like a tunable sysctl.

Yes, I can manipulate this parameter through /boot/loader.conf when I have a custom kernel with the DEFAULT_TO_ACCEPT option.

But my problem is that this OID is not produced by the default (GENERIC) ipfw.ko (which is built without IPFIREWALL_DEFAULT_TO_ACCEPT).

IMHO, this OID should be present in both ipfw.ko builds (with/without IPFIREWALL_DEFAULT_TO_ACCEPT) so that it can be tuned during boot.

7.2-RELEASE-p2 amd64/i386:
strings /boot/GENERIC/ipfw.ko | grep default_to_accept

(nothing)

This makes it impossible to boot the GENERIC kernel with rule 65535 as pass ip from any to any.
 
Perhaps you need to specify it via sysctl.conf instead?
Are you really sure that net.inet.ip.fw does not exist with ipfw.ko loaded?
 
I'm not sure about the answer to your question, but you may want to work-around it with firewall_type="open".
 
Yes, but it does not save me when I do an ipfw flush on a remote machine without KVM/iLO (yes, I know the "pseudo"-safe method for reloading firewall rules... that is another question).
I only wished to clarify whether the absence of the OID without the corresponding IPFIREWALL_DEFAULT_TO_ACCEPT option is an error in the code or a feature. If the second, then presence in one case and absence in the other is senseless enough. Thanks ;)
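The "pseudo"-safe remote reload the last post alludes to, written out as an added example that is not part of this thread and not FreeBSD's own rc.firewall: load the new rule set, arm a background watchdog that re-opens the firewall after a timeout, and cancel the watchdog from a fresh login only once you have confirmed you can still get in. It assumes /sbin/ipfw (overridable through IPFW so the control flow can be exercised without a FreeBSD kernel), a rules file in ipfw(8) command syntax, and a catch-all at rule 65000 (the number rc.firewall's "open" type uses) rather than 65535, which is the kernel's own default rule and is not added from userland. All paths, names and the timeout are assumptions of the example.

```shell
#!/bin/sh
# Added example: reload ipfw rules over SSH with a rollback watchdog.
# Not from the thread; IPFW/RULES/TIMEOUT/PIDFILE are assumed defaults.
#
#   ipfw-safe-reload.sh apply     # load rules, start the rollback timer
#   ipfw-safe-reload.sh confirm   # from a new session: keep the rules
#   ipfw-safe-reload.sh open      # manually re-open the firewall

IPFW="${IPFW:-/sbin/ipfw}"                       # real binary on FreeBSD
RULES="${RULES:-/etc/ipfw.rules}"                # file of ipfw(8) commands
TIMEOUT="${TIMEOUT:-60}"                         # seconds until rollback
PIDFILE="${PIDFILE:-/var/run/ipfw-safe-reload.pid}"

# Flush everything and fall back to "pass everything": the same state a
# kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT gives you at boot.
open_firewall() {
    "$IPFW" -q flush
    "$IPFW" -q add 65000 allow ip from any to any
}

# Load the new rule set, then start a detached timer that re-opens the
# firewall unless confirm_rules() runs (and kills it) before it fires.
apply_with_watchdog() {
    "$IPFW" -q flush
    "$IPFW" -q "$RULES"
    (
        sleep "$TIMEOUT"
        open_firewall          # only reached if nobody confirmed in time
    ) &
    echo $! > "$PIDFILE"
}

# Called from a new login: if we got this far, the rules did not lock us
# out, so kill the watchdog subshell. Returns 1 if no watchdog was armed.
confirm_rules() {
    [ -f "$PIDFILE" ] || return 1
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
    return 0
}

case "${1:-}" in
    apply)   apply_with_watchdog ;;
    confirm) confirm_rules ;;
    open)    open_firewall ;;
    "")      ;;                # sourced: just define the functions
    *)       echo "usage: $0 apply|confirm|open" >&2; exit 2 ;;
esac
```

Run `apply` in one SSH session, open a second session, and run `confirm` there; if the second login never gets through, the timer flushes the rules and installs the allow-all rule on its own. Killing the subshell rather than the sleep is deliberate: the orphaned sleep exits harmlessly, while the rollback command that followed it never runs.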
 