I tried to make /etc/init.d/iptables run before net is started for security reasons (see bug #27087). As suggested by Michael C. Ferguson there I changed the depend() function at the top of the script to look like this:

    depend() {
        before net
        use logger
    }

And it didn't work, it still runs after my network interfaces are started. I've run /sbin/depscan.sh by hand just to try to persuade it to do the right thing, and actually it probably does because the contents of /var/init.d/deptree look fine:

    --snip snip--
    depinfo_net() {
        export rc_name="net"
        export rc_ineed=
        export rc_needsme="dhcp exim named netmount sshd"
        export rc_iuse=
        export rc_usesme="rsyncd"
        export rc_ibefore=
        export rc_iafter="iptables"
        export rc_broken=
        export rc_parallel=
    }
    --snip snip--

Also reported by MCF over in the other bug thread is that the depend before feature does not seem to also apply in reverse at shutdown time, which it almost certainly should.

I've reported this as major because I think the Gentoo init system with its dependencies rather than damned runlevels is a major feature! Hope that's OK. Generally guys, thanks a lot and keep up the good work.

Reproducible: Always

Steps to Reproduce:
1. Cut'n'paste per above
2. Reboot
3. Watch iptables start after network interfaces are up.

Expected Results:
Start iptables before net; in general, start anything before anything else.
# emerge --info
Portage 2.0.49-r15 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.4.23_pre7-gss)
=================================================================
System uname: 2.4.23_pre7-gss i586 AMD-K6(tm) 3D processor
Gentoo Base System version 1.4.3.10
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=k6-2 -O3 -pipe -fomit-frame-pointer -falign-functions -fforce-addr"
CHOST="i586-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-march=k6-2 -O3 -pipe -fomit-frame-pointer -falign-functions -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="sandbox ccache autoaddcvs"
GENTOO_MIRRORS="http://ftp.gentoo.skynet.be/pub/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 oss apm crypt cups encode foomaticdb libg++ mad mikmod mpeg ncurses oggvorbis pdflib quicktime spell svga truetype xml2 xmms X emacs mmx 3dnow alsa gd gif jpeg tiff png avi imlib gtk kde -gnome qt motif opengl java jikes xv slang readline gpm berkdb gdbm tcpd pam libwww ssl nls arts perl python sdl usb xml zlib samba"
Below changes to /lib/rcscripts/sh/rc-services.sh should fix this: ---------------- Index: sbin/rc-services.sh =================================================================== RCS file: /home/cvsroot/gentoo-src/rc-scripts/sbin/rc-services.sh,v retrieving revision 1.12 diff -u -r1.12 rc-services.sh --- sbin/rc-services.sh 26 Oct 2003 20:10:45 -0000 1.12 +++ sbin/rc-services.sh 26 Oct 2003 21:24:56 -0000 @@ -1,7 +1,7 @@ # Copyright 1999-2003 Gentoo Technologies, Inc. # Distributed under the terms of the GNU General Public License v2 # Author: Martin Schlemmer <azarah@gentoo.org> -# $Header: /home/cvsroot/gentoo-src/rc-scripts/sbin/rc-services.sh,v 1.12 2003/10/26 20:10:45 azarah Exp $ +# $Header: /home/cvsroot/gentoo-src/rc-scripts/sbin/rc-services.sh,v 1.10 2003/08/12 14:52:51 azarah Exp $ # RC Dependency and misc service functions @@ -537,7 +537,8 @@ for x in $(iuse "$1") do if [ -e "/etc/runlevels/${BOOTLEVEL}/${x}" -o \ - -e "/etc/runlevels/${mylevel}/${x}" ] + -e "/etc/runlevels/${mylevel}/${x}" -o \ + ${x} = "net" ] then echo "${x}" fi @@ -557,7 +558,8 @@ for x in $(iafter "$1") do if [ -e "/etc/runlevels/${BOOTLEVEL}/${x}" -o \ - -e "/etc/runlevels/${mylevel}/${x}" ] + -e "/etc/runlevels/${mylevel}/${x}" -o \ + ${x} = "net" ] then echo "${x}" fi
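Review bot: the first hunk moves the $Header keyword line backwards, from revision 1.12 (2003/10/26) to 1.10 (2003/08/12), which means the diff was taken against a stale working copy rather than the 1.12 it claims to patch; drop that hunk before committing, since CVS rewrites the keyword on checkin anyway and the reverted line only adds noise to the change.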
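Review bot: in the @@ -537 hunk the added test `${x} = "net" ]` leaves `${x}` unquoted inside `[ ... ]`; if `iuse "$1"` ever yields an empty word the expression degenerates to `-o = "net" ]` and `[` fails with a syntax error, so write `"${x}" = "net"`. Note also that the new branch only matches the literal name `net`, not the net.* scripts that provide that virtual, so check that this agrees with how `net` is resolved elsewhere in rc-services.sh before relying on it to order a `before net` service against net.eth0.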
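Review bot: the @@ -557 hunk repeats the same unquoted `${x} = "net" ]` test as the hunk above (quote it as `"${x}" = "net"`), and since the two conditions are now identical it would be cleaner to factor the runlevel-or-net check into one helper that both the iuse and iafter loops call, so a future fix to the condition does not have to be applied twice.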
*** Bug 29231 has been marked as a duplicate of this bug. ***
No, I'm afraid that doesn't help. (I only just tried it today; I totally hosed my box before you posted this, and only got around to rebuilding it this weekend.) Same as before, firewall starts after eth0 etc are up. It occurred to me the problem may be partly because net.lo is already up from runlevel boot while net.eth0 and net.ppp0 aren't started in boot, only in default. I changed my iptables.init to be "before net.eth0" and the right thing happens, but naturally it would (because the rc system is mostly fabulously wonderful). Ordering was correct on shutdown too. My system is now doing the right thing but perhaps semantically for the wrong reason, so I dare say it's a pretty low priority. Is there anything I can do?
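The ordering the reporter is after (firewall before every interface, and the reverse at shutdown), as an added illustration that is not part of this bug thread and not the gentoo rc-scripts code: a small POSIX sh model of depend()-style resolution in which `net` is a virtual provided by both net.lo and net.eth0, every `before`/`need`/`after` reference to a virtual is expanded to all of its providers, and the stop order is simply the start order reversed. The service table, runlevel contents, and the depinfo_*/resolve/edges/start_order/stop_order names are all constructed for this example; the model orders the boot and default services in one pass, whereas the real init starts the boot runlevel to completion first, which is the situation the comment above describes.

```shell
#!/bin/sh
# Constructed model of rc-script dependency ordering (not the real
# /lib/rcscripts code). Services declare what they provide, need, and
# want to start before/after, in the spirit of /var/lib/init.d/deptree.

# Services taken as active, listed in runlevel order: boot first, then
# default. Constructed for this example; the real rc finishes boot before
# it looks at default, which this single-pass model deliberately ignores.
ACTIVE="net.lo logger net.eth0 iptables sshd"

# One depinfo_* function per service; "." in a service name becomes "_".
depinfo_net_lo()   { rc_provide="net"; rc_need="";    rc_before="";    rc_after=""; }
depinfo_net_eth0() { rc_provide="net"; rc_need="";    rc_before="";    rc_after=""; }
depinfo_logger()   { rc_provide="";    rc_need="";    rc_before="";    rc_after=""; }
depinfo_iptables() { rc_provide="";    rc_need="";    rc_before="net"; rc_after="logger"; }
depinfo_sshd()     { rc_provide="";    rc_need="net"; rc_before="";    rc_after=""; }

# Load a service's record into rc_provide/rc_need/rc_before/rc_after.
load() {
    rc_provide= rc_need= rc_before= rc_after=
    "depinfo_$(printf '%s' "$1" | tr . _)"
}

# Expand a dependency name: a concrete service maps to itself; anything
# else (a virtual such as "net") maps to every active service providing it.
resolve() {
    for s in $ACTIVE; do
        if [ "$s" = "$1" ]; then echo "$s"; return 0; fi
    done
    for s in $ACTIVE; do
        load "$s"
        for p in $rc_provide; do
            if [ "$p" = "$1" ]; then echo "$s"; fi
        done
    done
    return 0
}

# Emit "A B" lines meaning A must be started before B.
# need/after X: every provider of X before me; before X: me before every provider.
edges() {
    for s in $ACTIVE; do
        load "$s"
        for d in $rc_need $rc_after; do
            for t in $(resolve "$d"); do echo "$t $s"; done
        done
        for d in $rc_before; do
            for t in $(resolve "$d"); do echo "$s $t"; done
        done
    done
    return 0
}

# Kahn-style topological sort: repeatedly place every service whose
# predecessors are all already placed; a round with no progress means
# the remaining services form a dependency cycle.
start_order() {
    edge_list=$(edges)
    placed=""
    progress=1
    while [ "$progress" = 1 ]; do
        progress=0
        for s in $ACTIVE; do
            case " $placed " in *" $s "*) continue ;; esac
            ready=1
            for pred in $(printf '%s\n' "$edge_list" | awk -v s="$s" '$2 == s { print $1 }'); do
                case " $placed " in *" $pred "*) ;; *) ready=0 ;; esac
            done
            if [ "$ready" = 1 ]; then placed="$placed $s"; progress=1; fi
        done
    done
    for s in $ACTIVE; do
        case " $placed " in
            *" $s "*) ;;
            *) echo "dependency cycle involving $s" >&2; return 1 ;;
        esac
    done
    echo "${placed# }"
}

# Shutdown mirrors startup: "before X" at start means "after X" at stop.
stop_order() {
    rev=""
    for s in $(start_order); do rev="$s${rev:+ $rev}"; done
    echo "$rev"
}

echo "start: $(start_order)"
echo "stop:  $(stop_order)"
```

With the constructed table this prints iptables ahead of both net.lo and net.eth0 at start and behind both of them at stop, which is exactly the pair of properties the bug asks for; substituting a single fixed provider for `net` in resolve() reproduces the "firewall after eth0" symptom, since the `before net` edge then only constrains the one interface it happened to resolve to.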
Could you please try baselayout-1.8.6.12 ?
I ran `ACCEPT_KEYWORDS="~x86" emerge baselayout`. No, I'm afraid that doesn't help either :-( Same behaviour as before. Re the new baselayout: I now get "The setfont executable was not found". I noticed the updates to /etc/init.d/consolefont removed a reference to looking for /usr/bin/setfont so I guess that's what it was; I wasn't ready for `ACCEPT_KEYWORDS="~x86" emerge -u baselayout` to update as much as it wanted, so I've dropped in a symlink rather than fill up on masked packages. Rather OT: I don't think portage has an equivalent to `rpm -qf /usr/bin/setfont` (i.e. tell me which package a file belongs to) - correct me if I'm wrong - so please could you tell me what it belongs (belonged?) to?
Bug still present, both on that box and (in case it made any difference) on another box with a 2004.1 install; any progress?
test 1.11.4 ?
Pardon? I mean, test what?
emerge baselayout-1.11.4 and see if the prob still exists
Ah, I see - I didn't get it because I wasn't expecting such a jump in version number. Right, I've done that. Yes, the problem still exists; iptables is still starting after eth0. "before net" is now the standard for iptables, and has been since April this year (iptables-1.2.9-r1) - see comment 37 of bug #27087 - so I'm surely not the only person seeing this.
Could the setting for RC_NET_STRICT_CHECKING have some influence on this behavior? I would expect that if strict checking is set to "lo" and there are new scripts in the current runlevel that provide net, then those should be considered as well, and fallback to lo should only happen if the other net-scripts fail. I currently have an inappropriate shutdown sequence, nfsmount stopping only AFTER net though it should really happen before.
This should be fixed in baselayout-1.12.0