authorErmal <eri@pfsense.org>2012-11-22 16:43:47 +0000
committerErmal <eri@pfsense.org>2012-11-22 16:43:47 +0000
commit3a4b01476620d33b6d6200849231398f82e593c7 (patch)
treed4369e73df57bf65a21063de86af694fee376f43
parentaf13aad69fd8127bc505f36b7debc00aadc9320c (diff)
Resolves #2529. Load the ipfw module before any commands are executed on CP. Also move the filter_load_ipfw() to captiveportal.inc:captiveportal_load_modules() since no other place uses ipfw(4)
-rw-r--r--etc/inc/captiveportal.inc40
-rw-r--r--etc/inc/filter.inc25
-rwxr-xr-xetc/rc.bootup2
-rw-r--r--usr/local/www/services_captiveportal_zones_edit.php3
-rw-r--r--usr/local/www/system_advanced_firewall.php7
5 files changed, 32 insertions, 45 deletions
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 5112e98..dfe6bab 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -36,7 +36,7 @@
added rules which may have been created by other per-user code (index.php, etc).
These changes are (c) 2004 Keycom PLC.
- pfSense_BUILDER_BINARIES: /sbin/ipfw /sbin/sysctl /sbin/kldunload
+ pfSense_BUILDER_BINARIES: /sbin/ipfw /sbin/sysctl
pfSense_BUILDER_BINARIES: /usr/local/sbin/lighttpd /usr/local/bin/minicron /sbin/pfctl
pfSense_BUILDER_BINARIES: /bin/hostname /bin/cp
pfSense_MODULE: captiveportal
@@ -204,10 +204,37 @@ EOD;
return $htmltext;
}
+function captiveportal_load_modules() {
+ global $config;
+
+ mute_kernel_msgs();
+ if (!is_module_loaded("ipfw.ko")) {
+ mwexec("/sbin/kldload ipfw");
+ /* make sure ipfw is not on pfil hooks */
+ mwexec("/sbin/sysctl net.inet.ip.pfil.inbound=\"pf\" net.inet6.ip6.pfil.inbound=\"pf\"" .
+ " net.inet.ip.pfil.outbound=\"pf\" net.inet6.ip6.pfil.outbound=\"pf\"");
+ }
+ /* Always load dummynet now that even allowed ip and mac passthrough use it. */
+ if (!is_module_loaded("dummynet.ko")) {
+ mwexec("/sbin/kldload dummynet");
+ mwexec("/sbin/sysctl net.inet.ip.dummynet.io_fast=1 net.inet.ip.dummynet.hash_size=256");
+ }
+ unmute_kernel_msgs();
+
+ /* XXX: This are not used in pfSense, if needed can be tuned
+ if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
+ mwexec("sysctl net.inet.ip.fw.dyn_max={$config['system']['maximumstates']}");
+ } else {
+ mwexec("sysctl net.inet.ip.fw.dyn_max=10000");
+ }
+ */
+}
+
function captiveportal_configure() {
global $config, $cpzone;
if (is_array($config['captiveportal'])) {
+ captiveportal_load_modules();
mwexec("/sbin/sysctl net.link.ether.ipfw=1");
foreach ($config['captiveportal'] as $cpkey => $cp) {
$cpzone = $cpkey;
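Review bot: The result of `mwexec("/sbin/kldload ipfw")` in captiveportal_load_modules() is discarded, so if the module fails to load the function returns normally and both captiveportal_configure() and captiveportal_init_rules() (the hunk at -491,6) go on issuing ipfw commands that cannot take effect, leaving the portal's enforcement silently absent. Check the exit status and log it, e.g. `if (mwexec("/sbin/kldload ipfw") != 0) log_error("captiveportal: could not load ipfw.ko");`, and consider returning a status the callers can act on. The pfil sysctl also runs only when this function does the loading itself; if ipfw.ko was loaded some other way the hook order is presumably left as it was, so applying that sysctl unconditionally may be safer. `global $config;` is now referenced only by the commented-out dyn_max block and could be dropped together with it. captiveportal_configure() continues past the end of the hunk.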
@@ -491,6 +518,8 @@ function captiveportal_init_rules($reinit = false) {
if (!isset($config['captiveportal'][$cpzone]['enable']))
return;
+ captiveportal_load_modules();
+
$cpips = array();
$ifaces = get_configured_interface_list();
$cpinterfaces = explode(",", $config['captiveportal'][$cpzone]['interface']);
@@ -530,15 +559,6 @@ function captiveportal_init_rules($reinit = false) {
/* init dummynet/ipfw rules number database */
captiveportal_init_ipfw_ruleno();
- /* make sure ipfw is loaded */
- if (!is_module_loaded("ipfw.ko"))
- filter_load_ipfw();
- /* Always load dummynet now that even allowed ip and mac passthrough use it. */
- if (!is_module_loaded("dummynet.ko")) {
- mwexec("/sbin/kldload dummynet");
- mwexec("/sbin/sysctl net.inet.ip.dummynet.io_fast=1 net.inet.ip.dummynet.hash_size=256");
- }
-
$cprules = "add 65291 set 1 allow pfsync from any to any\n";
$cprules .= "add 65292 set 1 allow carp from any to any\n";
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 09d689c..bfd5b17 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -83,31 +83,6 @@ function flowtable_configure() {
}
}
-function filter_load_ipfw() {
- global $config;
-
- if(!is_module_loaded("ipfw.ko")) {
- mute_kernel_msgs();
- mwexec("/sbin/kldload ipfw");
- unmute_kernel_msgs();
- /*
- * make sure ipfw is the first hook to make CP and schedules work
- * correctly on Multi-WAN.
- */
- mwexec("/sbin/sysctl net.inet.ip.pfil.inbound=\"pf\" net.inet6.ip6.pfil.inbound=\"pf\"" .
- " net.inet.ip.pfil.outbound=\"pf\" net.inet6.ip6.pfil.outbound=\"pf\"");
- }
-
- /* XXX: This are not used in pfSense, keep?! Set ipfw state limit */
- if($config['system']['maximumstates'] <> "" && is_numeric($config['system']['maximumstates'])) {
- /* Set ipfw states to user defined maximum states in Advanced menu. */
- mwexec("sysctl net.inet.ip.fw.dyn_max={$config['system']['maximumstates']}");
- } else {
- /* Set to default 10,000 */
- mwexec("sysctl net.inet.ip.fw.dyn_max=10000");
- }
-}
-
function filter_pflog_start($kill_first = false) {
global $config, $g;
if ($g['platform'] == 'jail')
diff --git a/etc/rc.bootup b/etc/rc.bootup
index 48fe740..b8bf0e3 100755
--- a/etc/rc.bootup
+++ b/etc/rc.bootup
@@ -440,4 +440,4 @@ led_normalize();
conf_mount_ro();
-?> \ No newline at end of file
+?>
diff --git a/usr/local/www/services_captiveportal_zones_edit.php b/usr/local/www/services_captiveportal_zones_edit.php
index 3c2d759..4367744 100644
--- a/usr/local/www/services_captiveportal_zones_edit.php
+++ b/usr/local/www/services_captiveportal_zones_edit.php
@@ -79,8 +79,7 @@ if ($_POST) {
write_config();
/* make sure ipfw is loaded */
- if (!is_module_loaded("ipfw.ko"))
- filter_load_ipfw();
+ captiveportal_load_modules();
mwexec("/usr/local/sbin/ipfw_context -a {$cpzone}", true);
header("Location: services_captiveportal.php?zone={$cpzone}");
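Review bot: `$cpzone` is interpolated unquoted into the shell command on the `ipfw_context -a` line directly after the new captiveportal_load_modules() call; where it is assigned is outside this hunk, but inside an `if ($_POST)` handler it is plausibly request-derived and should be quoted, `mwexec("/usr/local/sbin/ipfw_context -a " . escapeshellarg($cpzone), true);`. The same value is placed in the `Location:` header and would be better passed through `urlencode()`. The retained comment `/* make sure ipfw is loaded */` now sits above a call that also loads dummynet and sets sysctls, so it could read `/* load ipfw and dummynet before touching the zone context */`. The `if ($_POST)` block starts and ends outside the hunk.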
diff --git a/usr/local/www/system_advanced_firewall.php b/usr/local/www/system_advanced_firewall.php
index 9fec26a..db0aaa4 100644
--- a/usr/local/www/system_advanced_firewall.php
+++ b/usr/local/www/system_advanced_firewall.php
@@ -173,13 +173,6 @@ if ($_POST) {
write_config();
- /*
- * XXX: This is a kludge here but its the better place than on every filter reload.
- * NOTE: This is only for setting the ipfw state limits.
- */
- if ($_POST['maximumstates'] && is_numeric($_POST['maximumstates']) && is_module_loaded("ipfw.ko"))
- filter_load_ipfw();
-
$retval = 0;
$retval = filter_configure();
if(stristr($retval, "error") <> true)