authorEugene Grosbein <eugen@FreeBSD.org>2021-05-17 21:03:15 +0000
committerEugene Grosbein <eugen@FreeBSD.org>2021-07-16 06:42:20 +0000
commit61891195f8ed2767112810040a79a705e9a285d5 (patch)
treedb27ff94edfc7ec5bddc02da6082847712e9b7e5
parent6ec2f0d74b22f857530b87ce8db153831fff1cca (diff)
downloadsrc-61891195f8ed2767112810040a79a705e9a285d5.tar.gz
src-61891195f8ed2767112810040a79a705e9a285d5.zip
ipfw: reload sysctl.conf variables if needed
Currently ipfw has multiple components that are not part of the GENERIC kernel, like dummynet etc. They can bring in important sysctls if enabled with rc.conf(5) and loaded by the ipfw startup script by means of "required_modules", after the initial consult of /etc/sysctl.conf at boot time. Here is an example of one increasing the limit for dummynet hold queues that defaults to 100: net.inet.ip.dummynet.pipe_slot_limit=1000 This makes it possible to use ipfw/dummynet rules such as: ipfw pipe 1 config bw 50Mbit/s queue 1000 Such a rule is rejected unless the above sysctl is applied. Another example is the group of net.inet.ip.alias.* sysctls created after libalias.ko is loaded as a dependency of ipfw_nat. This is not a problem if the corresponding code is compiled into a custom kernel, so the sysctls exist when sysctl.conf is read early, or if the kernel modules are loaded by the loader. This change makes it work also for GENERIC and for modules loaded by means of rc.conf(5) settings. (cherry picked from commit f5b5de1a3210234f3a6864c88a2d3e11ac2dbf04)
-rwxr-xr-xlibexec/rc/rc.d/ipfw15
1 files changed, 14 insertions, 1 deletions
diff --git a/libexec/rc/rc.d/ipfw b/libexec/rc/rc.d/ipfw
index 50d95543023d..5d0bcc816560 100755
--- a/libexec/rc/rc.d/ipfw
+++ b/libexec/rc/rc.d/ipfw
@@ -47,7 +47,7 @@ ipfw_prestart()
ipfw_start()
{
- local _firewall_type
+ local _firewall_type _module _sysctl_reload
if [ -n "${1}" ]; then
_firewall_type=$1
@@ -55,6 +55,19 @@ ipfw_start()
_firewall_type=${firewall_type}
fi
+ _sysctl_reload=no
+ for _module in ${required_modules}
+ do
+ if kldstat -qn ${_module}; then
+ _sysctl_reload=yes
+ break
+ fi
+ done
+
+ if [ ${_sysctl_reload} = yes ]; then
+ /etc/rc.d/sysctl reload
+ fi
+
# set the firewall rules script if none was specified
[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall