service/ipfw: Silence warning on restart

Once the ipfw0 interface has been created, ifconfig(8) create will
throw a warning: "ifconfig: create: bad value" when trying to create
it again.

PR: 241013
Submitted by: Jose Luis Duran
Approved by: kp
Differential Revision: https://reviews.freebsd.org/D30083

(cherry picked from commit 5c4fe2ac81a5e05062266d684fb53b9faefd0d38)

Git Hash: 370c8a1f784c62d0cf28aa1202a0575add1b3559
Git Author: donner@FreeBSD.org

Style fix for /etc/rc.d/ipfw: correct bad identation after r359701.

MFC r356943,356944: Correct "service ipfw status" for INET6-only systems.

MFC r345450:
Add ability to automatically load ipfw_nat64, ipfw_nptv6 and ipfw_pmod

modules by declaring corresponding variables in rc.conf. Also document
them in rc.conf(5).

Submitted by: Dries Michiels
Differential Revision: https://reviews.freebsd.org/D19673

MFC r345985:
Add firewall_[nat64|nptv6|pmod]_enable variables to /etc/defaults/rc.conf

MFC r329817:

The firewall_type is ignored if not set in rc.conf or rc.conf.local,
after r190575 there is an option to call rc.firewall with the firewall_type
passed in as an argument.

Submitted by: David P. Discher <dpd@dpdtech.com>
Sponsored by: iXsystems Inc.
Differential Revision: https://reviews.freebsd.org/D14286

MFC r320943-r320944, r321008, r321072, r321128

r320943:
Add ipfw_status command to etc/rc.d/ipfw

This is helpful when using service/conf management tools.

Sonsored-By: Gandi.net

r320944:
Add an rc.d script to setup a netflow export via ng_netflow
The default is to export netflow data on localhost on the netflow port.
ngtee is used to have the lowest overhead possible.
The ipfw ng hook is the netflow port (it can only be numeric)
Default is netflow version 5.

Sponsored-By: Gandi.net
Reviewed by: bapt (earlier version), olivier (earlier version)

r321008:
etc/rc.d: Only install ipfw_netflow is MK_IPFW and MK_NETGRAPH is defined

While here only install ipfw rc script if MK_IPFW is defined.

Reported by: ngie

r321072:
ipfw_netflow: add +ipfw_netflow_enable="NO" to defaults/rc.conf and document
usage in rc.conf(5)

Reported by: markj
Sponsored by: Gandi.net

r321128:
ipfw_netflow: Add support for FIB

If ipfw_netflow_fib, the ipfw rule will only match packets in that FIB.

While here correct some value in rc.conf(5) to be int and not str.

Sponsored by: Gandi.net

MFC 317729:

Silence sysctl in startup scripts.

This makes 'stop' behave consistently with 'start' in the script.
Also use $SYSCTL instead of sysctl for consistency within that script.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452

Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
apply to most jails but do apply to vnet jails. This includes adding
a new sysctl "security.jail.vnet" to identify vnet jails.

PR: conf/149050
Submitted by: mdodd
MFC after: 3 days

Load ipdivert.ko when natd_enable=YES.

PR: conf/167566

Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on: freebsd-ipfw@

Replace ${SYSCTL_W} with ${SYSCTL} in rc.d scripts, as they are identical.
This is a further clean up after r202988.

SYSCTL_W is still initialized in rc.subr as some ports may still use it.

Remove trailing white space. No functional changes.

Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by: Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by: rhodes, rc@
MFC after: 1 week

Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by: dougb, jhb
MFC after: 1 month

Reverse the effect of r193198 for pf and ipfw which will once again
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.

IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.

This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.

- Add ipfw_nat to the list of required modules if "firewall_nat_enable"
is set and "natd_enable" is NOT set;

- Accept and pass firewall type to the external firewall script.

Submitted by: Yuri Kurenkov < y -dot- kurenkov -at- init -dot- ru >
MFC after: 3 days
No response from: freebsd-rc

As previously discussed, add the svn:executable property to all scripts

No need to display the result of enabling the ipfw sysctl if it's
successfull. Issue a warning if it fails, however.

Add a dummynet_enable knob to go with firewall_enable. If this knob
is enabled dummynet(4) is added to the list of required modules.

Discussed on: #freebsd-bugbusters (rwatson, trhodes)
PR: conf/79196
MFC after: 1 week

Generally, anything that runs rc.d scripts internally should
start using the quiet prefix (i.e. quietstart, quietstop, etc...).

Instead of directly sourcing the firewall script, run it in a separate shell.
If the firewall script is sourced directly from the script, then any
exit statements in it will also terminate the rc.d script prematurely.

PR: conf/78762
MFC-After: 2 weeks

Use $required_modules wherever suitable. Use load_kld() in special
cases. So we get rid of quite a few lines of duplicated code.

De-uglify messages from the ipfw script.

Use 'ipfw list' instead of 'ipfw l', since it's deprecated (and warning is
printed on system startup).

Approved by: cognet (mentor)
MFC after: 3 days

Transforming "ppp-user" into just "ppp", step 1:
The rcorder(8) condition PROVIDE'd by the script
and REQUIRE'd by the others becomes "ppp".

The ultimate goal of the transformation is to reduce
confusion resulting from the fact that $name has been
"ppp" already.

Discussed with: pjd, -rc

Start natd(8) before loading firewall rules, to give the
ipdivert.ko module a chance to load.

Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days

Protect som cross-script invocations by checks to see that the target
script exists. This allows pruning of rc.d scripts without getting
too many ugly boottime error message

Add separate script for natd. This fixes race condition with "ipfw restart"
(when new natd is started before old natd died) and allows to manage natd
without touching ipfw.

natd should probably be killed with SIGKILL when stopping natd.

Mark scripts as not usable inside a jail by adding keyword 'nojail'.

Some suggestions from: rwatson, Ruben de Groot <mail25@bzerk.org>

Add -dynamic to natd if dhcp is used for the natd interface.
Kill natd in stop().

Reviewed by: mtm

Make the 'restart' command work. Otherwise, it would successfully
stop ipfw, but not enable it again.

Aesthetic changes
o Use positve logic (instead of negative)
o create a 'stop' function, rather than putting the
commands in the stop_cmd variable.

Submitted by: des
Approved by: markm (mentor) (implicit)

Finish merging in rev. 1.124 of rc.network, so that natd can be used
withough the $natd_interface having to be explicitly specified on the
command line.

Approved by: markm (mentor)
Submitted by: Aaron D. Gifford <agifford@infowest.com>
PR: conf/47024

MFC: upon re approval

Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by: silence from gordon

Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by: Mike Makonnen <makonnen@pacbell.net>
Reviewed by: silence on -current and -hackers
Prodded by: rwatson