ipfilter revision 111913 
1#!/bin/sh
2#
3# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
4# $FreeBSD: head/etc/rc.d/ipfilter 111913 2003-03-05 17:16:22Z ume $
5#
6
7# PROVIDE: ipfilter
8# REQUIRE: root beforenetlkm mountcritlocal tty
9# KEYWORD: FreeBSD NetBSD
10
11. /etc/rc.subr
12
13name="ipfilter"
14rcvar=`set_rcvar`
15load_rc_config $name
16
17case ${OSTYPE} in
18FreeBSD)
19	stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
20	;;
21NetBSD)
22	stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
23	;;
24esac
25
26start_precmd="ipfilter_prestart"
27start_cmd="ipfilter_start"
28stop_cmd="ipfilter_stop"
29reload_precmd="$stop_precmd"
30reload_cmd="ipfilter_reload"
31resync_precmd="$stop_precmd"
32resync_cmd="ipfilter_resync"
33status_precmd="$stop_precmd"
34status_cmd="ipfilter_status"
35extra_commands="reload resync status"
36
37ipfilter_prestart()
38{
39case ${OSTYPE} in
40FreeBSD)
41	# load ipfilter kernel module if needed
42	if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
43		if kldload ipl; then
44			echo 'IP-filter module loaded.'
45		else
46			warn 'IP-filter module failed to load.'
47			return 1
48		fi
49	fi
50
51	# check for ipfilter rules
52	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
53	then
54		warn 'IP-filter: NO IPF RULES'
55		return 1
56	fi
57	;;
58NetBSD)
59	if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
60		warn "/etc/ipf*.conf not readable; ipfilter start aborted."
61			#
62			# If booting directly to multiuser, send SIGTERM to
63			# the parent (/etc/rc) to abort the boot
64			#
65		if [ "$autoboot" = yes ]; then
66			echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
67			kill -TERM $$
68			exit 1
69		fi
70		return 1
71	fi
72	;;
73esac
74	return 0
75}
76
77ipfilter_start()
78{
79	echo "Enabling ipfilter."
80	case ${OSTYPE} in
81	FreeBSD)
82		${ipfilter_program:-/sbin/ipf} -Fa
83		if [ -r "${ipfilter_rules}" ]; then
84			${ipfilter_program:-/sbin/ipf} \
85			    -f "${ipfilter_rules}" ${ipfilter_flags}
86		fi
87		${ipfilter_program:-/sbin/ipf} -6 -Fa
88		if [ -r "${ipv6_ipfilter_rules}" ]; then
89			${ipfilter_program:-/sbin/ipf} -6 \
90			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
91		fi
92		;;
93	NetBSD)
94		/sbin/ipf -E -Fa
95		if [ -f /etc/ipf.conf ]; then
96			/sbin/ipf -f /etc/ipf.conf
97		fi
98		if [ -f /etc/ipf6.conf ]; then
99			/sbin/ipf -6 -f /etc/ipf6.conf
100		fi
101		;;
102	esac
103}
104
105ipfilter_stop()
106{
107	case ${OSTYPE} in
108	FreeBSD)
109		echo "Saving firewall state tables"
110		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
111		;;
112	NetBSD)
113		;;
114	esac
115	# XXX - The following command is not effective for 'lkm's
116	echo "Disabling ipfilter."
117	/sbin/ipf -D
118}
119
120ipfilter_reload()
121{
122	echo "Reloading ipfilter rules."
123
124	case ${OSTYPE} in
125	FreeBSD)
126		${ipfilter_program:-/sbin/ipf} -I -Fa
127		if [ -r "${ipfilter_rules}" ]; then
128			${ipfilter_program:-/sbin/ipf} -I \
129			    -f "${ipfilter_rules}" ${ipfilter_flags}
130		fi
131		${ipfilter_program:-/sbin/ipf} -I -6 -Fa
132		if [ -r "${ipv6_ipfilter_rules}" ]; then
133			${ipfilter_program:-/sbin/ipf} -I -6 \
134			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
135		fi
136		;;
137	NetBSD)
138		/sbin/ipf -I -Fa
139		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
140			err 1 "reload of ipf.conf failed; not swapping to" \
141			    " new ruleset."
142		fi
143		if [ -f /etc/ipf6.conf ] && \
144		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
145			err 1 "reload of ipf6.conf failed; not swapping to" \
146			    " new ruleset."
147		fi
148		/sbin/ipf -s
149		;;
150	esac
151
152}
153
154ipfilter_resync()
155{
156	case ${OSTYPE} in
157	FreeBSD)
158		# Don't resync if ipfilter is not loaded
159		[ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
160		;;
161	esac
162	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
163}
164
165ipfilter_status()
166{
167	${ipfilter_program:-/sbin/ipf} -V
168}
169
170run_rc_command "$1"
171