ipfilter revision 114270
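#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 114270 2003-04-30 02:19:38Z mtm $
#
# rc.d script for the IP Filter packet filter (ipf).  Subcommands:
#   start  - load the kernel module if needed, enable the filter and
#            load the rule files; refuses to enable a filter that has
#            no rule set to load
#   stop   - save the state tables (FreeBSD) and disable the filter
#   reload - load the rule files into the inactive set and swap it in
#            only if every load succeeded
#   resync - ask ipf to resync its interface list
#   status - print the ipf version (ipf -V)
#
# FreeBSD reads its settings from rc.conf: ipfilter_rules,
# ipv6_ipfilter_rules, ipfilter_program, ipfilter_flags, ipfs_program,
# ipfs_flags.  NetBSD uses the fixed rule files /etc/ipf.conf and
# /etc/ipf6.conf.
#

# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal tty ipmon
# BEFORE: netif
# KEYWORD: FreeBSD NetBSD

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

#
# Succeed when at least one rule file exists.  Used as the precmd for
# stop/reload/resync/status so those commands only run when the filter
# could have been started.  The original inlined this as an unquoted
# "test -f ... -o -f ..." string, which misbehaves when a rule variable
# is empty or contains whitespace.
#
ipfilter_rules_present()
{
	case "${OSTYPE}" in
	FreeBSD)
		[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
		;;
	NetBSD)
		[ -f /etc/ipf.conf ] || [ -f /etc/ipf6.conf ]
		;;
	esac
}

stop_precmd="ipfilter_rules_present"
start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

#
# Pre-start checks.  Returns 0 when the filter may be enabled, 1 when
# there is no rule set (the filter is then not enabled at all rather
# than enabled without rules).  On NetBSD during an autoboot the whole
# boot is aborted instead.
#
ipfilter_prestart()
{
	case "${OSTYPE}" in
	FreeBSD)
		# Load the ipfilter kernel module if the sysctl it registers
		# is not visible yet.
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				err 1 'IP-filter module failed to load.'
			fi
		fi

		# Refuse to enable the filter without a readable rule set.
		if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
		then
			warn 'IP-filter: NO IPF RULES'
			return 1
		fi
		;;
	NetBSD)
		if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
			warn "/etc/ipf*.conf not readable; ipfilter start aborted."
			#
			# If booting directly to multiuser, send SIGTERM to
			# the parent (/etc/rc) to abort the boot.
			# NOTE(review): $$ is /etc/rc only while this script is
			# sourced by it rather than executed -- confirm.
			#
			if [ "$autoboot" = yes ]; then
				echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
				kill -TERM $$
				exit 1
			fi
			return 1
		fi
		;;
	esac
	return 0
}

#
# Enable the filter, flush the active rule set and load the rule files.
# ${ipfilter_flags} is deliberately unquoted so several flags may be
# given in one rc.conf variable.
#
ipfilter_start()
{
	echo "Enabling ipfilter."
	case "${OSTYPE}" in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -EFa
		if [ -r "${ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} \
			    -f "${ipfilter_rules}" ${ipfilter_flags}
		fi
		${ipfilter_program:-/sbin/ipf} -6 -EFa
		if [ -r "${ipv6_ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} -6 \
			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
		fi
		;;
	NetBSD)
		/sbin/ipf -E -Fa
		if [ -f /etc/ipf.conf ]; then
			/sbin/ipf -f /etc/ipf.conf
		fi
		if [ -f /etc/ipf6.conf ]; then
			/sbin/ipf -6 -f /etc/ipf6.conf
		fi
		;;
	esac
}

#
# Save the state tables (FreeBSD only) and disable the filter.
#
ipfilter_stop()
{
	case "${OSTYPE}" in
	FreeBSD)
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		;;
	NetBSD)
		;;
	esac
	# XXX - The following command is not effective for 'lkm's
	echo "Disabling ipfilter."
	# Honour ipfilter_program like every other ipf invocation here;
	# the default is the /sbin/ipf the original hard-coded.
	${ipfilter_program:-/sbin/ipf} -D
}

#
# Reload the rules: flush and fill the inactive set (-I), then swap it
# in (-s).  A rule file that fails to load aborts before the swap, so
# the currently active rules stay in place.  The original only did this
# check on NetBSD; FreeBSD swapped in whatever partial set resulted.
#
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	case "${OSTYPE}" in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -I -Fa
		if [ -r "${ipfilter_rules}" ] && \
		    ! ${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipfilter_rules} failed;" \
			    "not swapping to new ruleset."
		fi
		${ipfilter_program:-/sbin/ipf} -I -6 -Fa
		if [ -r "${ipv6_ipfilter_rules}" ] && \
		    ! ${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipv6_ipfilter_rules} failed;" \
			    "not swapping to new ruleset."
		fi
		${ipfilter_program:-/sbin/ipf} -s
		;;
	NetBSD)
		/sbin/ipf -I -Fa
		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
			err 1 "reload of ipf.conf failed; not swapping to" \
			    " new ruleset."
		fi
		if [ -f /etc/ipf6.conf ] && \
		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
			err 1 "reload of ipf6.conf failed; not swapping to" \
			    " new ruleset."
		fi
		/sbin/ipf -s
		;;
	esac
}

#
# Resync the filter's view of the interfaces.  On FreeBSD this is a
# no-op when the module is not loaded.  The original wrote the check as
# "[ sysctl net.inet.ipf.fr_pass ... ] && return", which never ran
# sysctl at all -- test(1) only saw the literal words.
#
ipfilter_resync()
{
	case "${OSTYPE}" in
	FreeBSD)
		# Don't resync if ipfilter is not loaded
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			return 0
		fi
		;;
	esac
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

#
# "status" only reports the ipf version; it does not show whether the
# filter is enabled or which rules are loaded.
#
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"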