ipfilter revision 164175
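#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 164175 2006-11-11 10:48:34Z ceri $
#
# rc.d script for the IPFilter packet filter: loads the kernel module,
# installs the IPv4 / IPv6 rule sets from ${ipfilter_rules} and
# ${ipv6_ipfilter_rules}, and provides reload / resync / status.
#
# rc.conf variables read here (after load_rc_config):
#   ipfilter_program, ipfilter_flags, ipfilter_rules, ipv6_ipfilter_rules,
#   ipfs_program, ipfs_flags
#

# PROVIDE: ipfilter
# REQUIRE: root mountcritlocal
# BEFORE: netif
# KEYWORD: nojail

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# Resolve the tool paths once so every action below runs the same binaries.
# rc.conf may override them; the defaults are the base-system programs.
ipf_cmd=${ipfilter_program:-/sbin/ipf}
ipfs_cmd=${ipfs_program:-/sbin/ipfs}

# stop/reload/resync/status only make sense when a rule file exists; the
# check is a function rather than an inline "test -f a -o -f b" string so an
# unset, empty or space-containing path cannot turn into a malformed test.
stop_precmd="ipfilter_rules_present"

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# Returns 0 when at least one of the two rule files exists, 1 otherwise.
ipfilter_rules_present()
{
	[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
}

# Returns 0 when the ipfilter kernel module appears in kldstat, 1 otherwise.
ipfilter_loaded()
{
	kldstat -v 2>/dev/null | grep -q 'ipfilter$'
}

# Prints the value of net.inet.ipf.fr_running, or 0 when the sysctl cannot
# be read (e.g. module not loaded).  Callers compare the output numerically,
# so it must never be empty.
ipfilter_running()
{
	local running
	running=$(sysctl -n net.inet.ipf.fr_running 2>/dev/null) || running=0
	echo "${running:-0}"
}

# start_precmd: load the kernel module if needed, then refuse to start when
# neither rule file is readable (rc.subr then skips ipfilter_start).
# Returns 0 to proceed, 1 to abort the start.
ipfilter_prestart()
{
	# load ipfilter kernel module if needed
	if ! ipfilter_loaded; then
		if kldload ipl; then
			info 'IP-filter module loaded.'
		else
			err 1 'IP-filter module failed to load.'
		fi
	fi

	# check for ipfilter rules
	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]; then
		warn 'IP-filter: NO IPF RULES'
		return 1
	fi
	return 0
}

# start_cmd: enable the filter (if not already running) and install the
# IPv4 and IPv6 rule sets.  Each family's active set is flushed before the
# file is loaded, so a file that fails to load is treated as a hard error:
# continuing would leave the filter enabled with an empty set for that
# family.  ${ipfilter_flags} is deliberately unquoted so rc.conf can supply
# more than one flag.
ipfilter_start()
{
	echo "Enabling ipfilter."
	if [ "$(ipfilter_running)" -le 0 ]; then
		"$ipf_cmd" -E
	fi
	"$ipf_cmd" -Fa
	if [ -r "${ipfilter_rules}" ]; then
		if ! "$ipf_cmd" -f "${ipfilter_rules}" ${ipfilter_flags}; then
			err 1 'Load of rules failed; ipfilter enabled with no IPv4 rules'
		fi
	fi
	"$ipf_cmd" -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		if ! "$ipf_cmd" -6 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			err 1 'Load of IPv6 rules failed; ipfilter enabled with no IPv6 rules'
		fi
	fi
}

# stop_cmd: save the state tables and disable the filter, but only when it
# is actually running (fr_running == 1).  ${ipfs_flags} is deliberately
# unquoted (see ipfilter_start).
ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ "$(ipfilter_running)" -eq 1 ]; then
		echo "Saving firewall state tables"
		"$ipfs_cmd" -W ${ipfs_flags}
		echo "Disabling ipfilter."
		"$ipf_cmd" -D
	fi
}

# reload_cmd: load the rule files into the inactive set (-I) and swap (-s)
# only when every load succeeded, so a broken rule file never replaces the
# running set.  A failed swap is reported too, since the new rules would
# then not be in effect.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	"$ipf_cmd" -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		if ! "$ipf_cmd" -I -f "${ipfilter_rules}" ${ipfilter_flags}; then
			err 1 'Load of rules into alternate set failed; aborting reload'
		fi
	fi
	"$ipf_cmd" -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		if ! "$ipf_cmd" -I -6 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
		fi
	fi
	if ! "$ipf_cmd" -s; then
		err 1 'Swap to the reloaded rule set failed'
	fi
}

# resync_cmd: re-read interface state (ipf -y); a no-op when the module is
# not loaded.
ipfilter_resync()
{
	# Don't resync if ipfilter is not loaded
	ipfilter_loaded || return 0
	"$ipf_cmd" -y ${ipfilter_flags}
}

# status_cmd: print the ipf version / running state.
ipfilter_status()
{
	"$ipf_cmd" -V
}

run_rc_command "$1"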