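#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ipfilter
# REQUIRE: FILESYSTEMS
# KEYWORD: nojail

# rc.d script for the IPFilter packet filter.  It enables or disables the
# filter and loads the IPv4 and IPv6 rule files named by ${ipfilter_rules}
# and ${ipv6_ipfilter_rules}.

. /etc/rc.subr

name="ipfilter"
rcvar="ipfilter_enable"
load_rc_config "$name"

# Every command below is gated on at least one of the two rules files
# existing.
# NOTE(review): both paths are expanded, unquoted, at the moment this line is
# read.  An empty value or a path containing whitespace changes the shape of
# the test expression; confirm the rc.conf values are always plain paths.
stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"

start_precmd="$stop_precmd"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync"
required_modules="ipl:ipfilter"

# Enable the filter if it is not running, flush the active IPv4 and IPv6
# rule sets, then load each rules file that is readable.
#
# The active set is flushed before the new rules are loaded, so a failed load
# leaves the filter enabled with an empty or partial rule set.  What traffic
# passes in that state depends on the filter's default policy, which is not
# visible in this script.  A failed load is therefore reported with warn and
# reflected in the return status instead of passing silently.
#
# A rules file that is not readable is skipped without a message, because one
# address family may legitimately have no rules file.
#
# Returns: 0 if every attempted load succeeded, 1 otherwise.
ipfilter_start()
{
	local _rv

	_rv=0
	echo "Enabling ipfilter."
	# Quoted so that empty sysctl output reaches test as one operand.
	if [ "$(sysctl -n net.inet.ipf.fr_running)" -le 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		# ${ipfilter_flags} is left unquoted on purpose: it may hold
		# several options that must be split into separate words.
		if ! ${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}; then
			warn "Load of rules from ${ipfilter_rules} failed; active rule set may be empty or incomplete"
			_rv=1
		fi
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		if ! ${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			warn "Load of IPv6 rules from ${ipv6_ipfilter_rules} failed; active rule set may be empty or incomplete"
			_rv=1
		fi
	fi
	return ${_rv}
}

# Save the firewall state tables and disable the filter, but only when the
# fr_running sysctl reports 1.
ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ "$(sysctl -n net.inet.ipf.fr_running)" -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

# Load the rules into the alternate (-I) rule set and swap it in with -s.
# The swap is only reached if every attempted load succeeded: err exits the
# script on a failed load, so the set that is currently active stays in place.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags} ||
			err 1 'Load of rules into alternate set failed; aborting reload'
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} ||
			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
	fi
	# NOTE(review): a rules file that is not readable leaves its alternate
	# set flushed, and the swap below then activates that empty set.
	${ipfilter_program:-/sbin/ipf} -s

}

# Run ipf -y with the configured flags.
ipfilter_resync()
{
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# Run ipf -V and print its output.
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"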