ipfilter revision 113959
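#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 113959 2003-04-24 08:20:47Z mtm $
#

# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal tty ipmon
# BEFORE: netif
# KEYWORD: FreeBSD NetBSD

#
# rc.d script for IPFilter (ipf).  Loads the packet-filter rule sets at
# boot and provides start/stop/reload/resync/status.
#
# FreeBSD reads its configuration from rc.conf via load_rc_config:
#   ipfilter_program, ipfilter_rules, ipv6_ipfilter_rules, ipfilter_flags,
#   ipfs_program, ipfs_flags.
# NetBSD uses the fixed rule files /etc/ipf.conf and /etc/ipf6.conf.
#

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# ipfilter_rules_present
#	Succeed when at least one rule file exists.  Used as the precmd for
#	stop/reload/resync/status so those commands are skipped on a host
#	that has no ipf configuration.  The file names depend on the OS, so
#	they are evaluated here at call time rather than baked into a
#	command string that rc.subr has to eval (which also mis-parses when
#	${ipfilter_rules} is empty).
ipfilter_rules_present()
{
	case ${OSTYPE} in
	FreeBSD)
		[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
		;;
	NetBSD)
		[ -f /etc/ipf.conf ] || [ -f /etc/ipf6.conf ]
		;;
	esac
}

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_precmd="ipfilter_rules_present"
stop_cmd="ipfilter_stop"
reload_precmd="ipfilter_rules_present"
reload_cmd="ipfilter_reload"
resync_precmd="ipfilter_rules_present"
resync_cmd="ipfilter_resync"
status_precmd="ipfilter_rules_present"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# ipfilter_prestart
#	Make sure the ipf kernel code is present and that there is at least
#	one readable rule file.  Returns non-zero (which makes rc.subr abort
#	the start) when there is nothing to load, so we never end up with ipf
#	enabled and no rules.
ipfilter_prestart()
{
	case ${OSTYPE} in
	FreeBSD)
		# The sysctl only exists once the ipf code is in the kernel
		# (module or compiled in); load the ipl module on demand.
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				err 1 'IP-filter module failed to load.'
			fi
		fi

		# check for ipfilter rules
		if [ ! -r "${ipfilter_rules}" ] && \
		    [ ! -r "${ipv6_ipfilter_rules}" ]; then
			warn 'IP-filter: NO IPF RULES'
			return 1
		fi
		;;
	NetBSD)
		if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
			warn "/etc/ipf*.conf not readable; ipfilter start aborted."
			#
			# If booting directly to multiuser, send SIGTERM to
			# the parent (/etc/rc) to abort the boot
			#
			# NOTE(review): $$ is the PID of the shell running this
			# script, so the signal only reaches /etc/rc if the script
			# is sourced rather than executed -- confirm against the
			# NetBSD rc.subr in use.
			#
			if [ "$autoboot" = yes ]; then
				echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
				kill -TERM $$
				exit 1
			fi
			return 1
		fi
		;;
	esac
	return 0
}

# ipfilter_start
#	Flush and load the IPv4 and IPv6 rule sets into the active set.
#	Note the ordering: -Fa empties the active set before -f loads the
#	file, so a rule file that fails to parse leaves ipf running with an
#	empty rule set (presumably only the kernel default then applies).
#	We warn loudly in that case; 'reload' is the safe, atomic way to
#	replace rules on a running system.
ipfilter_start()
{
	echo "Enabling ipfilter."
	case ${OSTYPE} in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -Fa
		if [ -r "${ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} \
			    -f "${ipfilter_rules}" ${ipfilter_flags} ||
			    warn "IP-filter: load of ${ipfilter_rules} failed; no IPv4 rules loaded"
		fi
		${ipfilter_program:-/sbin/ipf} -6 -Fa
		if [ -r "${ipv6_ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} -6 \
			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} ||
			    warn "IP-filter: load of ${ipv6_ipfilter_rules} failed; no IPv6 rules loaded"
		fi
		;;
	NetBSD)
		/sbin/ipf -E -Fa
		if [ -f /etc/ipf.conf ]; then
			/sbin/ipf -f /etc/ipf.conf
		fi
		if [ -f /etc/ipf6.conf ]; then
			/sbin/ipf -6 -f /etc/ipf6.conf
		fi
		;;
	esac
}

# ipfilter_stop
#	Save the state tables (FreeBSD only, via ipfs -W) and then turn
#	ipf off.  Uses the same ipfilter_program override as start/reload
#	so an alternate ipf binary is honoured consistently.
ipfilter_stop()
{
	case ${OSTYPE} in
	FreeBSD)
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		;;
	NetBSD)
		;;
	esac
	# XXX - The following command is not effective for 'lkm's
	echo "Disabling ipfilter."
	${ipfilter_program:-/sbin/ipf} -D
}

# ipfilter_reload
#	Replace the rules atomically: load the new files into the inactive
#	set (-I) and only swap it in (-s) once every file has loaded cleanly.
#	If a file fails to parse we bail out with err before the swap, so the
#	currently active rule set stays in force instead of being replaced
#	by whatever partial set made it into the inactive side.  The FreeBSD
#	branch now performs the same check the NetBSD branch always did.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	case ${OSTYPE} in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -I -Fa
		if [ -r "${ipfilter_rules}" ] && \
		    ! ${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipfilter_rules} failed; not swapping to new ruleset."
		fi
		${ipfilter_program:-/sbin/ipf} -I -6 -Fa
		if [ -r "${ipv6_ipfilter_rules}" ] && \
		    ! ${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipv6_ipfilter_rules} failed; not swapping to new ruleset."
		fi
		${ipfilter_program:-/sbin/ipf} -s
		;;
	NetBSD)
		/sbin/ipf -I -Fa
		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
			err 1 "reload of ipf.conf failed; not swapping to" \
			    " new ruleset."
		fi
		if [ -f /etc/ipf6.conf ] && \
		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
			err 1 "reload of ipf6.conf failed; not swapping to" \
			    " new ruleset."
		fi
		/sbin/ipf -s
		;;
	esac
}

# ipfilter_resync
#	Re-sync ipf's view of the interfaces (ipf -y).  On FreeBSD this is
#	a no-op when the ipf code is not loaded; the probe is the same sysctl
#	ipfilter_prestart uses.  (The previous form wrapped the sysctl in
#	'[ ... ]', which made test fail on a stray operand and never took the
#	early return.)
ipfilter_resync()
{
	case ${OSTYPE} in
	FreeBSD)
		# Don't resync if ipfilter is not loaded
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			return 0
		fi
		;;
	esac
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# ipfilter_status
#	Print ipf's version/status banner (ipf -V).
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"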