etc/rc.d/ipfilter

78344Sobrien#!/bin/sh
78344Sobrien#
98184Sgordon# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
98184Sgordon# $FreeBSD: head/etc/rc.d/ipfilter 120515 2003-09-27 13:50:47Z mux $
78344Sobrien#
78344Sobrien
78344Sobrien# PROVIDE: ipfilter
118219Smtm# REQUIRE: root beforenetlkm mountcritlocal ipmon
113959Smtm# BEFORE:  netif
98184Sgordon# KEYWORD: FreeBSD NetBSD
78344Sobrien
78344Sobrien. /etc/rc.subr
78344Sobrien
78344Sobrienname="ipfilter"
98184Sgordonrcvar=`set_rcvar`
98184Sgordonload_rc_config $name
98184Sgordon
103019Sgordoncase ${OSTYPE} in
98184SgordonFreeBSD)
106333Sume	stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
98184Sgordon	;;
98184SgordonNetBSD)
98184Sgordon	stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
98184Sgordon	;;
98184Sgordonesac
98184Sgordon
78344Sobrienstart_precmd="ipfilter_prestart"
78344Sobrienstart_cmd="ipfilter_start"
78344Sobrienstop_cmd="ipfilter_stop"
78344Sobrienreload_precmd="$stop_precmd"
78344Sobrienreload_cmd="ipfilter_reload"
98184Sgordonresync_precmd="$stop_precmd"
98184Sgordonresync_cmd="ipfilter_resync"
78344Sobrienstatus_precmd="$stop_precmd"
78344Sobrienstatus_cmd="ipfilter_status"
98184Sgordonextra_commands="reload resync status"
78344Sobrien
78344Sobrienipfilter_prestart()
78344Sobrien{
103019Sgordoncase ${OSTYPE} in
98184SgordonFreeBSD)
98184Sgordon	# load ipfilter kernel module if needed
120515Smux	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
104980Sschweikh		if kldload ipl; then
114271Smtm			info 'IP-filter module loaded.'
98184Sgordon		else
113959Smtm			err 1 'IP-filter module failed to load.'
98184Sgordon		fi
98184Sgordon	fi
98184Sgordon
98184Sgordon	# check for ipfilter rules
106333Sume	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
106333Sume	then
98184Sgordon		warn 'IP-filter: NO IPF RULES'
98184Sgordon		return 1
98184Sgordon	fi
98184Sgordon	;;
98184SgordonNetBSD)
78344Sobrien	if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
78344Sobrien		warn "/etc/ipf*.conf not readable; ipfilter start aborted."
78344Sobrien			#
78344Sobrien			# If booting directly to multiuser, send SIGTERM to
78344Sobrien			# the parent (/etc/rc) to abort the boot
78344Sobrien			#
78344Sobrien		if [ "$autoboot" = yes ]; then
78344Sobrien			echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
78344Sobrien			kill -TERM $$
78344Sobrien			exit 1
78344Sobrien		fi
78344Sobrien		return 1
78344Sobrien	fi
98184Sgordon	;;
98184Sgordonesac
78344Sobrien	return 0
78344Sobrien}
78344Sobrien
78344Sobrienipfilter_start()
78344Sobrien{
78344Sobrien	echo "Enabling ipfilter."
103019Sgordon	case ${OSTYPE} in
98184Sgordon	FreeBSD)
120515Smux		if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
120515Smux			${ipfilter_program:-/sbin/ipf} -E
120515Smux		fi
120515Smux		${ipfilter_program:-/sbin/ipf} -Fa
106333Sume		if [ -r "${ipfilter_rules}" ]; then
106333Sume			${ipfilter_program:-/sbin/ipf} \
106333Sume			    -f "${ipfilter_rules}" ${ipfilter_flags}
106333Sume		fi
120515Smux		${ipfilter_program:-/sbin/ipf} -6 -Fa
106333Sume		if [ -r "${ipv6_ipfilter_rules}" ]; then
106333Sume			${ipfilter_program:-/sbin/ipf} -6 \
106333Sume			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
106333Sume		fi
98184Sgordon		;;
98184Sgordon	NetBSD)
98184Sgordon		/sbin/ipf -E -Fa
98184Sgordon		if [ -f /etc/ipf.conf ]; then
98184Sgordon			/sbin/ipf -f /etc/ipf.conf
98184Sgordon		fi
98184Sgordon		if [ -f /etc/ipf6.conf ]; then
98184Sgordon			/sbin/ipf -6 -f /etc/ipf6.conf
98184Sgordon		fi
98184Sgordon		;;
98184Sgordon	esac
78344Sobrien}
78344Sobrien
78344Sobrienipfilter_stop()
78344Sobrien{
120515Smux	# XXX - The ipf -D command is not effective for 'lkm's
120515Smux	if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
120515Smux		case ${OSTYPE} in
120515Smux		FreeBSD)
120515Smux			echo "Saving firewall state tables"
120515Smux			${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
120515Smux			echo "Disabling ipfilter."
120515Smux			${ipfilter_program:-/sbin/ipf} -D
120515Smux			;;
120515Smux		NetBSD)
120515Smux			echo "Disabling ipfilter."
120515Smux			/sbin/ipf -D
120515Smux			;;
120515Smux		esac
120515Smux	fi
78344Sobrien}
78344Sobrien
78344Sobrienipfilter_reload()
78344Sobrien{
78344Sobrien	echo "Reloading ipfilter rules."
78344Sobrien
103019Sgordon	case ${OSTYPE} in
98184Sgordon	FreeBSD)
106333Sume		${ipfilter_program:-/sbin/ipf} -I -Fa
106333Sume		if [ -r "${ipfilter_rules}" ]; then
106333Sume			${ipfilter_program:-/sbin/ipf} -I \
106333Sume			    -f "${ipfilter_rules}" ${ipfilter_flags}
106333Sume		fi
111913Sume		${ipfilter_program:-/sbin/ipf} -I -6 -Fa
106333Sume		if [ -r "${ipv6_ipfilter_rules}" ]; then
106333Sume			${ipfilter_program:-/sbin/ipf} -I -6 \
106333Sume			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
106333Sume		fi
112500Sume		${ipfilter_program:-/sbin/ipf} -s
98184Sgordon		;;
98184Sgordon	NetBSD)
98184Sgordon		/sbin/ipf -I -Fa
98184Sgordon		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
98184Sgordon			err 1 "reload of ipf.conf failed; not swapping to" \
98184Sgordon			    " new ruleset."
98184Sgordon		fi
98184Sgordon		if [ -f /etc/ipf6.conf ] && \
98184Sgordon		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
98184Sgordon			err 1 "reload of ipf6.conf failed; not swapping to" \
98184Sgordon			    " new ruleset."
98184Sgordon		fi
98184Sgordon		/sbin/ipf -s
98184Sgordon		;;
98184Sgordon	esac
98184Sgordon
78344Sobrien}
78344Sobrien
98184Sgordonipfilter_resync()
98184Sgordon{
103019Sgordon	case ${OSTYPE} in
98184Sgordon	FreeBSD)
98184Sgordon		# Don't resync if ipfilter is not loaded
120515Smux		[ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return
98184Sgordon		;;
98184Sgordon	esac
98184Sgordon	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
98184Sgordon}
98184Sgordon
78344Sobrienipfilter_status()
78344Sobrien{
98184Sgordon	${ipfilter_program:-/sbin/ipf} -V
78344Sobrien}
78344Sobrien
78344Sobrienrun_rc_command "$1"