ipfilter revision 124618
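#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 124618 2004-01-17 10:40:45Z mtm $
#

# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal ipmon
# BEFORE: netif
# KEYWORD: FreeBSD

# rc.d script for the IP Filter packet filter: loads the kernel module,
# installs the IPv4/IPv6 rule sets and offers reload/resync/status commands.
# It is ordered BEFORE netif, so the filter is set up before the network
# interfaces are configured.
#
# rc.conf variables read here:
#   ipfilter_rules       IPv4 rules file
#   ipv6_ipfilter_rules  IPv6 rules file
#   ipfilter_flags       extra arguments for ipf (deliberately word-split)
#   ipfilter_program     ipf binary, default /sbin/ipf
#   ipfs_program         ipfs binary, default /sbin/ipfs
#   ipfs_flags           extra arguments for ipfs (deliberately word-split)
#
# Everything below runs as root and executes whatever ipfilter_program and
# ipfs_program name, so the rc.conf files and the rules files must be
# writable by root only.

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# The same guard is shared by stop, reload, resync and status.  It is a
# function rather than an inline "test -f A -o -f B" string so that the paths
# stay quoted: an empty or space-containing value no longer turns into a
# malformed test expression.
stop_precmd="ipfilter_rules_present"

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# Succeeds when at least one of the two configured rules files exists as a
# regular file.
ipfilter_rules_present()
{
	[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
}

# Pre-start check: make sure the kernel module is present and that there is
# at least one readable rules file.  Returns 1 (start is skipped) when no
# rules file is readable; aborts through err when the module cannot be loaded.
ipfilter_prestart()
{
	# load ipfilter kernel module if needed
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
		if kldload ipl; then
			info 'IP-filter module loaded.'
		else
			err 1 'IP-filter module failed to load.'
		fi
	fi

	# check for ipfilter rules
	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
	then
		warn 'IP-filter: NO IPF RULES'
		return 1
	fi
	return 0
}

# Enable the filter if it is not running, then flush and load the active
# IPv4 and IPv6 rule sets.
#
# NOTE(review): the active set is flushed (-Fa) before the rules file is
# loaded, so until the load completes - or for good, if the load fails - no
# rules are in force and packets get the kernel's default policy.  That
# policy is pass unless the kernel was built to block by default
# (presumably "options IPFILTER_DEFAULT_BLOCK"; confirm for the target
# kernel).  The exit status of the loads is not checked here.
ipfilter_start()
{
	echo "Enabling ipfilter."
	# Quoted so that a missing sysctl gives one failed comparison instead
	# of a malformed test expression.
	if [ "$(sysctl -n net.inet.ipf.fr_running)" -eq 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
}

# Save the state tables with ipfs -W and disable the filter, but only when
# the filter is currently running.  After this the host is unfiltered.
ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ "$(sysctl -n net.inet.ipf.fr_running)" -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

# Build the new rules in the inactive set (-I) and swap it in with -s, so
# the running rules are replaced in one step.
#
# The swap is skipped when a rules file fails to load: swapping anyway would
# activate an empty or partial rule set and drop the protection the running
# rules provide.  This relies on ipf exiting non-zero when it cannot load
# the file; where it exits 0 regardless, behaviour matches the unchecked
# version.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags} ||
		    err 1 'IP-filter: IPv4 rules failed to load; active rules left unchanged.'
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} ||
		    err 1 'IP-filter: IPv6 rules failed to load; active rules left unchanged.'
	fi
	${ipfilter_program:-/sbin/ipf} -s

}

# Ask ipf to resynchronise with the current interface list (-y).
ipfilter_resync()
{
	# Don't resync if ipfilter is not loaded
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
		return
	fi
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# Print what ipf -V reports.
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"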