ipfilter revision 128470
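#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 128470 2004-04-20 13:30:49Z darrenr $
#

# PROVIDE: ipfilter
# REQUIRE: root mountcritlocal
# BEFORE: netif
# KEYWORD: FreeBSD nojail

# rc.d script for IP Filter (ipf). It loads the kernel module when needed,
# loads the IPv4 and IPv6 rule files, and provides stop, reload, resync and
# status commands.
#
# The script is ordered BEFORE netif, so the rule load is attempted before
# the network interfaces are configured.
#
# Every ipfilter_* / ipfs_* variable comes from the rc configuration read by
# load_rc_config. The rule file paths and program overrides are used as
# given, so those files must only be writable by root.

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# Precondition shared by stop/reload/resync/status: at least one rule file
# exists. This is a function rather than a string with the paths expanded
# into it: the string form is re-parsed when the precmd runs, so an empty
# setting degenerates into `test -f -o -f` (no file is checked any more) and
# a path containing whitespace is split into several words.
ipfilter_rules_exist()
{
	[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
}

stop_precmd="ipfilter_rules_exist"

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# Return 0 when `kldstat -v` lists an "IP Filter" entry, 1 otherwise.
ipfilter_loaded()
{
	if kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
		return 0
	fi
	return 1
}

# Runs before ipfilter_start. Loads the ipl module if it is not present and
# refuses to start (returns 1) when neither rule file is readable.
ipfilter_prestart()
{
	# load ipfilter kernel module if needed
	if ! ipfilter_loaded; then
		if kldload ipl; then
			info 'IP-filter module loaded.'
		else
			err 1 'IP-filter module failed to load.'
		fi
	fi

	# check for ipfilter rules
	# NOTE(review): on this path the module may already be loaded with no
	# rules installed; what then passes depends on the kernel's default
	# policy (e.g. IPFILTER_DEFAULT_BLOCK) -- confirm for the target kernel.
	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
	then
		warn 'IP-filter: NO IPF RULES'
		return 1
	fi
	return 0
}

# Enable the filter if needed, then flush and load the active IPv4 and IPv6
# rule sets.
ipfilter_start()
{
	echo "Enabling ipfilter."
	# An empty sysctl result is treated as "not running" so that enabling
	# is still attempted; the unquoted form turned it into a test(1)
	# syntax error and skipped `ipf -E`.
	_ipf_running=$(sysctl -n net.inet.ipf.fr_running)
	if [ "${_ipf_running:-0}" -eq 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	# The active set is flushed (-Fa) before the file is loaded, so there is
	# a short window with no rules, and an unreadable file leaves that
	# address family's rule set empty. ipfilter_reload avoids this by
	# building the inactive set and swapping.
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		# ipfilter_flags is left unquoted on purpose: it may hold several
		# options that must be split into separate words.
		${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
}

# Save the state tables with ipfs -W and disable the filter, but only when
# the kernel reports it as running. After `ipf -D` traffic is not filtered.
ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	# An empty sysctl result (for example, module not loaded) is treated as
	# "not running" instead of producing a test(1) syntax error.
	_ipf_running=$(sysctl -n net.inet.ipf.fr_running)
	if [ "${_ipf_running:-0}" -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

# Rebuild the inactive rule sets (-I) from the rule files, then swap the
# active and inactive sets (-s) so the running rules are replaced in a
# single step. An unreadable rule file still results in an empty set for
# that address family being swapped in.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -s

}

# Run `ipf -y` to resynchronise the filter's interface list; does nothing
# when the module is not loaded.
ipfilter_resync()
{
	# Don't resync if ipfilter is not loaded
	if ! ipfilter_loaded; then
		 return
	fi
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# Print ipf version information (`ipf -V`).
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"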