ipfilter revision 147808
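#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 147808 2005-07-07 05:59:44Z jkim $
#

# PROVIDE: ipfilter
# REQUIRE: root mountcritlocal
# BEFORE: netif
# KEYWORD: nojail

# rc.d script for IP Filter: loads the kernel module if needed, loads the
# IPv4 and IPv6 rule files, and provides reload/resync/status commands.
# The rcorder directives above place it before netif.

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config $name

# stop, reload, resync and status all share one precondition: at least one
# of the configured rule files must exist.  It is a function rather than an
# inline "test -f $a -o -f $b" string because the unquoted form degenerates
# when a variable is empty ("test -f -o -f" is true), which makes the check
# pass with no rules file configured at all.
stop_precmd="ipfilter_rules_present"

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# Succeeds when the IPv4 or the IPv6 rules file exists as a regular file.
ipfilter_rules_present()
{
	[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
}

# Prints net.inet.ipf.fr_running, or 0 when the sysctl cannot be read (for
# example because the module is not loaded).  Callers compare the result
# numerically, so it must never be empty: an empty operand makes "[" fail
# with a syntax error instead of answering the question.
ipfilter_fr_running()
{
	_ipf_running=$(sysctl -n net.inet.ipf.fr_running 2>/dev/null)
	echo "${_ipf_running:-0}"
}

# Succeeds when kldstat lists a module whose name ends in "ipfilter".
ipfilter_loaded()
{
	kldstat -v | grep "ipfilter$" > /dev/null 2>&1
}

# start precondition: make sure the module is present and that there is at
# least one readable rules file.  Returns 1 (start is refused) when neither
# rules file is readable.
ipfilter_prestart()
{
	# load ipfilter kernel module if needed
	if ! ipfilter_loaded; then
		if kldload ipl; then
			info 'IP-filter module loaded.'
		else
			err 1 'IP-filter module failed to load.'
		fi
	fi

	# check for ipfilter rules
	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
	then
		warn 'IP-filter: NO IPF RULES'
		return 1
	fi
	return 0
}

# Enable the filter if it is not running, then flush and load the IPv4 and
# IPv6 rule sets.
#
# NOTE(review): the active list is flushed (-Fa) before the new file is
# parsed, so there is a window with no rules loaded, and the exit status of
# the load is not checked: a rules file that fails to load leaves the
# filter enabled with an empty list.  What an empty list permits depends on
# the kernel's default policy; confirm it is default-block on hosts where
# that matters.  ipfilter_reload below avoids the gap by loading into the
# inactive set and swapping.
ipfilter_start()
{
	echo "Enabling ipfilter."
	# An unreadable sysctl is reported as 0, so the filter is enabled
	# rather than the check being skipped.
	if [ "$(ipfilter_fr_running)" -le 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
}

# Save the state tables with ipfs and disable the filter, but only when the
# filter reports itself as running.
ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ "$(ipfilter_fr_running)" -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

# Load the rule files into the inactive set (-I) and then swap it with the
# active one (-s), so the running rules stay in force until the new set is
# complete.
#
# NOTE(review): the swap runs unconditionally; if a rules file fails to
# load, the partially filled inactive set still becomes active.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -s

}

# Run "ipf -y" to resynchronise the filter with the interface list.
ipfilter_resync()
{
	# Don't resync if ipfilter is not loaded
	if ! ipfilter_loaded; then
		return 0
	fi
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# Print what "ipf -V" reports.
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"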