etc/rc.d/ipfilter

2061Sjkh#!/bin/sh
33611Sjb#
2061Sjkh# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
33611Sjb# $FreeBSD: head/etc/rc.d/ipfilter 164175 2006-11-11 10:48:34Z ceri $
32427Sjb#
32427Sjb
33611Sjb# PROVIDE: ipfilter
33611Sjb# REQUIRE: root mountcritlocal
32427Sjb# BEFORE:  netif
32427Sjb# KEYWORD: nojail
2061Sjkh
15603Smarkm. /etc/rc.subr
30169Sjkh
20710Sasaminame="ipfilter"
20710Sasamircvar=`set_rcvar`
3197Scsgrload_rc_config $name
2061Sjkhstop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
12483Speter
33133Sadamstart_precmd="ipfilter_prestart"
2160Scsgrstart_cmd="ipfilter_start"
2834Swollmanstop_cmd="ipfilter_stop"
2061Sjkhreload_precmd="$stop_precmd"
2061Sjkhreload_cmd="ipfilter_reload"
2160Scsgrresync_precmd="$stop_precmd"
17308Speterresync_cmd="ipfilter_resync"
19320Sadamstatus_precmd="$stop_precmd"
27788Sasamistatus_cmd="ipfilter_status"
30169Sjkhextra_commands="reload resync status"
25980Sasami
1594Srgrimesipfilter_loaded()
17308Speter{
17308Speter	if ! kldstat -v | grep "ipfilter$" > /dev/null 2>&1; then
27910Sasami		return 1
27910Sasami	else
27910Sasami		return 0
17308Speter	fi
17308Speter}
17308Speter
19175Sbdeipfilter_prestart()
19175Sbde{
19175Sbde	# load ipfilter kernel module if needed
19175Sbde	if ! ipfilter_loaded; then
17308Speter		if kldload ipl; then
27910Sasami			info 'IP-filter module loaded.'
25647Sbde		else
27910Sasami			err 1 'IP-filter module failed to load.'
17308Speter		fi
2061Sjkh	fi
2061Sjkh
1594Srgrimes	# check for ipfilter rules
30169Sjkh	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
30169Sjkh	then
30169Sjkh		warn 'IP-filter: NO IPF RULES'
30169Sjkh		return 1
30169Sjkh	fi
30169Sjkh	return 0
30169Sjkh}
30169Sjkh
7407Srgrimesipfilter_start()
7108Sphk{
7108Sphk	echo "Enabling ipfilter."
7108Sphk	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
7407Srgrimes		${ipfilter_program:-/sbin/ipf} -E
7407Srgrimes	fi
7407Srgrimes	${ipfilter_program:-/sbin/ipf} -Fa
7108Sphk	if [ -r "${ipfilter_rules}" ]; then
2061Sjkh		${ipfilter_program:-/sbin/ipf} \
2061Sjkh		    -f "${ipfilter_rules}" ${ipfilter_flags}
2061Sjkh	fi
17308Speter	${ipfilter_program:-/sbin/ipf} -6 -Fa
2061Sjkh	if [ -r "${ipv6_ipfilter_rules}" ]; then
2061Sjkh		${ipfilter_program:-/sbin/ipf} -6 \
2061Sjkh		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
2061Sjkh	fi
2061Sjkh}
30169Sjkh
30169Sjkhipfilter_stop()
2626Scsgr{
2061Sjkh	# XXX - The ipf -D command is not effective for 'lkm's
2061Sjkh	if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
2061Sjkh		echo "Saving firewall state tables"
2061Sjkh		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
2061Sjkh		echo "Disabling ipfilter."
2061Sjkh		${ipfilter_program:-/sbin/ipf} -D
19320Sadam	fi
2061Sjkh}
2061Sjkh
2061Sjkhipfilter_reload()
2061Sjkh{
2061Sjkh	echo "Reloading ipfilter rules."
2061Sjkh
2061Sjkh	${ipfilter_program:-/sbin/ipf} -I -Fa
2061Sjkh	if [ -r "${ipfilter_rules}" ]; then
2061Sjkh		${ipfilter_program:-/sbin/ipf} -I \
2061Sjkh		    -f "${ipfilter_rules}" ${ipfilter_flags}
2061Sjkh		if [ $? -ne 0 ]; then
2834Swollman			err 1 'Load of rules into alternate set failed; aborting reload'
2834Swollman		fi
2834Swollman	fi
2834Swollman	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
2834Swollman	if [ -r "${ipv6_ipfilter_rules}" ]; then
2834Swollman		${ipfilter_program:-/sbin/ipf} -I -6 \
1594Srgrimes		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
4486Sphk		if [ $? -ne 0 ]; then
4486Sphk			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
4486Sphk		fi
4486Sphk	fi
4486Sphk	${ipfilter_program:-/sbin/ipf} -s
2061Sjkh
2061Sjkh}
25979Sjkh
25979Sjkhipfilter_resync()
25979Sjkh{
25979Sjkh	# Don't resync if ipfilter is not loaded
2061Sjkh	if ! ipfilter_loaded; then
25979Sjkh		 return
2061Sjkh	fi
2061Sjkh	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
17308Speter}
2061Sjkh
2061Sjkhipfilter_status()
2061Sjkh{
2061Sjkh	${ipfilter_program:-/sbin/ipf} -V
2061Sjkh}
12483Speter
12483Speterrun_rc_command "$1"
12483Speter