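#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD: head/etc/rc.d/ipfilter 98184 2002-06-13 22:14:37Z gordon $
#
# rc.d script for the IP Filter (ipf) packet filter, shared between
# FreeBSD and NetBSD.  The OS is selected at run time from the output of
# ${CMD_OSTYPE} (provided by rc.subr); the FreeBSD side is driven by the
# rc.conf variables ipfilter_rules, ipfilter_flags, ipfilter_program,
# ipfs_program and ipfs_flags, the NetBSD side by the fixed files
# /etc/ipf.conf and /etc/ipf6.conf.
#

# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal tty
# KEYWORD: FreeBSD NetBSD

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# stop_precmd doubles as the guard for reload/resync/status below: none
# of them make sense without a ruleset on disk.  The rules path is quoted
# inside the string because rc.subr eval()s it later.
case $(${CMD_OSTYPE}) in
FreeBSD)
	stop_precmd="test -f \"${ipfilter_rules}\""
	;;
NetBSD)
	stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
	;;
esac

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# Succeeds when the ipfilter code is present in the kernel (FreeBSD).
# The script treats the presence of the net.inet.ipf.fr_pass sysctl as
# the "loaded" indicator, both before loading the module and before a
# resync; keep the two callers in agreement by going through this helper.
ipfilter_loaded()
{
	sysctl net.inet.ipf.fr_pass > /dev/null 2>&1
}

# start_precmd: make sure the filter code and a ruleset are available.
# Returns 0 to let "start" proceed, 1 to abort it.  On NetBSD a missing
# ruleset during a direct multiuser boot also aborts the whole boot.
ipfilter_prestart()
{
	case $(${CMD_OSTYPE}) in
	FreeBSD)
		# load ipfilter kernel module if needed
		if ! ipfilter_loaded; then
			if kldload ipl ; then
				echo 'IP-filter module loaded.'
			else
				warn 'IP-filter module failed to load.'
				return 1
			fi
		fi

		# check for ipfilter rules
		if [ ! -r "${ipfilter_rules}" ]; then
			warn 'IP-filter: NO IPF RULES'
			return 1
		fi
		;;
	NetBSD)
		if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
			warn "/etc/ipf*.conf not readable; ipfilter start aborted."
			#
			# If booting directly to multiuser, send SIGTERM to
			# the parent (/etc/rc) to abort the boot
			#
			# $$ (not $PPID) is used because a subshell inherits
			# $$ from the shell that sourced this script, so it
			# names /etc/rc itself -- presumably how run_rc_script
			# invokes us; verify against rc.subr before changing.
			#
			if [ "$autoboot" = yes ]; then
				echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
				kill -TERM $$
				exit 1
			fi
			return 1
		fi
		;;
	esac
	return 0
}

# start_cmd: flush any existing rules (-Fa) and load the ruleset.
# ${ipfilter_flags} is intentionally unquoted so that several flags in
# one rc.conf string are split into separate arguments.
ipfilter_start()
{
	echo "Enabling ipfilter."
	case $(${CMD_OSTYPE}) in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -Fa -f \
		    "${ipfilter_rules}" ${ipfilter_flags}
		;;
	NetBSD)
		/sbin/ipf -E -Fa
		if [ -f /etc/ipf.conf ]; then
			/sbin/ipf -f /etc/ipf.conf
		fi
		if [ -f /etc/ipf6.conf ]; then
			/sbin/ipf -6 -f /etc/ipf6.conf
		fi
		;;
	esac
}

# stop_cmd: on FreeBSD save the state tables first (ipfs -W) so they can
# be restored later, then disable the filter.
ipfilter_stop()
{
	case $(${CMD_OSTYPE}) in
	FreeBSD)
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		;;
	NetBSD)
		;;
	esac
	# XXX - The following command is not effective for 'lkm's
	echo "Disabling ipfilter."
	/sbin/ipf -D
}

# reload_cmd: load the ruleset into the inactive set (-I).  On NetBSD the
# active/inactive sets are swapped (-s) only after every file loaded
# cleanly; err() exits the script, so a bad file leaves the running
# ruleset untouched.  On FreeBSD no swap is performed here.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	case $(${CMD_OSTYPE}) in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -I -Fa -f \
		    "${ipfilter_rules}" ${ipfilter_flags}
		;;
	NetBSD)
		/sbin/ipf -I -Fa
		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
			err 1 "reload of ipf.conf failed; not swapping to" \
			    " new ruleset."
		fi
		if [ -f /etc/ipf6.conf ] && \
		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
			err 1 "reload of ipf6.conf failed; not swapping to" \
			    " new ruleset."
		fi
		/sbin/ipf -s
		;;
	esac

}

# resync_cmd: ask ipf to re-read the interface list (-y).
# The previous check was written as "[ sysctl ... ] && return", which
# runs test(1) on the literal words instead of running sysctl; it always
# failed, so the resync ran even when the module was not loaded.
ipfilter_resync()
{
	case $(${CMD_OSTYPE}) in
	FreeBSD)
		# Don't resync if ipfilter is not loaded
		if ! ipfilter_loaded; then
			return 0
		fi
		;;
	esac
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# status_cmd: print ipf version and running state (-V).
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"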