second part of the patches to complete ipf changes to rc

PR: multiple Submitted by: Arjan de Vet <devet@devet.org>
svn path=/head/; revision=86856
2001-11-24 15:36:30 +00:00 · 2001-11-24 15:36:30 +00:00 · 2129325c09 · 2020-12-20 02:59:44 +00:00
commit 2129325c09
parent 2c9fb90995
3 changed files with 104 additions and 121 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -61,25 +61,21 @@ natd_enable="NO"                # Enable natd (if firewall_enable == YES).
 natd_interface="fxp0"           # Public interface or IPaddress to use.
 natd_flags=""                   # Additional flags for natd.
 ipfilter_enable="NO"		# Set to YES to enable ipfilter functionality
-ipfilter_program="/sbin/ipf -Fa -f"
-				# program and how to specify the rules file,
-				# see /etc/rc.network (pass1) for details
+ipfilter_program="/sbin/ipf"	# where the ipfilter program lives
 ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
 				# /usr/src/contrib/ipfilter/rules for examples
-ipfilter_flags="-E"		# should be *empty* when ipf is _not_ a module
-				# (i.e. compiled into the kernel) to
-				# avoid a warning about "already initialized"
-ipnat_enable="NO"		# Set to YES for ipnat; needs ipfilter, too!
-ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipfilter_flags=""		# additional flags for ipfilter
+ipnat_enable="NO"		# Set to YES to enable ipnat functionality
+ipnat_program="/sbin/ipnat"	# where the ipnat program lives
 ipnat_rules="/etc/ipnat.rules"	# rules definition file for ipnat
 ipnat_flags=""			# additional flags for ipnat
-ipfs_enable="NO"		# Set to YES to enable saving and restoring 
-				# of state tables at shutdown and boot
-ipfs_flags=""			# additional flags for ipfs
-ipfs_program="/sbin/ipfs"	# where the ipfs program lives
-ipmon_enable="NO"		# Set to YES for ipmon; needs ipfilter, too!
+ipmon_enable="NO"		# Set to YES for ipmon; needs ipfilter or ipnat
 ipmon_program="/sbin/ipmon"	# where the ipfilter monitor program lives
 ipmon_flags="-Ds"		# typically "-Ds" or "-D /var/log/ipflog"
+ipfs_enable="NO"		# Set to YES to enable saving and restoring 
+				# of state tables at shutdown and boot
+ipfs_program="/sbin/ipfs"	# where the ipfs program lives
+ipfs_flags=""			# additional flags for ipfs
 tcp_extensions="YES"		# Set to NO to turn off RFC1323 extensions.
 log_in_vain="NO"		# YES to log connects to ports w/o listeners.
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
--- a/etc/rc.shutdown
+++ b/etc/rc.shutdown
@ -124,18 +124,18 @@ case ${local_startup} in
 	;;
 esac

-# Save IP Filter state tables
+# Insert other shutdown procedures here

+# Saving firewall state tables should be done last
+echo -n 'Saving firewall state tables:'
+
+# Save IP-filter state tables
 case ${ipfs_enable} in
 [Yy][Ee][Ss])
-	echo -n 'Saving IP Filter state tables:'
-	eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags}
+	echo -n ' ipfs'
+	${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
 	;;
 esac

-echo .
-
-# Insert other shutdown procedures here
-
 echo '.'
 exit 0
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -278,7 +278,7 @@ or
 flag is automatically added with the above
 .Va natd_interface
 as an argument.
-.\" ----- ipfilter_enable seting --------------------------------
+.\" ----- ipfilter_enable setting --------------------------------
 .It Va ipfilter_enable
 .Pq Vt bool
 Set to
@ -289,62 +289,37 @@ Setting this to
 enables
 .Xr ipf 8
 packet filtering.
-Strictly speaking almost any filter could be established
-"abusing" this setting and the fact that
-.Va ipfilter_program ,
-.Va ipfilter_rules
-and
-.Va ipfilter_flags
-are concatenated to form a command,
-as long as the file specified in
-.Va ipfilter_rules
-is readable.
-When
-.Va ipfilter_enable
-and
-.Va ipnat_enable
-are set to
-.Dq YES
-and the file specified in
-.Va ipnat_rules
-is readable,
-.Va ipnat_program ,
-.Va ipnat_rules
-and
-.Va ipnat_flags
-make up a command line to start a network address translation program.
-When
-.Va ipfilter_enable
-and
-.Va ipmon_enable
-are set to
-.Dq YES ,
-.Va ipmon_program
-and
-.Va ipmon_flags
-form another command line for monitoring the above actions.
-See
-.Pa /etc/rc.network
-for details.
 .Pp
 Typical usage will require putting
 .Bd -literal
 ipfilter_enable="YES"
-ipfilter_flags=""
 ipnat_enable="YES"
 ipmon_enable="YES"
+ipfs_enable="YES"
 .Ed
 .Pp
 into
-.Pa /etc/rc.conf
-and editing
+.Pa /etc/rc.conf .
+Then you should edit
 .Pa /etc/ipf.rules
 and
 .Pa /etc/ipnat.rules
 appropriately.
-Turning off
-.Va firewall_enable
-when using ipf is recommended.
+.Pp
+Note that
+.Va ipfilter_enable
+and 
+.Va ipnat_enable
+can be enabled independently.
+.Va ipmon_enable
+and
+.Va ipfs_enable
+both require at least one of
+.Va ipfilter_enable
+and
+.Va ipnat_enable
+to be enabled.
+.Pp
 Having
 .Bd -literal
 options  IPFILTER
@ -356,15 +331,10 @@ in the kernel configuration file is a good idea, too.
 .\" ----- ipfilter_program setting ------------------------------
 .It Va ipfilter_program
 .Pq Vt str
-Set to
-.Dq /sbin/ipf -Fa -f
-by default.
-This variable contains a command line
-up to (but not including) the filter rule definition
-(expected to live in a separate file).
-See
-.Va ipfilter_enable
-for a detailed discussion.
+Path to
+.Xr ipf 8
+(default
+.Pa /sbin/ipf ) .
 .\" ----- ipfilter_rules setting --------------------------------
 .It Va ipfilter_rules
 .Pq Vt str
@ -372,25 +342,16 @@ Set to
 .Dq /etc/ipf.rules
 by default.
 This variable contains the name of the filter rule definition file.
-The file is expected to be readable for the filter command to execute.
-See
-.Va ipfilter_enable
-for a detailed discussion.
+The file is expected to be readable for the
+.Xr ipf 8
+command to execute.
 .\" ----- ipfilter_flags setting --------------------------------
 .It Va ipfilter_flags
 .Pq Vt str
-Set to
-.Dq -E
-by default.
-This variable contains flags appended to the filter command
-after the rule definition filename.
-The default setting will initialize an on demand loaded ipf module.
-When compiling ipfilter directly into the kernel (as is recommended)
-the variable should be empty to not initialize
-the code more than once.
-See
-.Va ipfilter_enable
-for a detailed discussion.
+Empty by default.
+This variable contains flags passed to the
+.Xr ipf 8
+program.
 .\" ----- ipnat_enable setting ----------------------------------
 .It Va ipnat_enable
 .Pq Vt bool
@ -402,24 +363,16 @@ Set it to
 to enable
 .Xr ipnat 1
 network address translation.
-Setting this variable needs setting
-.Va ipfilter_enable ,
-too.
 See
 .Va ipfilter_enable
 for a detailed discussion.
 .\" ----- ipnat_program setting ---------------------------------
 .It Va ipnat_program
 .Pq Vt str
-Set to
-.Dq /sbin/ipnat -CF -f
-by default.
-This variable contains a command line
-up to (but not including) the translation rule definition
-(expected to live in a separate file).
-See
-.Va ipfilter_enable
-for a detailed discussion.
+Path to
+.Xr ipnat 1
+(default
+.Pa /sbin/ipnat ) .
 .\" ----- ipnat_rules setting -----------------------------------
 .It Va ipnat_rules
 .Pq Vt str
@ -428,20 +381,16 @@ Set to
 by default.
 This variable contains the name of the file
 holding the network address translation definition.
-This file is expected to be readable for the NAT command to execute.
-See
-.Va ipfilter_enable
-for a detailed discussion.
+This file is expected to be readable for the
+.Xr ipnat 1
+command to execute.
 .\" ----- ipnat_flags setting -----------------------------------
 .It Va ipnat_flags
 .Pq Vt str
 Empty by default.
-This variable contains additional flags
-appended to the ipnat command line
-after the rule definition filename.
-See
-.Va ipfilter_enable
-for a detailed discussion.
+This variable contains flags passed to the
+.Xr ipnat 1
+program.
 .\" ----- ipmon_enable setting ----------------------------------
 .It Va ipmon_enable
 .Pq Vt bool
@ -458,7 +407,9 @@ and
 .Xr ipnat 1
 events).
 Setting this variable needs setting
-.Va ipfilter_enable ,
+.Va ipfilter_enable
+or
+.Va ipnat_enable
 too.
 See
 .Va ipfilter_enable
@ -466,15 +417,10 @@ for a detailed discussion.
 .\" ----- ipmon_program setting ---------------------------------
 .It Va ipmon_program
 .Pq Vt str
-Set to
-.Dq /sbin/ipmon
-by default.
-This variable contains the
+Path to
 .Xr ipmon 8
-executable filename.
-See
-.Va ipfilter_enable
-for a detailed discussion.
+(default
+.Pa /sbin/ipmon ) .
 .\" ----- ipmon_flags setting -----------------------------------
 .It Va ipmon_flags
 .Pq Vt str
@ -496,10 +442,51 @@ in such case like this:
 .Bd -literal
 /var/log/ipflog  640  10  100  *  Z  /var/run/ipmon.pid
 .Ed
-.Pp
+.\" ----- ipfs_enable setting -----------------------------------
+.It Va ipfs_enable
+.Pq Vt bool
+Set to
+.Dq NO
+by default.
+Set it to
+.Dq YES
+to enable
+.Xr ipfs 8
+saving the filter and NAT state tables during shutdown
+and reloading them during startup again.
+Setting this variable needs setting
+.Va ipfilter_enable
+or
+.Va ipnat_enable
+to
+.Dq YES
+too.
 See
 .Va ipfilter_enable
 for a detailed discussion.
+Note that if you are running with
+.Va kern_securelevel
+set to
+.Dq 3 ,
+then you cannot use
+.Va ipfs_enable
+because the raised securelevel will prevent
+.Xr ipfs 8
+from saving the state tables at shutdown time.
+.\" ----- ipfs_program setting ----------------------------------
+.It Va ipfs_program
+.Pq Vt str
+Path to
+.Xr ipfs 8
+(default
+.Pa /sbin/ipfs ) .
+.\" ----- ipfs_flags setting ------------------------------------
+.It Va ipfs_flags
+.Pq Vt str
+Empty by default.
+This variable contains flags passed to the
+.Xr ipfs 8
+program.
 .\" ----- end of added ipf hook ---------------------------------
 .It Va tcp_extensions
 .Pq Vt bool