- Add 'check' command for checking rules syntax.

- Before flushing rules in 'reload' command, check first if rules are correct. - Do not duplicate checking if $pf_rules file exists.
svn path=/head/; revision=136942
2004-10-25 08:12:28 +00:00 · 2004-10-25 08:12:28 +00:00 · 4fda9f547d · 2020-12-20 02:59:44 +00:00
commit 4fda9f547d
parent ee1d0eb330
1 changed files with 14 additions and 11 deletions
--- a/etc/rc.d/pf
+++ b/etc/rc.d/pf
@ -17,13 +17,15 @@ stop_precmd="test -f ${pf_rules}"
 start_precmd="pf_prestart"
 start_cmd="pf_start"
 stop_cmd="pf_stop"
+check_precmd="$stop_precmd"
+check_cmd="pf_check"
 reload_precmd="$stop_precmd"
 reload_cmd="pf_reload"
 resync_precmd="$stop_precmd"
 resync_cmd="pf_resync"
 status_precmd="$stop_precmd"
 status_cmd="pf_status"
-extra_commands="reload resync status"
+extra_commands="check reload resync status"

 pf_prestart()
 {
@ -37,8 +39,7 @@ pf_prestart()
 	fi

 	# check for pf rules
-	if [ ! -r "${pf_rules}" ]
-	then
+	if [ ! -r "${pf_rules}" ]; then
 		warn 'pf: NO PF RULESET FOUND'
 		return 1
 	fi
@ -48,10 +49,7 @@ pf_start()
 {
 	echo "Enabling pf."
 	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
-	if [ -r "${pf_rules}" ]; then
-		${pf_program:-/sbin/pfctl} \
-		    -f "${pf_rules}" ${pf_flags}
-	fi
+	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
 	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
 		${pf_program:-/sbin/pfctl} -e
 	fi
@ -65,15 +63,20 @@ pf_stop()
 	fi
 }

+pf_check()
+{
+	echo "Checking pf rules."
+
+	${pf_program:-/sbin/pfctl} -n -f "${pf_rules}"
+}
+
 pf_reload()
 {
 	echo "Reloading pf rules."

+	${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
 	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
-	if [ -r "${pf_rules}" ]; then
-		${pf_program:-/sbin/pfctl} \
-		    -f "${pf_rules}" ${pf_flags}
-	fi
+	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
 }

 pf_resync()