Add rc.d script to start pflogd and add rcvars etc. Also document vars in

rc.conf(5) and put a sample entry to newsyslog.conf Reviewed by: -current Approved by: bms(mentor)
svn path=/head/; revision=127759
2004-04-02 19:25:27 +00:00 · 2004-04-02 19:25:27 +00:00 · 6cd9ebedd7 · 2020-12-20 02:59:44 +00:00
commit 6cd9ebedd7
parent 87b320bb72
6 changed files with 132 additions and 2 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -107,6 +107,10 @@ pf_enable="NO"			# Set to YES to enable packet filter (pf)
 pf_rules="/etc/pf.conf"		# rules definition file for pf
 pf_program="/sbin/pfctl"	# where the pfctl program lives
 pf_flags=""			# additional flags for pfctl
+pflog_enable="NO"		# Set to YES to enable packet filter logging
+pflog_logfile="/var/log/pflog"	# where pflogd shoule store the logfile
+pflog_program="/sbin/pflogd"	# where the pflogd program lives
+pflog_flags=""			# additional flags for pflogd
 tcp_extensions="YES"		# Set to NO to turn off RFC1323 extensions.
 log_in_vain="0"			# >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
--- a/etc/newsyslog.conf
+++ b/etc/newsyslog.conf
@ -36,3 +36,5 @@
 /var/log/weekly.log			640  5	   1	$W6D0 JN
 /var/log/wtmp				644  3	   *	@01T05 B
 /var/log/xferlog			600  7	   100	*     J
+# pflogd sample entry
+#/var/log/pflog				600  3	   100	*     JB    /var/run/pflogd.pid
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@ -25,7 +25,7 @@ FILES=	DAEMON LOGIN NETWORKING SERVERS \
 	network_ipv6 nfsclient nfsd \
 	nfslocking nfsserver nisdomain ntpd ntpdate \
 	othermta \
-	pccard pcvt pf power_profile ppp-user pppoed pwcheck \
+	pccard pcvt pf pflog power_profile ppp-user pppoed pwcheck \
 	quota \
 	random rarpd rcconf.sh resolv root \
 	route6d routed routing rpcbind rtadvd rwho \
--- a/etc/rc.d/pf
+++ b/etc/rc.d/pf
@ -4,7 +4,7 @@
 #

 # PROVIDE: pf
-# REQUIRE: root beforenetlkm mountcritlocal netif
+# REQUIRE: root beforenetlkm mountcritlocal netif pflog
 # BEFORE:  DAEMON LOGIN
 # KEYWORD: FreeBSD nojail

--- a/etc/rc.d/pflog
+++ b/etc/rc.d/pflog
@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pflog
+# REQUIRE: root beforenetlkm mountcritlocal netif
+# BEFORE:  DAEMON LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="pflog"
+rcvar=`set_rcvar`
+load_rc_config $name
+stop_precmd="test -x ${pflog_program}"
+start_precmd="pflog_prestart"
+start_cmd="pflog_start"
+stop_cmd="pflog_stop"
+resync_precmd="$stop_precmd"
+resync_cmd="pflog_resync"
+status_precmd="$stop_precmd"
+status_cmd="pflog_status"
+extra_commands="resync status"
+
+pflog_prestart()
+{
+	# load pflog kernel module if needed
+	if ! kldstat -v | grep -q pflog\$; then
+		if kldload pflog; then
+			info 'pflog module loaded.'
+		else
+			err 1 'pflog module failed to load.'
+		fi
+	fi
+
+	# set pflog0 interface to up state
+	if ! ifconfig pflog0 up; then
+		warn 'pflog: COULD NOT SET UP pflog0'
+	fi
+
+	# check for pf rules
+	if [ ! -x "${pflog_program:-/sbin/pflogd}" ]
+	then
+		warn 'pflog: NO PFLOGD BINARY FOUND'
+		return 1
+	fi
+}
+
+pflog_start()
+{
+	echo -n "Enabling pflogd"
+	if ! ${pflog_program:-/sbin/pflogd} ${pflog_flags} \
+	    -f ${pflog_logfile:-/var/log/pflog}; then
+		echo " failed!"
+	else
+		echo "."
+	fi
+}
+
+pflog_stop()
+{
+	if [ -r /var/run/pflogd.pid ]; then
+		echo "Stopping pflogd."
+		kill `cat /var/run/pflogd.pid`
+	fi
+}
+
+pflog_resync()
+{
+	if [ -r /var/run/pflogd.pid ]; then
+		kill -SIGHUP `cat /var/run/pflogd.pid`
+	fi
+}
+
+pflog_status()
+{
+	if [ -r /var/run/pflogd.pid ]; then
+		ps -p `cat /var/run/pflogd.pid` | tail -n 1
+	else
+		echo 'pflogd not running.'
+	fi
+}
+
+run_rc_command "$1"
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -718,6 +718,44 @@ is set to
 these flags are passed to the
 .Xr pfctl 8
 program when loading the ruleset.
+.It Va pflog_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables
+.Xr pflogd 8
+which logs packtes from the
+.Xr pf 4
+packet filter.
+.It Va pflog_logfile
+.Pq Vt str
+If
+.Va pflog_enable
+is set to
+.Dq Li YES
+this controls where
+.Xr pflogd 8
+stores the logfile.
+(default
+.Pa /var/log/pflog ) .
+Check
+.Pa /etc/newsyslog.conf
+to enable logfile rotation for this.
+.It Va pflog_program
+.Pq Vt str
+Path to
+.Xr pflogd 8
+(default
+.Pa /sbin/pflogd ) .
+.It Va pflog_flags
+.Pq Vt str
+Empty by default.
+This variable contains additional flags passed to the
+.Xr pflogd 8
+program.
 .It Va tcp_extensions
 .Pq Vt bool
 Set to
@ -2910,6 +2948,7 @@ sessions.
 .Xr udp 4 ,
 .Xr exports 5 ,
 .Xr motd 5 ,
+.Xr newsyslog.conf 5 ,
 .Xr accton 8 ,
 .Xr amd 8 ,
 .Xr apm 8 ,