Commit Graph

29 Commits

Author SHA1 Message Date
Jamie Gritton
761d2bb5b9 Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
apply to most jails but do apply to vnet jails.  This includes adding
a new sysctl "security.jail.vnet" to identify vnet jails.

PR:		conf/149050
Submitted by:	mdodd
MFC after:	3 days
2013-05-19 04:10:34 +00:00
Hiroki Sato
859aa11dce Load ipdivert.ko when natd_enable=YES.
PR:	conf/167566
2012-10-29 06:31:51 +00:00
Hiroki Sato
8efbd296e0 Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on:	freebsd-ipfw@
2012-07-09 07:16:19 +00:00
Ed Maste
86fdaae573 Replace ${SYSCTL_W} with ${SYSCTL} in rc.d scripts, as they are identical.
This is a further clean up after r202988.

SYSCTL_W is still initialized in rc.subr as some ports may still use it.
2011-03-30 01:19:00 +00:00
Doug Barton
2557f5bf0a Remove trailing white space. No functional changes. 2010-05-14 04:53:57 +00:00
Maksim Yevmenkin
fafa9c3c9a Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by:	Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by:	rhodes, rc@
MFC after:	1 week
2010-02-08 18:51:24 +00:00
Hajimu UMEMOTO
2bba0e1a00 Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by:	dougb, jhb
MFC after:	1 month
2009-12-02 15:05:26 +00:00
Doug Barton
5ca51aad69 Reverse the effect of r193198 for pf and ipfw which will once again
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.

IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.

This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.
2009-06-26 01:04:50 +00:00
Doug Barton
a3f6188b53 Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.
2009-06-01 05:35:03 +00:00
Maksim Yevmenkin
f631c013c2 - Add ipfw_nat to the list of required modules if "firewall_nat_enable"
is set and "natd_enable" is NOT set;

- Accept and pass firewall type to the external firewall script.

Submitted by:		Yuri Kurenkov < y -dot- kurenkov -at- init -dot- ru >
MFC after:		3 days
No response from:	freebsd-rc
2009-03-30 21:31:52 +00:00
Doug Barton
2b9851690c As previously discussed, add the svn:executable property to all scripts 2008-07-16 19:22:48 +00:00
Mike Makonnen
7a711eb359 No need to display the result of enabling the ipfw sysctl if it's
successfull. Issue a warning if it fails, however.
2008-07-05 15:27:39 +00:00
Mike Makonnen
82e9dc59ce Add a dummynet_enable knob to go with firewall_enable. If this knob
is enabled dummynet(4) is added to the list of required modules.

Discussed on:	#freebsd-bugbusters (rwatson, trhodes)
PR:		conf/79196
MFC after:	1 week
2008-01-27 15:15:12 +00:00
Mike Makonnen
ae4d6ea88f Generally, anything that runs rc.d scripts internally should
start using the quiet prefix (i.e. quietstart, quietstop, etc...).
2008-01-26 14:02:19 +00:00
Mike Makonnen
1b0a8a3e52 Instead of directly sourcing the firewall script, run it in a separate shell.
If the firewall script is sourced directly from the script, then any
exit statements in it will also terminate the rc.d script prematurely.

PR: conf/78762
MFC-After: 2 weeks
2007-04-02 15:38:53 +00:00
Yaroslav Tykhiy
0c30639059 Use $required_modules wherever suitable. Use load_kld() in special
cases.  So we get rid of quite a few lines of duplicated code.
2006-12-31 10:37:18 +00:00
Yaroslav Tykhiy
e8a49a350c De-uglify messages from the ipfw script. 2006-07-25 17:28:18 +00:00
Wojciech A. Koszek
46e6cc852b Use 'ipfw list' instead of 'ipfw l', since it's deprecated (and warning is
printed on system startup).

Approved by:	cognet (mentor)
MFC after:	3 days
2006-02-26 16:45:29 +00:00
Yaroslav Tykhiy
23b50ea745 Transforming "ppp-user" into just "ppp", step 1:
The rcorder(8) condition PROVIDE'd by the script
and REQUIRE'd by the others becomes "ppp".

The ultimate goal of the transformation is to reduce
confusion resulting from the fact that $name has been
"ppp" already.

Discussed with: pjd, -rc
2005-10-28 16:07:52 +00:00
Ruslan Ermilov
3e1631ce0a Start natd(8) before loading firewall rules, to give the
ipdivert.ko module a chance to load.
2005-03-16 08:47:48 +00:00
Mike Makonnen
337338ee00 Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
2004-10-07 13:55:26 +00:00
Poul-Henning Kamp
d8337944e0 Protect som cross-script invocations by checks to see that the target
script exists.  This allows pruning of rc.d scripts without getting
too many ugly boottime error message
2004-04-28 13:20:15 +00:00
Max Khon
a3e34d6908 Add separate script for natd. This fixes race condition with "ipfw restart"
(when new natd is started before old natd died) and allows to manage natd
without touching ipfw.

natd should probably be killed with SIGKILL when stopping natd.
2004-04-05 16:29:45 +00:00
Pawel Jakub Dawidek
bd57d5b0f5 Mark scripts as not usable inside a jail by adding keyword 'nojail'.
Some suggestions from:	rwatson, Ruben de Groot <mail25@bzerk.org>
2004-03-08 12:25:05 +00:00
Martin Blapp
60613d0ae7 Add -dynamic to natd if dhcp is used for the natd interface.
Kill natd in stop().

Reviewed by:	mtm
2003-07-27 20:34:30 +00:00
Mike Makonnen
1d89dde13e Make the 'restart' command work. Otherwise, it would successfully
stop ipfw, but not enable it again.

Aesthetic changes
	o Use positve logic (instead of negative)
	o create a 'stop' function, rather than putting the
	  commands in the stop_cmd variable.

Submitted by:	des
Approved by:	markm (mentor) (implicit)
2003-03-30 15:52:18 +00:00
Mike Makonnen
dbc8124671 Finish merging in rev. 1.124 of rc.network, so that natd can be used
withough the $natd_interface having to be explicitly specified on the
command line.

Approved by: markm (mentor)
Submitted by: Aaron D. Gifford <agifford@infowest.com>
PR: conf/47024

MFC: upon re approval
2003-01-14 15:43:02 +00:00
Jens Schweikhardt
143085107b Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by:	silence from gordon
2002-10-12 10:31:31 +00:00
Gordon Tetlow
27bc1b287e Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by:	Mike Makonnen <makonnen@pacbell.net>
Reviewed by:	silence on -current and -hackers
Prodded by:	rwatson
2002-06-13 22:14:37 +00:00