b5f6d74386
for kldstat to ever print "IP Filter" (the module is called "ipfilter" and modules don't have anything like a description), so this function would always return false. That would cause prestart to attempt to load the module even if it's already loaded, which would fail and prevent the rules from being loaded. Approved by: re (dwhite)
121 lines
2.5 KiB
Bash
Executable File
121 lines
2.5 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
|
|
# $FreeBSD$
|
|
#
|
|
|
|
# PROVIDE: ipfilter
|
|
# REQUIRE: root mountcritlocal
|
|
# BEFORE: netif
|
|
# KEYWORD: nojail
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="ipfilter"
|
|
rcvar=`set_rcvar`
|
|
load_rc_config $name
|
|
stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
|
|
|
|
start_precmd="ipfilter_prestart"
|
|
start_cmd="ipfilter_start"
|
|
stop_cmd="ipfilter_stop"
|
|
reload_precmd="$stop_precmd"
|
|
reload_cmd="ipfilter_reload"
|
|
resync_precmd="$stop_precmd"
|
|
resync_cmd="ipfilter_resync"
|
|
status_precmd="$stop_precmd"
|
|
status_cmd="ipfilter_status"
|
|
extra_commands="reload resync status"
|
|
|
|
ipfilter_loaded()
|
|
{
|
|
if ! kldstat -v | grep "ipfilter$" > /dev/null 2>&1; then
|
|
return 1
|
|
else
|
|
return 0
|
|
fi
|
|
}
|
|
|
|
ipfilter_prestart()
|
|
{
|
|
# load ipfilter kernel module if needed
|
|
if ! ipfilter_loaded; then
|
|
if kldload ipl; then
|
|
info 'IP-filter module loaded.'
|
|
else
|
|
err 1 'IP-filter module failed to load.'
|
|
fi
|
|
fi
|
|
|
|
# check for ipfilter rules
|
|
if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
|
|
then
|
|
warn 'IP-filter: NO IPF RULES'
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
ipfilter_start()
|
|
{
|
|
echo "Enabling ipfilter."
|
|
if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
|
|
${ipfilter_program:-/sbin/ipf} -E
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -Fa
|
|
if [ -r "${ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} \
|
|
-f "${ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -6 -Fa
|
|
if [ -r "${ipv6_ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} -6 \
|
|
-f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
}
|
|
|
|
ipfilter_stop()
|
|
{
|
|
# XXX - The ipf -D command is not effective for 'lkm's
|
|
if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
|
|
echo "Saving firewall state tables"
|
|
${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
|
|
echo "Disabling ipfilter."
|
|
${ipfilter_program:-/sbin/ipf} -D
|
|
fi
|
|
}
|
|
|
|
ipfilter_reload()
|
|
{
|
|
echo "Reloading ipfilter rules."
|
|
|
|
${ipfilter_program:-/sbin/ipf} -I -Fa
|
|
if [ -r "${ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} -I \
|
|
-f "${ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -I -6 -Fa
|
|
if [ -r "${ipv6_ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} -I -6 \
|
|
-f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -s
|
|
|
|
}
|
|
|
|
ipfilter_resync()
|
|
{
|
|
# Don't resync if ipfilter is not loaded
|
|
if ! ipfilter_loaded; then
|
|
return
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
|
|
}
|
|
|
|
ipfilter_status()
|
|
{
|
|
${ipfilter_program:-/sbin/ipf} -V
|
|
}
|
|
|
|
run_rc_command "$1"
|