From 1f4408f321ebba024e3d614c75e536434d5b3c00 Mon Sep 17 00:00:00 2001
From: Max Laier
Date: Tue, 23 Mar 2004 22:30:15 +0000
Subject: [PATCH] Add rc.d script for pf(4) (more to come once pflogd(8) works as well). Update defaults and write some lines for rc.conf(5) also. Mostly dup'ed from ipf
Reviewed by: -current
Approved by: bms(mentor)
---
etc/defaults/rc.conf | 4 ++
etc/rc.d/pf | 93 ++++++++++++++++++++++++++++++++++++++++
share/man/man5/rc.conf.5 | 57 ++++++++++++++++++++++++
3 files changed, 154 insertions(+)
create mode 100644 etc/rc.d/pf
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index d6b76d805c27..884f63cef784 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -98,6 +98,10 @@ ipfs_enable="NO" # Set to YES to enable saving and restoring
 # of state tables at shutdown and boot
 ipfs_program="/sbin/ipfs" # where the ipfs program lives
 ipfs_flags="" # additional flags for ipfs
+pf_enable="NO" # Set to YES to enable packet filter (pf)
+pf_rules="/etc/pf.conf" # rules definition file for pf
+pf_program="/sbin/pfctl" # where the pfctl program lives
+pf_flags="" # additional flags for pfctl
 tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
 log_in_vain="0" # >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
diff --git a/etc/rc.d/pf b/etc/rc.d/pf
new file mode 100644
index 000000000000..f8fabd0edc24
--- /dev/null
+++ b/etc/rc.d/pf
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pf
+# REQUIRE: root beforenetlkm mountcritlocal netif
+# BEFORE: DAEMON LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="pf"
+rcvar=`set_rcvar`
+load_rc_config $name
+stop_precmd="test -f ${pf_rules}"
+start_precmd="pf_prestart"
+start_cmd="pf_start"
+stop_cmd="pf_stop"
+reload_precmd="$stop_precmd"
+reload_cmd="pf_reload"
+resync_precmd="$stop_precmd"
+resync_cmd="pf_resync"
+status_precmd="$stop_precmd"
+status_cmd="pf_status"
+extra_commands="reload resync status"
+
+pf_prestart()
+{
+ # load pf kernel module if needed
+ if ! kldstat -v | grep -q pf\$; then
+ if kldload pf; then
+ info 'pf module loaded.'
+ else
+ err 1 'pf module failed to load.'
+ fi
+ fi
+
+ # check for pf rules
+ if [ ! -r "${pf_rules}" ]
+ then
+ warn 'pf: NO PF RULESET FOUND'
+ return 1
+ fi
+}
+
+pf_start()
+{
+ echo "Enabling pf."
+ if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
+ ${pf_program:-/sbin/pfctl} -e
+ fi
+ ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
+ if [ -r "${pf_rules}" ]; then
+ ${pf_program:-/sbin/pfctl} \
+ -f "${pf_rules}" ${pf_flags}
+ fi
+}
+
+pf_stop()
+{
+ if ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
+ echo "Disabling pf."
+ ${pf_program:-/sbin/pfctl} -d
+ fi
+}
+
+pf_reload()
+{
+ echo "Reloading pf rules."
+
+ ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
+ if [ -r "${pf_rules}" ]; then
+ ${pf_program:-/sbin/pfctl} \
+ -f "${pf_rules}" ${pf_flags}
+ fi
+}
+
+pf_resync()
+{
+ # Don't resync if pf is not loaded
+ if ! kldstat -v | grep -q pf\$ ; then
+ return
+ fi
+ ${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
+}
+
+pf_status()
+{
+ ${pf_program:-/sbin/pfctl} -si
+}
+
+run_rc_command "$1"
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 658f1d2f5255..7f7c69563f49 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
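Review bot: pf_start enables the filter (`pfctl -e`) before any ruleset is loaded and then runs `pfctl -Fa`, so between `-e` and `-f` — and permanently if `-f` fails on a parse error, since its exit status is never checked — pf is left enabled with an empty ruleset, which in pf means all traffic is passed. Loading the ruleset first, failing the start on a non-zero `pfctl -f` status (the script already uses `err 1` for the module-load failure), and only then enabling closes that fail-open window; pf_reload has the same unchecked `-f` after `-Fa` and would take the same status check. Note also that `-Fa` clears the state tables on every reload, so established connections are dropped even when the ruleset is unchanged, whereas `pfctl -f` on its own replaces the ruleset without touching state (worth confirming against the pfctl(8) in the tree).
```shell
pf_start()
{
	echo "Enabling pf."
	# flush, then load the ruleset; refuse to start if it does not parse
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	if [ -r "${pf_rules}" ]; then
		${pf_program:-/sbin/pfctl} \
		    -f "${pf_rules}" ${pf_flags} || err 1 'pf ruleset failed to load.'
	fi
	# enable only once a ruleset is in place
	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
		${pf_program:-/sbin/pfctl} -e
	fi
}
```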
@@ -619,6 +619,63 @@ This variable contains flags passed to the
 .Xr ipfs 8
 program.
 .\" ----- end of added ipf hook ---------------------------------
+.It Va pf_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables
+.Xr pf 4
+packet filtering.
+.Pp
+Typical usage will require putting
+.Bd -literal
+pf_enable="YES"
+.Ed
+.Pp
+into
+.Pa /etc/rc.conf
+and editing
+.Pa /etc/pf.conf
+appropriately.
+.Pp
+Having
+.Bd -literal
+options PFIL_HOOKS
+options RANDOM_IP_ID
+.Ed
+.Pp
+in the kernel configuration file is required for use as a
+.Xr kld 4
+module.
+.Pp
+.Bd -literal
+device pf
+.Ed
+.Pp
+builds it into the kernel.
+.It Va pf_rules
+.Pq Vt str
+Path to pf ruleset configuration file
+(default
+.Pa /etc/pf.conf ) .
+.It Va pf_program
+.Pq Vt str
+Path to
+.Xr pfctl 8
+(default
+.Pa /sbin/pfctl ) .
+.It Va pf_flags
+.Pq Vt str
+If
+.Va pf_enable
+is set to
+.Dq Li YES ,
+these flags are passed to the
+.Xr pfctl 8
+program when loading the ruleset.
 .It Va tcp_extensions
 .Pq Vt bool
 Set to