Introduce new rc.conf variable firewall_coscripts. It can be used to

specify list of executables and/or rc scripts that should be executed after firewall starts/stops. Submitted by: Yuri Kurenkov <y dot kurenkov at init dot ru> Reviewed by: rhodes, rc@ MFC after: 1 week
2010-02-08 18:51:24 +00:00 · 2010-02-08 18:51:24 +00:00 · bde3e9d61d
commit bde3e9d61d
parent 3c2fa0128f
3 changed files with 32 additions and 6 deletions
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -118,6 +118,8 @@ firewall_type="UNKNOWN"		# Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO"		# Set to YES to suppress rule display
 firewall_logging="NO"		# Set to YES to enable events logging
 firewall_flags=""		# Flags passed to ipfw when type is a file
+firewall_coscripts=""		# List of executables/scripts to run after
+				# firewall starts/stops
 firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
 				# firewall.
 #firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
--- a/etc/rc.d/ipfw
+++ b/etc/rc.d/ipfw
@ -14,6 +14,7 @@ name="ipfw"
 rcvar="firewall_enable"
 start_cmd="ipfw_start"
 start_precmd="ipfw_prestart"
+start_postcmd="ipfw_poststart"
 stop_cmd="ipfw_stop"
 required_modules="ipfw"

@ -42,9 +43,6 @@ ipfw_start()
 	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

 	if [ -r "${firewall_script}" ]; then
-		if [ -f /etc/rc.d/natd ] ; then
-			/etc/rc.d/natd quietstart
-		fi
 		/bin/sh "${firewall_script}" "${_firewall_type}"
 		echo 'Firewall rules loaded.'
 	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
@ -59,6 +57,19 @@ ipfw_start()
 		echo 'Firewall logging enabled.'
 		sysctl net.inet.ip.fw.verbose=1 >/dev/null
 	fi
+}
+
+ipfw_poststart()
+{
+	local	_coscript
+
+	# Start firewall coscripts
+	#
+	for _coscript in ${firewall_coscripts} ; do
+		if [ -f "${_coscript}" ]; then
+			${_coscript} quietstart
+		fi
+	done

 	# Enable the firewall
 	#
@ -75,16 +86,25 @@ ipfw_start()

 ipfw_stop()
 {
+	local	_coscript
+
 	# Disable the firewall
 	#
 	${SYSCTL_W} net.inet.ip.fw.enable=0
 	if afexists inet6; then
 		${SYSCTL_W} net.inet6.ip6.fw.enable=0
 	fi
-	if [ -f /etc/rc.d/natd ] ; then
-		/etc/rc.d/natd quietstop
-	fi
+
+	# Stop firewall coscripts
+	#
+	for _coscript in `reverse_list ${firewall_coscripts}` ; do
+		if [ -f "${_coscript}" ]; then
+			${_coscript} quietstop
+		fi
+	done
 }

 load_rc_config $name
+firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+
 run_rc_command $*
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -507,6 +507,10 @@ specifies a filename.
 .Pq Vt str
 The IPv6 equivalent of
 .Va firewall_flags .
+.It Va firewall_coscripts
+.Pq Vt str
+List of executables and/or rc scripts to run after firewall starts/stops.
+Default is empty.
 .\" ----- firewall_nat_enable setting --------------------------------
 .It Va firewall_nat_enable
 .Pq Vt bool