A number of fixes/enhancements for the ipfilter rc script:
- Use a more robust check to determine if we need to load ipl.ko. - Don't try to run ipf -E if ipfilter is already enabled. Look at the net.inet.ipf.fr_running sysctl to figure this out. This fixes a warning message about ipfilter being already initialized. - Only one ipf -E command is needed. We don't need an extra one for the -6 case which would only print a warning message about ipfilter being already initialized. - Fix one occurrence where we were running /sbin/ipf directly without using the ${ipfilter_program} variable if set. - In ipfilter_stop(), don't try to save the firewall state tables if ipfilter is disabled. Similarly, don't try to disable it if it's already disabled. This fixes some more error messages.
This commit is contained in:
parent
74c6dfd454
commit
c1bc6d5ff2
@ -40,7 +40,7 @@ ipfilter_prestart()
|
||||
case ${OSTYPE} in
|
||||
FreeBSD)
|
||||
# load ipfilter kernel module if needed
|
||||
if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
|
||||
if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
|
||||
if kldload ipl; then
|
||||
info 'IP-filter module loaded.'
|
||||
else
|
||||
@ -79,12 +79,15 @@ ipfilter_start()
|
||||
echo "Enabling ipfilter."
|
||||
case ${OSTYPE} in
|
||||
FreeBSD)
|
||||
${ipfilter_program:-/sbin/ipf} -EFa
|
||||
if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
|
||||
${ipfilter_program:-/sbin/ipf} -E
|
||||
fi
|
||||
${ipfilter_program:-/sbin/ipf} -Fa
|
||||
if [ -r "${ipfilter_rules}" ]; then
|
||||
${ipfilter_program:-/sbin/ipf} \
|
||||
-f "${ipfilter_rules}" ${ipfilter_flags}
|
||||
fi
|
||||
${ipfilter_program:-/sbin/ipf} -6 -EFa
|
||||
${ipfilter_program:-/sbin/ipf} -6 -Fa
|
||||
if [ -r "${ipv6_ipfilter_rules}" ]; then
|
||||
${ipfilter_program:-/sbin/ipf} -6 \
|
||||
-f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
|
||||
@ -104,17 +107,21 @@ ipfilter_start()
|
||||
|
||||
ipfilter_stop()
|
||||
{
|
||||
case ${OSTYPE} in
|
||||
FreeBSD)
|
||||
echo "Saving firewall state tables"
|
||||
${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
|
||||
;;
|
||||
NetBSD)
|
||||
;;
|
||||
esac
|
||||
# XXX - The following command is not effective for 'lkm's
|
||||
echo "Disabling ipfilter."
|
||||
/sbin/ipf -D
|
||||
# XXX - The ipf -D command is not effective for 'lkm's
|
||||
if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
|
||||
case ${OSTYPE} in
|
||||
FreeBSD)
|
||||
echo "Saving firewall state tables"
|
||||
${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
|
||||
echo "Disabling ipfilter."
|
||||
${ipfilter_program:-/sbin/ipf} -D
|
||||
;;
|
||||
NetBSD)
|
||||
echo "Disabling ipfilter."
|
||||
/sbin/ipf -D
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
}
|
||||
|
||||
ipfilter_reload()
|
||||
@ -157,7 +164,7 @@ ipfilter_resync()
|
||||
case ${OSTYPE} in
|
||||
FreeBSD)
|
||||
# Don't resync if ipfilter is not loaded
|
||||
[ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
|
||||
[ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return
|
||||
;;
|
||||
esac
|
||||
${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
|
||||
|
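Review bot: The new guard in ipfilter_start, `if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then`, only runs `ipf -E` when the sysctl reads exactly 0, so any other not-running value lets the rule set be loaded into a filter that is never enabled and the host comes up without packet filtering and without an error. If I recall the ip_fil sources correctly a detach (which is what `ipf -D` in ipfilter_stop issues) leaves fr_running negative, so a plain restart would hit this; and when the sysctl node is absent the unquoted empty expansion turns the test into `[ -eq 0 ]`, which is a test error and is treated as false. Testing for "not 1" and tolerating a missing node covers both cases: `running=$(sysctl -n net.inet.ipf.fr_running 2>/dev/null)` followed by `if [ "${running:-0}" -ne 1 ]; then`. The same unquoted backtick expansion feeds the `-eq 1` test in ipfilter_stop and deserves the same quoting; note ipfilter_start itself begins and ends outside this hunk.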