439f89ac76
> > There is no need to explicitly add "status" to $extra_commands in > > the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's > > run_rc_command() because of the existing $pf_program. > > > > Submitted by: Christoph Schug <chris@schug.net> ...because as yar@ points out: "[...] you were relying on evil side-effects of the variable being named *_program. Those side-effects have been eliminated since rc.subr rev. 1.42. [...] The point is that the default "status" method is for rc.d scripts that handle startup and shutdown of conventional daemons, and not for custom tasks like the pf case." The change is still valid in RELENG_6 (and still doesn't have to be backed out) as long as rc.subr:r1.42 is not MFC'ed to RELENG_6, too.
#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: pf
# REQUIRE: root mountcritlocal netif pflog pfsync
# BEFORE: routing
# KEYWORD: nojail

. /etc/rc.subr

# rc.d glue for the pf packet filter: service name, the rc.conf
# enable variable derived from it, and the per-method handlers that
# run_rc_command dispatches to.
name="pf"
rcvar=$(set_rcvar)
load_rc_config "$name"

# pf is not a conventional daemon, so every method is a custom
# function.  "status" is listed in extra_commands deliberately: the
# default rc.subr status method is meant for daemons, not for this.
start_precmd="pf_prestart"
start_cmd="pf_start"
stop_cmd="pf_stop"
check_cmd="pf_check"
reload_cmd="pf_reload"
resync_cmd="pf_resync"
status_cmd="pf_status"
extra_commands="check reload resync status"

# rc.subr refuses to run a method while the ruleset file is missing.
required_files="$pf_rules"
pf_prestart()
{
	# Load the pf kernel module if it is not already present.  Returns
	# 0 when the module is available, 1 when loading it failed (which
	# makes rc.subr skip pf_start).
	kldstat -q -m pf && return 0
	if ! kldload pf ; then
		warn 'pf module failed to load.'
		return 1
	fi
	info 'pf module loaded.'
	return 0
}
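pf_start()
{
	echo "Enabling pf."
	# Dry-run the ruleset before touching the running state, as
	# pf_reload already does.  Without this, "-Fall" below empties the
	# ruleset and a parse error in $pf_rules then leaves pf enabled
	# with no rules at all (pf passes traffic that matches no rule).
	# $pf_flags is passed too, since it may carry -D macro definitions
	# the ruleset needs in order to parse.
	$pf_program -n -f "$pf_rules" $pf_flags || return 1
	# Flush everything, then load the validated ruleset.
	$pf_program -Fall > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags
	# Enable pf only if it is not already running.
	if ! $pf_program -s info | grep -q "Enabled" ; then
		$pf_program -e
	fi
}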
pf_stop()
{
	# Counterpart of pf_start: disable pf, but only when it reports
	# itself as enabled.  Nothing is printed otherwise.
	$pf_program -s info | grep -q "Enabled" || return 0
	echo "Disabling pf."
	$pf_program -d
}
pf_check()
{
	# Parse $pf_rules without loading it (pfctl -n).  The function's
	# exit status is pfctl's, so a syntax error reaches the caller.
	printf '%s\n' "Checking pf rules."
	$pf_program -n -f "$pf_rules"
}
pf_reload()
{
	echo "Reloading pf rules."
	# Refuse to touch the running ruleset unless the new one parses.
	# NOTE(review): this dry run omits $pf_flags, so a ruleset that
	# depends on flag-supplied macros would be rejected here.
	if ! $pf_program -n -f "$pf_rules" ; then
		return 1
	fi
	# Flush everything except the state table, so re-reading the rules
	# does not break established connections.
	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags
}
pf_resync()
{
	# Re-read $pf_rules into the running pf without any flush or
	# pre-validation (unlike pf_reload); exit status is pfctl's.
	$pf_program -f "$pf_rules" $pf_flags
}
pf_status()
{
	# Print pf's runtime information; pf_start and pf_stop grep this
	# same output for "Enabled" to decide whether to toggle pf.
	$pf_program -s info
}
# Dispatch the method named on the command line (start, stop, check,
# reload, resync, status) to the handlers configured above.
run_rc_command "$1"