dougb afb1ba786c Reverse the effect of r193198 for pf and ipfw which will once again
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.

IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.

This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.
2009-06-26 01:04:50 +00:00
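The ordering concern raised in the commit message can be checked from the rcorder(8) headers themselves. The following script is an added example, not code from the commit or the FreeBSD tree: it follows REQUIRE and BEFORE keywords transitively to tell whether one rc.d script is ordered after another. The names `rc_starts_after`, `make_sample_rcd` and `examplefw`, and every sample header except pfsync's, are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample headers; only the pfsync header matches the file on this page.
make_sample_rcd() {
    d=$(mktemp -d) || return 1
    printf '# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n' > "$d/netif"
    printf '# PROVIDE: pfsync\n# REQUIRE: FILESYSTEMS netif\n' > "$d/pfsync"
    printf '# PROVIDE: pf\n# REQUIRE: FILESYSTEMS pfsync\n' > "$d/pf"
    printf '# PROVIDE: examplefw\n# BEFORE: netif\n' > "$d/examplefw"
    echo "$d"
}

# rc_starts_after DIR TARGET DEP
# Exit 0 if TARGET is ordered after DEP, directly or through other scripts.
rc_starts_after() {
    awk -v target="$2" -v dep="$3" '
        /^# PROVIDE:/ { for (i = 3; i <= NF; i++) prov[FILENAME] = prov[FILENAME] " " $i }
        /^# REQUIRE:/ { for (i = 3; i <= NF; i++) req[FILENAME] = req[FILENAME] " " $i }
        /^# BEFORE:/  { for (i = 3; i <= NF; i++) bef[FILENAME] = bef[FILENAME] " " $i }
        END {
            # after[x] lists everything that must start before x.
            for (f in prov) {
                np = split(prov[f], p, " ")
                nr = split(req[f], r, " ")
                nb = split(bef[f], b, " ")
                for (i = 1; i <= np; i++) {
                    for (j = 1; j <= nr; j++) after[p[i]] = after[p[i]] " " r[j]
                    for (j = 1; j <= nb; j++) after[b[j]] = after[b[j]] " " p[i]
                }
            }
            # Breadth-first walk from TARGET over its prerequisites.
            queue[1] = target; seen[target] = 1; head = 1; tail = 1
            while (head <= tail) {
                n = split(after[queue[head++]], d, " ")
                for (i = 1; i <= n; i++) {
                    if (d[i] == dep) found = 1
                    if (!(d[i] in seen)) { seen[d[i]] = 1; queue[++tail] = d[i] }
                }
            }
            exit (found ? 0 : 1)
        }' "$1"/*
}

dir=$(make_sample_rcd)
for fw in pf examplefw; do
    if rc_starts_after "$dir" "$fw" netif; then
        echo "$fw: ordered after netif"
    else
        echo "$fw: not ordered after netif"
    fi
done
rm -rf "$dir"
```

In the constructed data pf is ordered after netif only through pfsync, which is why the REQUIRE line of a helper script such as this one matters when auditing firewall start order.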

56 lines
926 B
Bash
Executable File

#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: pfsync
# REQUIRE: FILESYSTEMS netif
# KEYWORD: nojail

. /etc/rc.subr

name="pfsync"
rcvar=`set_rcvar`
start_precmd="pfsync_prestart"
start_cmd="pfsync_start"
stop_cmd="pfsync_stop"
required_modules="pf"

pfsync_prestart()
{
	# XXX Currently pfsync cannot be a module as it must register
	# a network protocol in a static kernel table.
	if ! kldstat -q -m pfsync; then
		warn "pfsync(4) must be statically compiled in the kernel."
		return 1
	fi

	case "$pfsync_syncdev" in
	'')
		warn "pfsync_syncdev is not set."
		return 1
		;;
	esac
	return 0
}

pfsync_start()
{
	local _syncpeer

	echo "Enabling pfsync."
	if [ -n "${pfsync_syncpeer}" ]; then
		_syncpeer="syncpeer ${pfsync_syncpeer}"
	fi
	ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
}

pfsync_stop()
{
	echo "Disabling pfsync."
	ifconfig pfsync0 -syncdev down
}

load_rc_config $name
run_rc_command "$1"