c1bc6d5ff2
- Use a more robust check to determine if we need to load ipl.ko.
- Don't try to run ipf -E if ipfilter is already enabled. Look at
the net.inet.ipf.fr_running sysctl to figure this out. This fixes
a warning message about ipfilter being already initialized.
- Only one ipf -E command is needed. We don't need an extra one for
the -6 case which would only print a warning message about ipfilter
being already initialized.
- Fix one occurence where we were running /sbin/ipf directly without
using the ${ipfilter_program} variable if set.
- In ipfilter_stop(), don't try to save the firewall state tables if
ipfilter is disabled. Similarly, don't try to disable it if it's
already disabled. This fixes some more error messages.
179 lines
3.7 KiB
Bash
Executable File
179 lines
3.7 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
|
|
# $FreeBSD$
|
|
#
|
|
|
|
# PROVIDE: ipfilter
|
|
# REQUIRE: root beforenetlkm mountcritlocal ipmon
|
|
# BEFORE: netif
|
|
# KEYWORD: FreeBSD NetBSD
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="ipfilter"
|
|
rcvar=`set_rcvar`
|
|
load_rc_config $name
|
|
|
|
case ${OSTYPE} in
|
|
FreeBSD)
|
|
stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
|
|
;;
|
|
NetBSD)
|
|
stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
|
|
;;
|
|
esac
|
|
|
|
start_precmd="ipfilter_prestart"
|
|
start_cmd="ipfilter_start"
|
|
stop_cmd="ipfilter_stop"
|
|
reload_precmd="$stop_precmd"
|
|
reload_cmd="ipfilter_reload"
|
|
resync_precmd="$stop_precmd"
|
|
resync_cmd="ipfilter_resync"
|
|
status_precmd="$stop_precmd"
|
|
status_cmd="ipfilter_status"
|
|
extra_commands="reload resync status"
|
|
|
|
ipfilter_prestart()
|
|
{
|
|
case ${OSTYPE} in
|
|
FreeBSD)
|
|
# load ipfilter kernel module if needed
|
|
if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
|
|
if kldload ipl; then
|
|
info 'IP-filter module loaded.'
|
|
else
|
|
err 1 'IP-filter module failed to load.'
|
|
fi
|
|
fi
|
|
|
|
# check for ipfilter rules
|
|
if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
|
|
then
|
|
warn 'IP-filter: NO IPF RULES'
|
|
return 1
|
|
fi
|
|
;;
|
|
NetBSD)
|
|
if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
|
|
warn "/etc/ipf*.conf not readable; ipfilter start aborted."
|
|
#
|
|
# If booting directly to multiuser, send SIGTERM to
|
|
# the parent (/etc/rc) to abort the boot
|
|
#
|
|
if [ "$autoboot" = yes ]; then
|
|
echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
|
|
kill -TERM $$
|
|
exit 1
|
|
fi
|
|
return 1
|
|
fi
|
|
;;
|
|
esac
|
|
return 0
|
|
}
|
|
|
|
ipfilter_start()
|
|
{
|
|
echo "Enabling ipfilter."
|
|
case ${OSTYPE} in
|
|
FreeBSD)
|
|
if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
|
|
${ipfilter_program:-/sbin/ipf} -E
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -Fa
|
|
if [ -r "${ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} \
|
|
-f "${ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -6 -Fa
|
|
if [ -r "${ipv6_ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} -6 \
|
|
-f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
;;
|
|
NetBSD)
|
|
/sbin/ipf -E -Fa
|
|
if [ -f /etc/ipf.conf ]; then
|
|
/sbin/ipf -f /etc/ipf.conf
|
|
fi
|
|
if [ -f /etc/ipf6.conf ]; then
|
|
/sbin/ipf -6 -f /etc/ipf6.conf
|
|
fi
|
|
;;
|
|
esac
|
|
}
|
|
|
|
ipfilter_stop()
|
|
{
|
|
# XXX - The ipf -D command is not effective for 'lkm's
|
|
if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
|
|
case ${OSTYPE} in
|
|
FreeBSD)
|
|
echo "Saving firewall state tables"
|
|
${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
|
|
echo "Disabling ipfilter."
|
|
${ipfilter_program:-/sbin/ipf} -D
|
|
;;
|
|
NetBSD)
|
|
echo "Disabling ipfilter."
|
|
/sbin/ipf -D
|
|
;;
|
|
esac
|
|
fi
|
|
}
|
|
|
|
ipfilter_reload()
|
|
{
|
|
echo "Reloading ipfilter rules."
|
|
|
|
case ${OSTYPE} in
|
|
FreeBSD)
|
|
${ipfilter_program:-/sbin/ipf} -I -Fa
|
|
if [ -r "${ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} -I \
|
|
-f "${ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -I -6 -Fa
|
|
if [ -r "${ipv6_ipfilter_rules}" ]; then
|
|
${ipfilter_program:-/sbin/ipf} -I -6 \
|
|
-f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
|
|
fi
|
|
${ipfilter_program:-/sbin/ipf} -s
|
|
;;
|
|
NetBSD)
|
|
/sbin/ipf -I -Fa
|
|
if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
|
|
err 1 "reload of ipf.conf failed; not swapping to" \
|
|
" new ruleset."
|
|
fi
|
|
if [ -f /etc/ipf6.conf ] && \
|
|
! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
|
|
err 1 "reload of ipf6.conf failed; not swapping to" \
|
|
" new ruleset."
|
|
fi
|
|
/sbin/ipf -s
|
|
;;
|
|
esac
|
|
|
|
}
|
|
|
|
ipfilter_resync()
|
|
{
|
|
case ${OSTYPE} in
|
|
FreeBSD)
|
|
# Don't resync if ipfilter is not loaded
|
|
[ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return
|
|
;;
|
|
esac
|
|
${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
|
|
}
|
|
|
|
ipfilter_status()
|
|
{
|
|
${ipfilter_program:-/sbin/ipf} -V
|
|
}
|
|
|
|
run_rc_command "$1"
|