freebsd-skq/etc/rc.d/ipfilter

#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD$
#

# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal ipmon
# BEFORE:  netif
# KEYWORD: FreeBSD

. /etc/rc.subr

name="ipfilter"
rcvar=`set_rcvar`
load_rc_config $name
stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

ipfilter_prestart()
{
	# load ipfilter kernel module if needed
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
		if kldload ipl; then
			info 'IP-filter module loaded.'
		else
			err 1 'IP-filter module failed to load.'
		fi
	fi

	# check for ipfilter rules
	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
	then
		warn 'IP-filter: NO IPF RULES'
		return 1
	fi
	return 0
}

ipfilter_start()
{
	echo "Enabling ipfilter."
	if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
}

ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -s

}

ipfilter_resync()
{
	# Don't resync if ipfilter is not loaded
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
		 return
	fi
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"