author | mux <mux@FreeBSD.org> | 2003-09-27 13:50:47 +0000 |
---|---|---|
committer | mux <mux@FreeBSD.org> | 2003-09-27 13:50:47 +0000 |
commit | c1bc6d5ff2aff59291a31bebffdb96be391e0012 (patch) | |
tree | 2f051a22a58c633eb7274fdd21fd3a140e8073fd | |
parent | 74c6dfd454b675b7406058908d5bdcdcaa40be38 (diff) | |
A number of fixes/enhancements for the ipfilter rc script:
- Use a more robust check to determine if we need to load ipl.ko.
- Don't try to run ipf -E if ipfilter is already enabled. Look at
the net.inet.ipf.fr_running sysctl to figure this out. This fixes
a warning message about ipfilter being already initialized.
- Only one ipf -E command is needed. We don't need an extra one for
the -6 case which would only print a warning message about ipfilter
being already initialized.
- Fix one occurrence where we were running /sbin/ipf directly without
using the ${ipfilter_program} variable if set.
- In ipfilter_stop(), don't try to save the firewall state tables if
ipfilter is disabled. Similarly, don't try to disable it if it's
already disabled. This fixes some more error messages.
-rwxr-xr-x | etc/rc.d/ipfilter | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/etc/rc.d/ipfilter b/etc/rc.d/ipfilter
index 021f331..f6dab79 100755
--- a/etc/rc.d/ipfilter
+++ b/etc/rc.d/ipfilter
@@ -40,7 +40,7 @@ ipfilter_prestart()
 case ${OSTYPE} in
 FreeBSD)
 # load ipfilter kernel module if needed
- if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
+ if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
 if kldload ipl; then
 info 'IP-filter module loaded.'
 else
@@ -79,12 +79,15 @@ ipfilter_start()
 echo "Enabling ipfilter."
 case ${OSTYPE} in
 FreeBSD)
- ${ipfilter_program:-/sbin/ipf} -EFa
+ if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
+ ${ipfilter_program:-/sbin/ipf} -E
+ fi
+ ${ipfilter_program:-/sbin/ipf} -Fa
 if [ -r "${ipfilter_rules}" ]; then
 ${ipfilter_program:-/sbin/ipf} \
 -f "${ipfilter_rules}" ${ipfilter_flags}
 fi
- ${ipfilter_program:-/sbin/ipf} -6 -EFa
+ ${ipfilter_program:-/sbin/ipf} -6 -Fa
 if [ -r "${ipv6_ipfilter_rules}" ]; then
 ${ipfilter_program:-/sbin/ipf} -6 \
 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
@@ -104,17 +107,21 @@ ipfilter_start()
 
 ipfilter_stop()
 {
- case ${OSTYPE} in
- FreeBSD)
- echo "Saving firewall state tables"
- ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
- ;;
- NetBSD)
- ;;
- esac
- # XXX - The following command is not effective for 'lkm's
- echo "Disabling ipfilter."
- /sbin/ipf -D
+ # XXX - The ipf -D command is not effective for 'lkm's
+ if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
+ case ${OSTYPE} in
+ FreeBSD)
+ echo "Saving firewall state tables"
+ ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
+ echo "Disabling ipfilter."
+ ${ipfilter_program:-/sbin/ipf} -D
+ ;;
+ NetBSD)
+ echo "Disabling ipfilter."
+ /sbin/ipf -D
+ ;;
+ esac
+ fi
 }
 
 ipfilter_reload()
@@ -157,7 +164,7 @@ ipfilter_resync()
 case ${OSTYPE} in
 FreeBSD)
 # Don't resync if ipfilter is not loaded
- [ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
+ [ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return
 ;;
 esac
 ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} |
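Review bot: The unquoted backtick substitution in the new `-eq 0` test in ipfilter_start() expands to nothing when `sysctl -n net.inet.ipf.fr_running` fails, so `[` reports a syntax error, the branch is skipped and `ipf -E` never runs. For a firewall start script that is the unsafe direction, because start-up carries on with the filter possibly left disabled. Quote the substitution and enable unless the filter is known to be running, e.g. `if [ "$(sysctl -n net.inet.ipf.fr_running 2>/dev/null)" != "1" ]; then`; this also covers any other non-running value the sysctl might report, which this diff does not show. The `-eq 1` test added in the ipfilter_stop() hunk has the same unquoted form, where a failed read silently skips both the state save and `ipf -D`. ipfilter_start() begins and ends outside the hunk.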
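Review bot: The new fr_running guard in ipfilter_stop() wraps the `NetBSD)` arm as well, so `/sbin/ipf -D`, which used to run unconditionally, now depends on a sysctl whose presence on NetBSD is not shown in this diff; if it is absent there, stop never disables the filter. Moving the `if [ ... -eq 1 ]` inside the `FreeBSD)` arm would keep the NetBSD path as it was. The NetBSD arm also still hard-codes the binary; `${ipfilter_program:-/sbin/ipf} -D` would match the FreeBSD arm and the commit description.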
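Review bot: The rewritten guard in ipfilter_resync(), `[ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return`, does not test the pipeline: the shell runs `[ kldstat -v` (missing its closing `]`) piped into `grep "IP Filter" ]`, where `]` is taken as a file operand, so the list normally exits non-zero and `return` is never reached. It also reads inverted against its own comment, which says not to resync when ipfilter is not loaded. Use the form already added in ipfilter_prestart(): `if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then return; fi`. The function continues past the end of the hunk.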