authormlaier <mlaier@FreeBSD.org>2004-03-23 22:30:15 +0000
committermlaier <mlaier@FreeBSD.org>2004-03-23 22:30:15 +0000
commita1442efbd3a92a0065dcfbb30e6b3fea289f78ae (patch)
tree04dc9e09454c4ddfe2ad509775cdc511e157ad67
parentc92c2d6926b1957433d010a9d32ff510b02b8fa2 (diff)
downloadFreeBSD-src-a1442efbd3a92a0065dcfbb30e6b3fea289f78ae.zip
FreeBSD-src-a1442efbd3a92a0065dcfbb30e6b3fea289f78ae.tar.gz
Add rc.d script for pf(4) (more to come once pflogd(8) works as well).
Update defaults and write some lines for rc.conf(5) also. Mostly dup'ed from ipf Reviewed by: -current Approved by: bms(mentor)
-rw-r--r--etc/defaults/rc.conf4
-rw-r--r--etc/rc.d/pf93
-rw-r--r--share/man/man5/rc.conf.557
3 files changed, 154 insertions, 0 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index d6b76d8..884f63c 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -98,6 +98,10 @@ ipfs_enable="NO" # Set to YES to enable saving and restoring
# of state tables at shutdown and boot
ipfs_program="/sbin/ipfs" # where the ipfs program lives
ipfs_flags="" # additional flags for ipfs
+pf_enable="NO" # Set to YES to enable packet filter (pf)
+pf_rules="/etc/pf.conf" # rules definition file for pf
+pf_program="/sbin/pfctl" # where the pfctl program lives
+pf_flags="" # additional flags for pfctl
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
diff --git a/etc/rc.d/pf b/etc/rc.d/pf
new file mode 100644
index 0000000..f8fabd0
--- /dev/null
+++ b/etc/rc.d/pf
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pf
+# REQUIRE: root beforenetlkm mountcritlocal netif
+# BEFORE: DAEMON LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="pf"
+rcvar=`set_rcvar`
+load_rc_config $name
+stop_precmd="test -f ${pf_rules}"
+start_precmd="pf_prestart"
+start_cmd="pf_start"
+stop_cmd="pf_stop"
+reload_precmd="$stop_precmd"
+reload_cmd="pf_reload"
+resync_precmd="$stop_precmd"
+resync_cmd="pf_resync"
+status_precmd="$stop_precmd"
+status_cmd="pf_status"
+extra_commands="reload resync status"
+
+pf_prestart()
+{
+ # load pf kernel module if needed
+ if ! kldstat -v | grep -q pf\$; then
+ if kldload pf; then
+ info 'pf module loaded.'
+ else
+ err 1 'pf module failed to load.'
+ fi
+ fi
+
+ # check for pf rules
+ if [ ! -r "${pf_rules}" ]
+ then
+ warn 'pf: NO PF RULESET FOUND'
+ return 1
+ fi
+}
+
+pf_start()
+{
+ echo "Enabling pf."
+ if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
+ ${pf_program:-/sbin/pfctl} -e
+ fi
+ ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
+ if [ -r "${pf_rules}" ]; then
+ ${pf_program:-/sbin/pfctl} \
+ -f "${pf_rules}" ${pf_flags}
+ fi
+}
+
+pf_stop()
+{
+ if ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
+ echo "Disabling pf."
+ ${pf_program:-/sbin/pfctl} -d
+ fi
+}
+
+pf_reload()
+{
+ echo "Reloading pf rules."
+
+ ${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
+ if [ -r "${pf_rules}" ]; then
+ ${pf_program:-/sbin/pfctl} \
+ -f "${pf_rules}" ${pf_flags}
+ fi
+}
+
+pf_resync()
+{
+ # Don't resync if pf is not loaded
+ if ! kldstat -v | grep -q pf\$ ; then
+ return
+ fi
+ ${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
+}
+
+pf_status()
+{
+ ${pf_program:-/sbin/pfctl} -si
+}
+
+run_rc_command "$1"
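Review bot: pf_start enables the filter (`pfctl -e`) before it flushes everything (`pfctl -Fa`) and loads the ruleset, and the exit status of `pfctl -f` is never checked, so a syntax error in `${pf_rules}` leaves pf enabled with an empty ruleset, which passes all traffic — the script fails open on the one error a ruleset edit is most likely to produce. pf_reload has the same flush-then-unchecked-load shape, and the `-Fa` step also discards its errors with `2>&1`. Loading the ruleset first and only then enabling, and turning a failed load into an `err` so that the rc framework reports it, would make the failure visible instead of silent; whether the explicit `-Fa` is still needed once `-f` is the thing that replaces the rules I cannot tell from this hunk, so it is kept below. Separately, `stop_precmd="test -f ${pf_rules}"` is unquoted and makes `stop` and `status` refuse to run when pf.conf is missing, although disabling pf needs no ruleset; `stop_precmd` and `status_precmd` can simply be dropped.
```shell
pf_start()
{
	echo "Enabling pf."
	# Load the ruleset before enabling so that a rejected ruleset never
	# leaves pf running with no rules (an empty ruleset passes everything).
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	if ! ${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}; then
		err 1 'pf: ruleset failed to load; pf left disabled.'
	fi
	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
		${pf_program:-/sbin/pfctl} -e
	fi
}

pf_reload()
{
	echo "Reloading pf rules."
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	if ! ${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}; then
		# Do not keep filtering with an empty ruleset after a bad reload.
		${pf_program:-/sbin/pfctl} -d
		err 1 'pf: ruleset failed to load; pf disabled.'
	fi
}
# … unchanged: pf_prestart, pf_stop, pf_resync, pf_status …
```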
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 658f1d2..7f7c695 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -619,6 +619,63 @@ This variable contains flags passed to the
.Xr ipfs 8
program.
.\" ----- end of added ipf hook ---------------------------------
+.It Va pf_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables
+.Xr pf 4
+packet filtering.
+.Pp
+Typical usage will require putting
+.Bd -literal
+pf_enable="YES"
+.Ed
+.Pp
+into
+.Pa /etc/rc.conf
+and editing
+.Pa /etc/pf.conf
+appropriately.
+.Pp
+Having
+.Bd -literal
+options PFIL_HOOKS
+options RANDOM_IP_ID
+.Ed
+.Pp
+in the kernel configuration file is required for use as a
+.Xr kld 4
+module.
+.Pp
+.Bd -literal
+device pf
+.Ed
+.Pp
+builds it into the kernel.
+.It Va pf_rules
+.Pq Vt str
+Path to pf ruleset configuration file
+(default
+.Pa /etc/pf.conf ) .
+.It Va pf_program
+.Pq Vt str
+Path to
+.Xr pfctl 8
+(default
+.Pa /sbin/pfctl ) .
+.It Va pf_flags
+.Pq Vt str
+If
+.Va pf_enable
+is set to
+.Dq Li YES ,
+these flags are passed to the
+.Xr pfctl 8
+program when loading the ruleset.
.It Va tcp_extensions
.Pq Vt bool
Set to