authorgordon <gordon@FreeBSD.org>2002-06-13 22:14:37 +0000
committergordon <gordon@FreeBSD.org>2002-06-13 22:14:37 +0000
commit9c5433cb225f7a4e56e87623ea2e4011179553a5 (patch)
tree3168589e209abd888b033397e3c46dee6131a116 /etc/rc.d/ipfilter
parent50d99cdfecd92f5323a18aa791a5b1cb9d8b7191 (diff)
Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next. Submitted by: Mike Makonnen <makonnen@pacbell.net> Reviewed by: silence on -current and -hackers Prodded by: rwatson
Diffstat (limited to 'etc/rc.d/ipfilter')
-rwxr-xr-xetc/rc.d/ipfilter116
1 files changed, 95 insertions, 21 deletions
diff --git a/etc/rc.d/ipfilter b/etc/rc.d/ipfilter
index a2d0c20..2962551 100755
--- a/etc/rc.d/ipfilter
+++ b/etc/rc.d/ipfilter
@@ -1,27 +1,60 @@
#!/bin/sh
#
-# $NetBSD: ipfilter,v 1.8 2000/10/01 05:58:06 lukem Exp $
+# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
+# $FreeBSD$
#
# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal tty
+# KEYWORD: FreeBSD NetBSD
. /etc/rc.subr
name="ipfilter"
-rcvar=$name
+rcvar=`set_rcvar`
+load_rc_config $name
+
+case `${CMD_OSTYPE}` in
+FreeBSD)
+ stop_precmd="test -f ${ipfilter_rules}"
+ ;;
+NetBSD)
+ stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
+ ;;
+esac
+
start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
-stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
+resync_precmd="$stop_precmd"
+resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
-extra_commands="reload status"
+extra_commands="reload resync status"
ipfilter_prestart()
{
+case `${CMD_OSTYPE}` in
+FreeBSD)
+ # load ipfilter kernel module if needed
+ if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
+ if kldload ipl ; then
+ echo 'IP-filter module loaded.'
+ else
+ warn 'IP-filter module failed to load.'
+ return 1
+ fi
+ fi
+
+ # check for ipfilter rules
+ if [ ! -r "${ipfilter_rules}" ]; then
+ warn 'IP-filter: NO IPF RULES'
+ return 1
+ fi
+ ;;
+NetBSD)
if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
warn "/etc/ipf*.conf not readable; ipfilter start aborted."
#
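Review bot: `stop_precmd="test -f ${ipfilter_rules}"` in the FreeBSD branch expands the variable unquoted when the string is built, so an empty or unset `ipfilter_rules` turns the precondition into `test -f`, which is true by test's one-argument rule. Because `reload_precmd`, `resync_precmd` and `status_precmd` copy this value, all four commands then proceed without any rules file. Keeping the quotes inside the string makes an empty value fail: `stop_precmd="test -f \"${ipfilter_rules}\""`. This assumes rc.subr runs the precmd string through `eval`, which is not visible in this diff. The `case` also has no default arm, so on any other `CMD_OSTYPE` result `stop_precmd` stays empty.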
@@ -35,23 +68,42 @@ ipfilter_prestart()
fi
return 1
fi
+ ;;
+esac
return 0
}
ipfilter_start()
{
echo "Enabling ipfilter."
- /sbin/ipf -E -Fa
- if [ -f /etc/ipf.conf ]; then
- /sbin/ipf -f /etc/ipf.conf
- fi
- if [ -f /etc/ipf6.conf ]; then
- /sbin/ipf -6 -f /etc/ipf6.conf
- fi
+ case `${CMD_OSTYPE}` in
+ FreeBSD)
+ ${ipfilter_program:-/sbin/ipf} -Fa -f \
+ "${ipfilter_rules}" ${ipfilter_flags}
+ ;;
+ NetBSD)
+ /sbin/ipf -E -Fa
+ if [ -f /etc/ipf.conf ]; then
+ /sbin/ipf -f /etc/ipf.conf
+ fi
+ if [ -f /etc/ipf6.conf ]; then
+ /sbin/ipf -6 -f /etc/ipf6.conf
+ fi
+ ;;
+ esac
}
ipfilter_stop()
{
+ case `${CMD_OSTYPE}` in
+ FreeBSD)
+ echo "Saving firewall state tables"
+ ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
+ ;;
+ NetBSD)
+ ;;
+ esac
+ # XXX - The following command is not effective for 'lkm's
echo "Disabling ipfilter."
/sbin/ipf -D
}
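Review bot: The FreeBSD branch of ipfilter_start flushes the active set with `-Fa` before loading `${ipfilter_rules}` and prints nothing if that load fails. A syntax error in the rules file on a manual `start` can therefore leave the filter running with an empty or partial ruleset. ipfilter_prestart only checks that the file is readable, so the failure should be surfaced here, for example by following the ipf invocation with `|| { warn "IP-filter: loading ${ipfilter_rules} failed"; return 1; }`. In ipfilter_stop the disable step still hard-codes `/sbin/ipf -D` while every new FreeBSD path honours the override; `${ipfilter_program:-/sbin/ipf} -D` would keep them consistent.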
@@ -60,20 +112,42 @@ ipfilter_reload()
{
echo "Reloading ipfilter rules."
- /sbin/ipf -I -Fa
- if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
- err 1 "reload of ipf.conf failed; not swapping to new ruleset."
- fi
- if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
- err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
- fi
- /sbin/ipf -s
+ case `${CMD_OSTYPE}` in
+ FreeBSD)
+ ${ipfilter_program:-/sbin/ipf} -I -Fa -f \
+ "${ipfilter_rules}" ${ipfilter_flags}
+ ;;
+ NetBSD)
+ /sbin/ipf -I -Fa
+ if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
+ err 1 "reload of ipf.conf failed; not swapping to" \
+ " new ruleset."
+ fi
+ if [ -f /etc/ipf6.conf ] && \
+ ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
+ err 1 "reload of ipf6.conf failed; not swapping to" \
+ " new ruleset."
+ fi
+ /sbin/ipf -s
+ ;;
+ esac
+
+}
+
+ipfilter_resync()
+{
+ case `${CMD_OSTYPE}` in
+ FreeBSD)
+ # Don't resync if ipfilter is not loaded
+ [ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
+ ;;
+ esac
+ ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}
ipfilter_status()
{
- /sbin/ipf -V
+ ${ipfilter_program:-/sbin/ipf} -V
}
-load_rc_config $name
run_rc_command "$1"
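Review bot: The FreeBSD guard in ipfilter_resync can never fire, because `[ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ]` passes the words to test(1) instead of running sysctl, and the redirection hides the resulting error. Its sense is also inverted relative to the comment above it; the intended check is `sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 || return 0`. Separately, the FreeBSD branch of ipfilter_reload loads the rules into the inactive set with `-I` but neither checks the exit status nor runs `ipf -s`, both of which the NetBSD branch does. Unless `ipfilter_flags` happens to supply the swap, the new ruleset appears never to become active while the script still reports "Reloading ipfilter rules.". Checking the load with `|| err 1 "reload of ${ipfilter_rules} failed; not swapping to new ruleset."` and then calling `${ipfilter_program:-/sbin/ipf} -s` would match the NetBSD path.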