This brings support for IP Filter into rc.network and rc.conf with

the appropriate documentation added to rc.conf(5).  If all goes well
with this over the next few weeks, the PR will be closed with the
pullup of patches back to 4-STABLE.

PR:		20202
Submitted by:	Gerhard Sittig <Gerhard.Sittig@gmx.net>
Reviewed by:	Darren Reed <darrenr@freebsd.org>
Approved by:	Darren Reed <darrenr@freebsd.org>
Obtained from:	Gerhard Sittig <Gerhard.Sittig@gmx.net>

1 files changed, 31 insertions, 0 deletions

diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index 8e97b44..4c9d621 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -32,6 +32,37 @@ network_pass1() {
 		echo -n ' hostname'
 	fi
 
+	# Establish ipfilter ruleset as early as possible (best in
+	# addition to IPFILTER_DEFAULT_BLOCK in the kernel config file)
+	#
+	case "${ipfilter_enable}" in
+	[Yy][Ee][Ss])
+		if [ -r "${ipfilter_rules}" ]; then
+			echo -n ' ipfilter';
+			${ipfilter_program:-ipf -Fa -f} "${ipfilter_rules}" ${ipfilter_flags}
+			case "${ipmon_enable}" in
+			[Yy][Ee][Ss])
+				echo -n ' ipmon'
+				${ipmon_program:-ipmon} ${ipmon_flags}
+				;;
+			esac
+			case "${ipnat_enable}" in
+			[Yy][Ee][Ss])
+				if [ -r "${ipnat_rules}" ]; then
+					echo -n ' ipnat';
+					${ipnat_program:-ipnat -CF -f} "${ipnat_rules}" ${ipnat_flags}
+				else
+					echo -n ' NO IPNAT RULES'
+				fi
+				;;
+			esac
+		else
+			ipfilter_enable="NO"
+			echo -n ' NO IPF RULES'
+		fi
+		;;
+	esac
+
 	# Set the domainname if we're using NIS
 	#
 	case ${nisdomainname} in