authoremax <emax@FreeBSD.org>2010-02-08 18:51:24 +0000
committeremax <emax@FreeBSD.org>2010-02-08 18:51:24 +0000
commitbde3e9d61d9ea3d2559c24068294419b902cf4fd (patch)
treeeb1a6a7c73381c281264f3825ec31c011b7f4329 /etc
parent3c2fa0128f9b6a21684a8cbc5a33d090e09b6e4e (diff)
Introduce new rc.conf variable firewall_coscripts. It can be used to
specify a list of executables and/or rc scripts that should be executed after the firewall starts/stops. Submitted by: Yuri Kurenkov <y dot kurenkov at init dot ru> Reviewed by: rhodes, rc@ MFC after: 1 week
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf2
-rwxr-xr-xetc/rc.d/ipfw32
2 files changed, 28 insertions, 6 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index cae0d51..7d0a7d2 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -118,6 +118,8 @@ firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
firewall_logging="NO" # Set to YES to enable events logging
firewall_flags="" # Flags passed to ipfw when type is a file
+firewall_coscripts="" # List of executables/scripts to run after
+ # firewall starts/stops
firewall_client_net="192.0.2.0/24" # IPv4 Network address for "client"
# firewall.
#firewall_client_net_ipv6="2001:db8:2:1::/64" # IPv6 network prefix for
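Review bot: The comment on the new `firewall_coscripts` default does not say how the entries are used: in etc/rc.d/ipfw each listed path is invoked with the `quietstart` and `quietstop` arguments, and /etc/rc.d/natd is always added to the front of the list, so the entries need to be rc-style scripts rather than arbitrary executables. Suggest wording the two comment lines as `# rc scripts run with quietstart/quietstop` and `# after firewall starts/stops (natd is always included)` so an administrator does not list a plain program here.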
diff --git a/etc/rc.d/ipfw b/etc/rc.d/ipfw
index dd7ab55..689905d 100755
--- a/etc/rc.d/ipfw
+++ b/etc/rc.d/ipfw
@@ -14,6 +14,7 @@ name="ipfw"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
+start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
required_modules="ipfw"
@@ -42,9 +43,6 @@ ipfw_start()
[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
if [ -r "${firewall_script}" ]; then
- if [ -f /etc/rc.d/natd ] ; then
- /etc/rc.d/natd quietstart
- fi
/bin/sh "${firewall_script}" "${_firewall_type}"
echo 'Firewall rules loaded.'
elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
@@ -59,6 +57,19 @@ ipfw_start()
echo 'Firewall logging enabled.'
sysctl net.inet.ip.fw.verbose=1 >/dev/null
fi
+}
+
+ipfw_poststart()
+{
+ local _coscript
+
+ # Start firewall coscripts
+ #
+ for _coscript in ${firewall_coscripts} ; do
+ if [ -f "${_coscript}" ]; then
+ ${_coscript} quietstart
+ fi
+ done
# Enable the firewall
#
@@ -75,16 +86,25 @@ ipfw_start()
ipfw_stop()
{
+ local _coscript
+
# Disable the firewall
#
${SYSCTL_W} net.inet.ip.fw.enable=0
if afexists inet6; then
${SYSCTL_W} net.inet6.ip6.fw.enable=0
fi
- if [ -f /etc/rc.d/natd ] ; then
- /etc/rc.d/natd quietstop
- fi
+
+ # Stop firewall coscripts
+ #
+ for _coscript in `reverse_list ${firewall_coscripts}` ; do
+ if [ -f "${_coscript}" ]; then
+ ${_coscript} quietstop
+ fi
+ done
}
load_rc_config $name
+firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+
run_rc_command $*
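Review bot: The coscript guards in the new `ipfw_poststart` loop and the reworked `ipfw_stop` loop test `-f` and then execute the path, so an entry that exists but is not executable passes the check and fails at exec time with an error on the console; `if [ -x "${_coscript}" ]; then` with the invocation quoted as `"${_coscript}" quietstart` (and `"${_coscript}" quietstop`) matches the intent and also stops a glob character in an entry from expanding at call time. Because the added `}` and `ipfw_poststart()` lines are inserted ahead of the `# Enable the firewall` context, the enable step that follows now belongs to `ipfw_poststart` rather than `ipfw_start`, so coscripts are started before the firewall is enabled (as natd was before) — this is not visible from the function name, and a header comment such as `# Start the coscripts, then enable the firewall (runs as start_postcmd)` would save the next reader from tracing the braces; the closing brace of `ipfw_poststart` is outside the hunk. Finally, `firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"` after `load_rc_config` means an administrator who lists natd in rc.conf has it invoked twice per start/stop and nobody can leave it out; prepending only when the list does not already contain it would avoid the duplicate.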