author | manu <manu@FreeBSD.org> | 2018-03-02 15:17:42 +0000 |
---|---|---|
committer | manu <manu@FreeBSD.org> | 2018-03-02 15:17:42 +0000 |
commit | 532ce31b775d4979ac8c8953b460fd712426636a (patch) | |
tree | 6a69c7e92eef8b9ccec5a7597d59a8b952e9ea9c /etc | |
parent | d2b8c34fb582c5955ba82dbaf207e79abdb14f8b (diff) | |
MFC r320943-r320944, r321008, r321072, r321128
r320943:
Add ipfw_status command to etc/rc.d/ipfw
This is helpful when using service/conf management tools.
Sonsored-By: Gandi.net
r320944:
Add an rc.d script to setup a netflow export via ng_netflow
The default is to export netflow data on localhost on the netflow port.
ngtee is used to have the lowest overhead possible.
The ipfw ng hook is the netflow port (it can only be numeric)
Default is netflow version 5.
Sponsored-By: Gandi.net
Reviewed by: bapt (earlier version), olivier (earlier version)
r321008:
etc/rc.d: Only install ipfw_netflow if MK_IPFW and MK_NETGRAPH are defined
While here only install ipfw rc script if MK_IPFW is defined.
Reported by: ngie
r321072:
ipfw_netflow: add +ipfw_netflow_enable="NO" to defaults/rc.conf and document
usage in rc.conf(5)
Reported by: markj
Sponsored by: Gandi.net
r321128:
ipfw_netflow: Add support for FIB
If ipfw_netflow_fib, the ipfw rule will only match packets in that FIB.
While here correct some value in rc.conf(5) to be int and not str.
Sponsored by: Gandi.net
Diffstat (limited to 'etc')
-rw-r--r-- | etc/defaults/rc.conf | 1 | ||||
-rw-r--r-- | etc/rc.d/Makefile | 8 | ||||
-rwxr-xr-x | etc/rc.d/ipfw | 14 | ||||
-rwxr-xr-x | etc/rc.d/ipfw_netflow | 77 |
4 files changed, 99 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 3569289..d19db3a 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -167,6 +167,7 @@ firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES)
 firewall_nat_interface="" # Public interface or IPaddress to use
 firewall_nat_flags="" # Additional configuration parameters
 dummynet_enable="NO" # Load the dummynet(4) module
+ipfw_netflow_enable="NO" # Enable netflow logging via ng_netflow
 ip_portrange_first="NO" # Set first dynamically allocated port
 ip_portrange_last="NO" # Set last dynamically allocated port
 ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd)
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 320e550..e7675a5 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -47,7 +47,6 @@ FILES= DAEMON \
 ip6addrctl \
 ipfilter \
 ipfs \
-ipfw \
 ipmon \
 ipnat \
 ipsec \
@@ -214,6 +213,13 @@ HASTPACKAGE= hast
 FILES+= inetd
 .endif
 
+.if ${MK_IPFW} != "no"
+FILES+= ipfw
+.if ${MK_NETGRAPH} != "no"
+FILES+= ipfw_netflow
+.endif
+.endif
+
 .if ${MK_ISCSI} != "no"
 FILES+= iscsictl
 FILES+= iscsid
diff --git a/etc/rc.d/ipfw b/etc/rc.d/ipfw
index deb9bda..b9417f6 100755
--- a/etc/rc.d/ipfw
+++ b/etc/rc.d/ipfw
@@ -17,7 +17,9 @@ start_cmd="ipfw_start"
 start_precmd="ipfw_prestart"
 start_postcmd="ipfw_poststart"
 stop_cmd="ipfw_stop"
+status_cmd="ipfw_status"
 required_modules="ipfw"
+extra_commands="status"
 
 set_rcvar_obsolete ipv6_firewall_enable
 
@@ -109,6 +111,18 @@ ipfw_stop()
 done
 }
 
+ipfw_status()
+{
+ status=$(sysctl -n net.inet.ip.fw.enable)
+ if [ ${status} -eq 0 ]; then
+ echo "ipfw is not enabled"
+ exit 1
+ else
+ echo "ipfw is enabled"
+ exit 0
+ fi
+}
+
 load_rc_config $name
 
 firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
diff --git a/etc/rc.d/ipfw_netflow b/etc/rc.d/ipfw_netflow
new file mode 100755
index 0000000..b9523db
--- /dev/null
+++ b/etc/rc.d/ipfw_netflow
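Review bot: `[ ${status} -eq 0 ]` in the new ipfw_status() gives the wrong answer when the ipfw module is not loaded: `sysctl -n net.inet.ip.fw.enable` then fails and prints nothing, the test degenerates to `[ -eq 0 ]`, which is an operator error evaluating false, and the else branch reports "ipfw is enabled" for a firewall that is not there. Silence the sysctl and treat an empty result as disabled, e.g. `status=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)` and `if [ "${status:-0}" -eq 0 ]; then`. Using `return 1` / `return 0` instead of `exit` would presumably also match the usual rc.subr status_cmd convention, where run_rc_command reports the function's exit status; the exit calls only work here because nothing runs after run_rc_command.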
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfw_netflow
+# REQUIRE: ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="ipfw_netflow"
+desc="firewall, ipfw, netflow"
+rcvar="${name}_enable"
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+start_precmd="${name}_test"
+status_cmd="${name}_status"
+required_modules="ipfw ng_netflow ng_ipfw"
+extra_commands="status"
+
+: ${ipfw_netflow_hook:=9995}
+: ${ipfw_netflow_rule:=01000}
+: ${ipfw_netflow_ip:=127.0.0.1}
+: ${ipfw_netflow_port:=9995}
+: ${ipfw_netflow_version:=}
+
+ipfw_netflow_test()
+{
+ if [ "${ipfw_netflow_version}" != "" ] && [ "${ipfw_netflow_version}" != 9 ]; then
+ err 1 "Unknown netflow version \'${ipfw_netflow_version}\'"
+ fi
+ case "${ipfw_netflow_hook}" in
+ [!0-9]*)
+ err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
+ esac
+ case "${ipfw_netflow_rule}" in
+ [!0-9]*)
+ err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be numerical"
+ esac
+}
+
+ipfw_netflow_is_running()
+{
+ ngctl show netflow: > /dev/null 2>&1 && return 0 || return 1
+}
+
+ipfw_netflow_status()
+{
+ ipfw_netflow_is_running && echo "ipfw_netflow is active" || echo "ipfw_netflow is not active"
+}
+
+ipfw_netflow_start()
+{
+ ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
+ ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any ${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}
+ ngctl -f - <<-EOF
+ mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
+ name ipfw:${ipfw_netflow_hook} netflow
+ mkpeer netflow: ksocket export${ipfw_netflow_version} inet/dgram/udp
+ msg netflow: setdlt {iface=0 dlt=12}
+ name netflow:export${ipfw_netflow_version} netflow_export
+ msg netflow:export${ipfw_netflow_version} connect inet/${ipfw_netflow_ip}:${ipfw_netflow_port}
+EOF
+}
+
+ipfw_netflow_stop()
+{
+ ipfw_netflow_is_running || err 1 "ipfw_netflow is not active"
+ ngctl shutdown netflow:
+ ipfw delete ${ipfw_netflow_rule}
+}
+
+load_rc_config $name
+
+run_rc_command $*
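Review bot: ipfw_netflow_test() validates only the first character of ipfw_netflow_hook and ipfw_netflow_rule (`[!0-9]*` lets a value such as "10abc" through), and ipfw_netflow_fib, which ipfw_netflow_start() splices straight into the `ipfw add` command line as `fib ${ipfw_netflow_fib}`, is not checked at all, so a malformed rc.conf value surfaces only as an ipfw parse error at start time. Tightening the patterns to `*[!0-9]*` and adding the same check for the FIB keeps every variable that reaches the ipfw command line numeric; the rewritten function is below. Separately, `\'` inside the double-quoted err message on the version check is printed literally as backslash-quote; plain `'` is enough there. Worth a comment on ipfw_netflow_stop() too: `ipfw delete ${ipfw_netflow_rule}` removes every rule carrying that number, not only the ngtee rule this script added, e.g. `# deletes all rules numbered ipfw_netflow_rule; keep the number unique`.
```shell
ipfw_netflow_test()
{
	# … unchanged: netflow version check …
	case "${ipfw_netflow_hook}" in
	*[!0-9]*)
		err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
	esac
	case "${ipfw_netflow_rule}" in
	*[!0-9]*)
		err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be numerical"
	esac
	# FIB is optional; an empty value does not match the pattern and is accepted
	case "${ipfw_netflow_fib}" in
	*[!0-9]*)
		err 1 "Bad value \"${ipfw_netflow_fib}\": FIB must be numerical"
	esac
}
```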