authormanu <manu@FreeBSD.org>2018-03-02 15:17:42 +0000
committermanu <manu@FreeBSD.org>2018-03-02 15:17:42 +0000
commit532ce31b775d4979ac8c8953b460fd712426636a (patch)
tree6a69c7e92eef8b9ccec5a7597d59a8b952e9ea9c /etc
parentd2b8c34fb582c5955ba82dbaf207e79abdb14f8b (diff)
downloadFreeBSD-src-532ce31b775d4979ac8c8953b460fd712426636a.zip
FreeBSD-src-532ce31b775d4979ac8c8953b460fd712426636a.tar.gz
MFC r320943-r320944, r321008, r321072, r321128
r320943: Add ipfw_status command to etc/rc.d/ipfw This is helpful when using service/conf management tools. Sponsored-By: Gandi.net r320944: Add an rc.d script to set up a netflow export via ng_netflow The default is to export netflow data on localhost on the netflow port. ngtee is used to have the lowest overhead possible. The ipfw ng hook is the netflow port (it can only be numeric) Default is netflow version 5. Sponsored-By: Gandi.net Reviewed by: bapt (earlier version), olivier (earlier version) r321008: etc/rc.d: Only install ipfw_netflow if MK_IPFW and MK_NETGRAPH are defined While here only install the ipfw rc script if MK_IPFW is defined. Reported by: ngie r321072: ipfw_netflow: add +ipfw_netflow_enable="NO" to defaults/rc.conf and document usage in rc.conf(5) Reported by: markj Sponsored by: Gandi.net r321128: ipfw_netflow: Add support for FIB If ipfw_netflow_fib is set, the ipfw rule will only match packets in that FIB. While here correct some values in rc.conf(5) to be int and not str. Sponsored by: Gandi.net
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf1
-rw-r--r--etc/rc.d/Makefile8
-rwxr-xr-xetc/rc.d/ipfw14
-rwxr-xr-xetc/rc.d/ipfw_netflow77
4 files changed, 99 insertions, 1 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 3569289..d19db3a 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -167,6 +167,7 @@ firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES)
firewall_nat_interface="" # Public interface or IPaddress to use
firewall_nat_flags="" # Additional configuration parameters
dummynet_enable="NO" # Load the dummynet(4) module
+ipfw_netflow_enable="NO" # Enable netflow logging via ng_netflow
ip_portrange_first="NO" # Set first dynamically allocated port
ip_portrange_last="NO" # Set last dynamically allocated port
ike_enable="NO" # Enable IKE daemon (usually racoon or isakmpd)
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 320e550..e7675a5 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -47,7 +47,6 @@ FILES= DAEMON \
ip6addrctl \
ipfilter \
ipfs \
- ipfw \
ipmon \
ipnat \
ipsec \
@@ -214,6 +213,13 @@ HASTPACKAGE= hast
FILES+= inetd
.endif
+.if ${MK_IPFW} != "no"
+FILES+= ipfw
+.if ${MK_NETGRAPH} != "no"
+FILES+= ipfw_netflow
+.endif
+.endif
+
.if ${MK_ISCSI} != "no"
FILES+= iscsictl
FILES+= iscsid
diff --git a/etc/rc.d/ipfw b/etc/rc.d/ipfw
index deb9bda..b9417f6 100755
--- a/etc/rc.d/ipfw
+++ b/etc/rc.d/ipfw
@@ -17,7 +17,9 @@ start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
+status_cmd="ipfw_status"
required_modules="ipfw"
+extra_commands="status"
set_rcvar_obsolete ipv6_firewall_enable
@@ -109,6 +111,18 @@ ipfw_stop()
done
}
+ipfw_status()
+{
+ status=$(sysctl -n net.inet.ip.fw.enable)
+ if [ ${status} -eq 0 ]; then
+ echo "ipfw is not enabled"
+ exit 1
+ else
+ echo "ipfw is enabled"
+ exit 0
+ fi
+}
+
load_rc_config $name
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
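Review bot: `ipfw_status` misbehaves when the ipfw module is not loaded, which is exactly the situation a status query is likely to hit: `sysctl -n net.inet.ip.fw.enable` then prints an error and yields an empty string, so the unquoted test collapses to `[ -eq 0 ]` and the shell reports a syntax error instead of "ipfw is not enabled". The function also ends with `exit` rather than `return`, which terminates the script from inside run_rc_command instead of handing the status code back to rc.subr as other status_cmd implementations do. Silencing sysctl, treating an empty result as disabled and returning the code keeps the same exit status for callers:
```shell
ipfw_status()
{
	# Missing OID (module not loaded) yields "" and counts as disabled.
	status=$(sysctl -n net.inet.ip.fw.enable 2>/dev/null)
	if [ -z "${status}" ] || [ "${status}" -eq 0 ]; then
		echo "ipfw is not enabled"
		return 1
	fi
	echo "ipfw is enabled"
	return 0
}
```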
diff --git a/etc/rc.d/ipfw_netflow b/etc/rc.d/ipfw_netflow
new file mode 100755
index 0000000..b9523db
--- /dev/null
+++ b/etc/rc.d/ipfw_netflow
@@ -0,0 +1,77 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfw_netflow
+# REQUIRE: ipfw
+# KEYWORD: nojailvnet
+
+. /etc/rc.subr
+. /etc/network.subr
+
+name="ipfw_netflow"
+desc="firewall, ipfw, netflow"
+rcvar="${name}_enable"
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+start_precmd="${name}_test"
+status_cmd="${name}_status"
+required_modules="ipfw ng_netflow ng_ipfw"
+extra_commands="status"
+
+: ${ipfw_netflow_hook:=9995}
+: ${ipfw_netflow_rule:=01000}
+: ${ipfw_netflow_ip:=127.0.0.1}
+: ${ipfw_netflow_port:=9995}
+: ${ipfw_netflow_version:=}
+
+ipfw_netflow_test()
+{
+ if [ "${ipfw_netflow_version}" != "" ] && [ "${ipfw_netflow_version}" != 9 ]; then
+ err 1 "Unknown netflow version \'${ipfw_netflow_version}\'"
+ fi
+ case "${ipfw_netflow_hook}" in
+ [!0-9]*)
+ err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
+ esac
+ case "${ipfw_netflow_rule}" in
+ [!0-9]*)
+ err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be numerical"
+ esac
+}
+
+ipfw_netflow_is_running()
+{
+ ngctl show netflow: > /dev/null 2>&1 && return 0 || return 1
+}
+
+ipfw_netflow_status()
+{
+ ipfw_netflow_is_running && echo "ipfw_netflow is active" || echo "ipfw_netflow is not active"
+}
+
+ipfw_netflow_start()
+{
+ ipfw_netflow_is_running && err 1 "ipfw_netflow is already active"
+ ipfw add ${ipfw_netflow_rule} ngtee ${ipfw_netflow_hook} ip from any to any ${ipfw_netflow_fib:+fib ${ipfw_netflow_fib}}
+ ngctl -f - <<-EOF
+ mkpeer ipfw: netflow ${ipfw_netflow_hook} iface0
+ name ipfw:${ipfw_netflow_hook} netflow
+ mkpeer netflow: ksocket export${ipfw_netflow_version} inet/dgram/udp
+ msg netflow: setdlt {iface=0 dlt=12}
+ name netflow:export${ipfw_netflow_version} netflow_export
+ msg netflow:export${ipfw_netflow_version} connect inet/${ipfw_netflow_ip}:${ipfw_netflow_port}
+EOF
+}
+
+ipfw_netflow_stop()
+{
+ ipfw_netflow_is_running || err 1 "ipfw_netflow is not active"
+ ngctl shutdown netflow:
+ ipfw delete ${ipfw_netflow_rule}
+}
+
+load_rc_config $name
+
+run_rc_command $*
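Review bot: The numeric checks in `ipfw_netflow_test` only reject values whose first character is not a digit: the glob `[!0-9]*` does not match `1000foo` or a value with trailing text, and it does not match the empty string either, so such values reach the `ipfw add` line and the `ngctl -f` script in `ipfw_netflow_start` unvalidated. `ipfw_netflow_fib`, which is spliced into the rule after the `fib` keyword, is not checked at all, and neither are `ipfw_netflow_ip` and `ipfw_netflow_port` before they are written into the ksocket `connect` command. These values come from rc.conf rather than from the network, so the realistic outcome is an operator typo producing a malformed rule or a netgraph script that fails after the ipfw rule has already been added, rather than an injection, but anchoring the pattern on the whole string with `*[!0-9]*` and covering the FIB closes the gap. As a side note, `\'` inside a double-quoted string is printed literally, so the version error message shows backslashes.
```shell
ipfw_netflow_test()
{
	# … unchanged: netflow version check …
	# Reject anything that is not entirely digits; the empty string too,
	# since rc.conf can override the default with "".
	case "${ipfw_netflow_hook}" in
	""|*[!0-9]*)
		err 1 "Bad value \"${ipfw_netflow_hook}\": Hook must be numerical"
		;;
	esac
	case "${ipfw_netflow_rule}" in
	""|*[!0-9]*)
		err 1 "Bad value \"${ipfw_netflow_rule}\": Rule number must be numerical"
		;;
	esac
	# FIB is optional, but when set it is interpolated into the ipfw rule.
	case "${ipfw_netflow_fib}" in
	*[!0-9]*)
		err 1 "Bad value \"${ipfw_netflow_fib}\": FIB must be numerical"
		;;
	esac
}
```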