author | darrenr <darrenr@FreeBSD.org> | 2001-11-24 13:48:30 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2001-11-24 13:48:30 +0000 |
commit | 6524b810339066f8b5ffaca2e8e58cc637702ace (patch) | |
tree | b882578accee77438ea67a1ff5c6099995d4f95a /etc | |
parent | 5b53391dafc71694d6bf230b85cbab4f466ad2fd (diff) | |
Resolve all the ipfilter startup issues in rc.network with one big patch
to get it all right, allowing ipnat to be enabled independently of ipfilter
in rc.conf (among other things).
PR: multiple
Submitted by: Arjan de Vet <devet@devet.org>
Reviewed by: Giorgos Keramidas <keramida@FreeBSD.org>
Diffstat (limited to 'etc')
-rw-r--r-- | etc/network.subr | 130 | ||||
-rw-r--r-- | etc/rc.d/netoptions | 130 | ||||
-rw-r--r-- | etc/rc.d/network1 | 130 | ||||
-rw-r--r-- | etc/rc.d/network2 | 130 | ||||
-rw-r--r-- | etc/rc.d/network3 | 130 | ||||
-rw-r--r-- | etc/rc.d/routing | 130 | ||||
-rw-r--r-- | etc/rc.network | 130 |
7 files changed, 497 insertions, 413 deletions
diff --git a/etc/network.subr b/etc/network.subr
index e4bf1e6..dbbf037 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions index e4bf1e6..dbbf037 100644 --- a/etc/rc.d/netoptions +++ b/etc/rc.d/netoptions 
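Review bot: When `kldload ipl` fails, the new failure branch resets `ipmon_enable`, `ipfilter_enable`, `ipnat_enable` and `ipfs_enable` but leaves `ipfilter_active` at "YES", so the re-sync in the second hunk still runs `${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}` against a kernel without ipfilter, which is exactly the kind of follow-on error the `# avoid further errors` comment is trying to prevent; add `ipfilter_active="NO"` to that branch. That path is also fail-open: the script prints the warning and carries on, so the interfaces configured later in network_pass1 come up with no packet filter at all, and the header comment's advice about IPFILTER_DEFAULT_BLOCK presumably cannot help here since that option only exists when ipfilter is compiled into the kernel — the warning should say so, e.g. `echo 'Warning: IP-filter module failed to load; continuing WITHOUT packet filtering.'`. Separately, the ipnat line keeps an `eval` that the neighbouring ipf line dropped, so the already-expanded `"${ipnat_rules}"` is parsed a second time and a rules path containing whitespace or shell metacharacters would be split or interpreted; `${ipnat_program:-/sbin/ipnat} -CF -f "${ipnat_rules}" ${ipnat_flags}` without `eval` matches the ipf invocation above it. network_pass1 begins before this hunk and continues past the second one.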
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # diff --git a/etc/rc.d/network1 b/etc/rc.d/network1 index e4bf1e6..dbbf037 100644 --- a/etc/rc.d/network1 +++ b/etc/rc.d/network1 
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # diff --git a/etc/rc.d/network2 b/etc/rc.d/network2 index e4bf1e6..dbbf037 100644 --- a/etc/rc.d/network2 +++ b/etc/rc.d/network2 
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # diff --git a/etc/rc.d/network3 b/etc/rc.d/network3 index e4bf1e6..dbbf037 100644 --- a/etc/rc.d/network3 +++ b/etc/rc.d/network3 
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # diff --git a/etc/rc.d/routing b/etc/rc.d/routing index e4bf1e6..dbbf037 100644 --- a/etc/rc.d/routing +++ b/etc/rc.d/routing 
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # diff --git a/etc/rc.network b/etc/rc.network index e4bf1e6..dbbf037 100644 --- a/etc/rc.network +++ b/etc/rc.network 
@@ -63,61 +63,78 @@ network_pass1() { # Establish ipfilter ruleset as early as possible (best in # addition to IPFILTER_DEFAULT_BLOCK in the kernel config file) - # - if /sbin/ipfstat -i > /dev/null 2>&1; then - ipfilter_in_kernel=1 - else - ipfilter_in_kernel=0 - fi - case "${ipfilter_enable}" in + # check whether ipfilter and/or ipnat is enabled + ipfilter_active="NO" + case ${ipfilter_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - - if [ -r "${ipfilter_rules}" ]; then - echo -n ' ipfilter'; - ${ipfilter_program:-/sbin/ipf -Fa -f} \ - "${ipfilter_rules}" ${ipfilter_flags} - case "${ipmon_enable}" in - [Yy][Ee][Ss]) - echo -n ' ipmon' - ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} - ;; - esac - case "${ipfs_enable}" in - [Yy][Ee][Ss]) - if [ -r "/var/db/ipf/ipstate.ipf" ]; then - echo -n ' ipfs'; - eval ${ipfs_program:-/sbin/ipfs -R} \ - ${ipfs_flags} - fi - ;; - esac - else - ipfilter_enable="NO" - echo -n ' NO IPF RULES' - fi + ipfilter_active="YES" + ;; esac - case "${ipnat_enable}" in + case ${ipnat_enable} in [Yy][Ee][Ss]) - if [ "${ipfilter_in_kernel}" -eq 0 ] && kldload ipl; then - ipfilter_in_kernel=1 - echo "Kernel ipfilter module loaded." - elif [ "${ipfilter_in_kernel}" -eq 0 ]; then - echo "Warning: ipfilter kernel module failed to load." - fi - if [ -r "${ipnat_rules}" ]; then - echo -n ' ipnat'; - eval ${ipnat_program:-/sbin/ipnat -CF -f} \ - "${ipnat_rules}" ${ipnat_flags} - else - echo -n ' NO IPNAT RULES' + ipfilter_active="YES" + ;; + esac + case ${ipfilter_active} in + [Yy][Ee][Ss]) + # load ipfilter kernel module if needed + if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if kldload ipl; then + echo 'IP-filter module loaded.' + else + echo 'Warning: IP-filter module failed to load.' 
+ # avoid further errors + ipmon_enable="NO" + ipfilter_enable="NO" + ipnat_enable="NO" + ipfs_enable="NO" + fi fi + # start ipmon before loading any rules + case "${ipmon_enable}" in + [Yy][Ee][Ss]) + echo -n ' ipmon' + ${ipmon_program:-/sbin/ipmon} ${ipmon_flags} + ;; + esac + case "${ipfilter_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipfilter_rules}" ]; then + echo -n ' ipfilter' + ${ipfilter_program:-/sbin/ipf} -Fa -f \ + "${ipfilter_rules}" ${ipfilter_flags} + else + ipfilter_enable="NO" + echo -n ' NO IPF RULES' + fi + ;; + esac + case "${ipnat_enable}" in + [Yy][Ee][Ss]) + if [ -r "${ipnat_rules}" ]; then + echo -n ' ipnat' + eval ${ipnat_program:-/sbin/ipnat} -CF -f \ + "${ipnat_rules}" ${ipnat_flags} + else + ipnat_enable="NO" + echo -n ' NO IPNAT RULES' + fi + ;; + esac + # restore filter/NAT state tables after loading the rules + case "${ipfs_enable}" in + [Yy][Ee][Ss]) + if [ -r "/var/db/ipf/ipstate.ipf" ]; then + echo -n ' ipfs' + ${ipfs_program:-/sbin/ipfs} -R ${ipfs_flags} + # remove files to avoid reloading old state + # after an ungraceful shutdown + rm -f /var/db/ipf/ipstate.ipf + rm -f /var/db/ipf/ipnat.ipf + fi + ;; + esac ;; esac @@ -279,19 +296,14 @@ network_pass1() { ;; esac - # Re-Sync ipfilter + # Re-Sync ipfilter so it picks up any new network interfaces # - case ${ipfilter_enable} in + case ${ipfilter_active} in [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} + ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} ;; - *) - case ${ipnat_enable} in - [Yy][Ee][Ss]) - ${ipfilter_program:-/sbin/ipf -y} - ;; - esac esac + unset ipfilter_active # Initialize IP filtering using ipfw # |