authordarrenr <darrenr@FreeBSD.org>2001-11-24 15:36:30 +0000
committerdarrenr <darrenr@FreeBSD.org>2001-11-24 15:36:30 +0000
commit94889bc82bde52bff12f3ab81bdbd8868c1a9204 (patch)
treeaf7dbbd8a5528518ab68bb8f20913312af48aa71 /etc
parentee8055d6038d7928288598a4238513bc459ed3bb (diff)
second part of the patches to complete ipf changes to rc
PR: multiple Submitted by: Arjan de Vet <devet@devet.org>
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf20
-rw-r--r--etc/rc.shutdown14
2 files changed, 15 insertions, 19 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index a1245d1..f0b6148 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -61,25 +61,21 @@ natd_enable="NO" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface or IPaddress to use.
natd_flags="" # Additional flags for natd.
ipfilter_enable="NO" # Set to YES to enable ipfilter functionality
-ipfilter_program="/sbin/ipf -Fa -f"
- # program and how to specify the rules file,
- # see /etc/rc.network (pass1) for details
+ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
-ipfilter_flags="-E" # should be *empty* when ipf is _not_ a module
- # (i.e. compiled into the kernel) to
- # avoid a warning about "already initialized"
-ipnat_enable="NO" # Set to YES for ipnat; needs ipfilter, too!
-ipnat_program="/sbin/ipnat -CF -f" # program and how to specify rules file
+ipfilter_flags="" # additional flags for ipfilter
+ipnat_enable="NO" # Set to YES to enable ipnat functionality
+ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
+ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter or ipnat
+ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
+ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
ipfs_enable="NO" # Set to YES to enable saving and restoring
# of state tables at shutdown and boot
-ipfs_flags="" # additional flags for ipfs
ipfs_program="/sbin/ipfs" # where the ipfs program lives
-ipmon_enable="NO" # Set to YES for ipmon; needs ipfilter, too!
-ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
-ipmon_flags="-Ds" # typically "-Ds" or "-D /var/log/ipflog"
+ipfs_flags="" # additional flags for ipfs
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="NO" # YES to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
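Review bot: The `ipfilter_program` and `ipnat_program` defaults change meaning here from "command line including options" to "path only", and the new comments do not tell an administrator with an existing override that the old form is no longer expected. An /etc/rc.conf that still carries `ipfilter_program="/sbin/ipf -Fa -f"` or `ipnat_program="/sbin/ipnat -CF -f"` would presumably have those options combined with whatever the start-up script now supplies itself (that script is not part of this diff), so the rule set could be loaded differently from what was intended. The default `ipfilter_flags` also drops `-E`, which the removed comment tied to ipf running as a module, so it is worth confirming that the start-up script now enables the filter itself rather than leaving rules loaded with filtering off. I would make the comments explicit, for example `# path to ipf only; options belong in ipfilter_flags`, and likewise for `ipnat_program`.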
diff --git a/etc/rc.shutdown b/etc/rc.shutdown
index 3984f68..f6c59c9 100644
--- a/etc/rc.shutdown
+++ b/etc/rc.shutdown
@@ -124,18 +124,18 @@ case ${local_startup} in
;;
esac
-# Save IP Filter state tables
+# Insert other shutdown procedures here
+
+# Saving firewall state tables should be done last
+echo -n 'Saving firewall state tables:'
+# Save IP-filter state tables
case ${ipfs_enable} in
[Yy][Ee][Ss])
- echo -n 'Saving IP Filter state tables:'
- eval ${ipfs_program:-/sbin/ipfs -W} ${ipfs_flags}
+ echo -n ' ipfs'
+ ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
;;
esac
-echo .
-
-# Insert other shutdown procedures here
-
echo '.'
exit 0
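Review bot: The `Saving firewall state tables:` banner is now printed before the `case`, so it appears on every shutdown even when `ipfs_enable` is not YES, and the exit status of the `ipfs -W` call is discarded. A failed save therefore looks the same on the console as a successful one, and the loss only becomes visible at the next boot when the state tables cannot be restored. I would report the failure on the same line, for example `${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} || echo -n ' (failed)'`, and add a short comment above the banner saying that it is intentionally unconditional if that is the case.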