authormlaier <mlaier@FreeBSD.org>2004-04-02 19:25:27 +0000
committermlaier <mlaier@FreeBSD.org>2004-04-02 19:25:27 +0000
commita19995e56292e9934e56cb4c881738c89b6477e3 (patch)
tree28edc7ced37af17b059964e476d6b4d4db3a2269 /etc
parent688833918a6ad17a8ae6951adcc80656f0235366 (diff)
downloadFreeBSD-src-a19995e56292e9934e56cb4c881738c89b6477e3.zip
FreeBSD-src-a19995e56292e9934e56cb4c881738c89b6477e3.tar.gz
Add rc.d script to start pflogd and add rcvars etc. Also document vars in
rc.conf(5) and put a sample entry in newsyslog.conf. Reviewed by: -current Approved by: bms(mentor)
Diffstat (limited to 'etc')
-rw-r--r--etc/defaults/rc.conf4
-rw-r--r--etc/newsyslog.conf2
-rwxr-xr-xetc/rc.d/Makefile2
-rw-r--r--etc/rc.d/pf2
-rw-r--r--etc/rc.d/pflog85
5 files changed, 93 insertions, 2 deletions
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index b608858..0e5f10b 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -107,6 +107,10 @@ pf_enable="NO" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
+pflog_enable="NO" # Set to YES to enable packet filter logging
+pflog_logfile="/var/log/pflog" # where pflogd shoule store the logfile
+pflog_program="/sbin/pflogd" # where the pflogd program lives
+pflog_flags="" # additional flags for pflogd
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
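Review bot: The comment on the new `pflog_logfile` line has a typo, `shoule`; since this is the documented default that rc.conf(5) readers copy, it should read `pflog_logfile="/var/log/pflog" # where pflogd should store the logfile`. The default path does match the commented newsyslog.conf sample entry in this commit, so the two stay consistent.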
diff --git a/etc/newsyslog.conf b/etc/newsyslog.conf
index c5b65d8..75ba197 100644
--- a/etc/newsyslog.conf
+++ b/etc/newsyslog.conf
@@ -36,3 +36,5 @@
/var/log/weekly.log 640 5 1 $W6D0 JN
/var/log/wtmp 644 3 * @01T05 B
/var/log/xferlog 600 7 100 * J
+# pflogd sample entry
+#/var/log/pflog 600 3 100 * JB /var/run/pflogd.pid
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 2e087a8..852cf12 100755
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -25,7 +25,7 @@ FILES= DAEMON LOGIN NETWORKING SERVERS \
network_ipv6 nfsclient nfsd \
nfslocking nfsserver nisdomain ntpd ntpdate \
othermta \
- pccard pcvt pf power_profile ppp-user pppoed pwcheck \
+ pccard pcvt pf pflog power_profile ppp-user pppoed pwcheck \
quota \
random rarpd rcconf.sh resolv root \
route6d routed routing rpcbind rtadvd rwho \
diff --git a/etc/rc.d/pf b/etc/rc.d/pf
index f8fabd0..c2f387b 100644
--- a/etc/rc.d/pf
+++ b/etc/rc.d/pf
@@ -4,7 +4,7 @@
#
# PROVIDE: pf
-# REQUIRE: root beforenetlkm mountcritlocal netif
+# REQUIRE: root beforenetlkm mountcritlocal netif pflog
# BEFORE: DAEMON LOGIN
# KEYWORD: FreeBSD nojail
diff --git a/etc/rc.d/pflog b/etc/rc.d/pflog
new file mode 100644
index 0000000..3a40525
--- /dev/null
+++ b/etc/rc.d/pflog
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pflog
+# REQUIRE: root beforenetlkm mountcritlocal netif
+# BEFORE: DAEMON LOGIN
+# KEYWORD: FreeBSD nojail
+
+. /etc/rc.subr
+
+name="pflog"
+rcvar=`set_rcvar`
+load_rc_config $name
+stop_precmd="test -x ${pflog_program}"
+start_precmd="pflog_prestart"
+start_cmd="pflog_start"
+stop_cmd="pflog_stop"
+resync_precmd="$stop_precmd"
+resync_cmd="pflog_resync"
+status_precmd="$stop_precmd"
+status_cmd="pflog_status"
+extra_commands="resync status"
+
+pflog_prestart()
+{
+ # load pflog kernel module if needed
+ if ! kldstat -v | grep -q pflog\$; then
+ if kldload pflog; then
+ info 'pflog module loaded.'
+ else
+ err 1 'pflog module failed to load.'
+ fi
+ fi
+
+ # set pflog0 interface to up state
+ if ! ifconfig pflog0 up; then
+ warn 'pflog: COULD NOT SET UP pflog0'
+ fi
+
+ # check for pf rules
+ if [ ! -x "${pflog_program:-/sbin/pflogd}" ]
+ then
+ warn 'pflog: NO PFLOGD BINARY FOUND'
+ return 1
+ fi
+}
+
+pflog_start()
+{
+ echo -n "Enabling pflogd"
+ if ! ${pflog_program:-/sbin/pflogd} ${pflog_flags} \
+ -f ${pflog_logfile:-/var/log/pflog}; then
+ echo " failed!"
+ else
+ echo "."
+ fi
+}
+
+pflog_stop()
+{
+ if [ -r /var/run/pflogd.pid ]; then
+ echo "Stopping pflogd."
+ kill `cat /var/run/pflogd.pid`
+ fi
+}
+
+pflog_resync()
+{
+ if [ -r /var/run/pflogd.pid ]; then
+ kill -SIGHUP `cat /var/run/pflogd.pid`
+ fi
+}
+
+pflog_status()
+{
+ if [ -r /var/run/pflogd.pid ]; then
+ ps -p `cat /var/run/pflogd.pid` | tail -n 1
+ else
+ echo 'pflogd not running.'
+ fi
+}
+
+run_rc_command "$1"
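Review bot: `pflog_status` reports a stale pidfile as a running daemon: when /var/run/pflogd.pid is readable but its pid is gone, `ps -p` still emits its header line and `tail -n 1` then prints that header as if it were the pflogd process. `pflog_stop` and `pflog_resync` have the same stale-pidfile exposure, since they signal whatever pid is in the file without confirming it still belongs to pflogd, so after a crash the signal could reach an unrelated process that reused the pid. Checking the `ps -p` exit status before printing (below) fixes status; for stop/resync, rc.subr's `pidfile`/`check_pidfile` handling may already do the process-name match, if its match works with pflogd's process title — worth confirming before relying on it. Separately, the comment `# check for pf rules` in `pflog_prestart` describes a test of the pflogd binary; `# check for the pflogd binary` would match the test below it.
```shell
pflog_status()
{
	if [ -r /var/run/pflogd.pid ]; then
		_pid=$(cat /var/run/pflogd.pid)
		# ps -p exits non-zero when the pid no longer exists; without this
		# check `| tail -n 1` prints the ps header and a stale pidfile
		# looks like a running daemon.
		if ps -p "$_pid" >/dev/null 2>&1; then
			ps -p "$_pid" | tail -n 1
			return 0
		fi
	fi
	echo 'pflogd not running.'
}
# … unchanged: pflog_prestart, pflog_start, pflog_stop, pflog_resync …
```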