diff options
| author | mux <mux@FreeBSD.org> | 2003-09-27 13:50:47 +0000 |
|---|---|---|
| committer | mux <mux@FreeBSD.org> | 2003-09-27 13:50:47 +0000 |
| commit | c1bc6d5ff2aff59291a31bebffdb96be391e0012 (patch) | |
| tree | 2f051a22a58c633eb7274fdd21fd3a140e8073fd /etc | |
| parent | 74c6dfd454b675b7406058908d5bdcdcaa40be38 (diff) | |
| download | FreeBSD-src-c1bc6d5ff2aff59291a31bebffdb96be391e0012.zip FreeBSD-src-c1bc6d5ff2aff59291a31bebffdb96be391e0012.tar.gz | |
A number of fixes/enhancements for the ipfilter rc script:
- Use a more robust check to determine if we need to load ipl.ko.
- Don't try to run ipf -E if ipfilter is already enabled. Look at
the net.inet.ipf.fr_running sysctl to figure this out. This fixes
a warning message about ipfilter being already initialized.
- Only one ipf -E command is needed. We don't need an extra one for
the -6 case which would only print a warning message about ipfilter
being already initialized.
- Fix one occurence where we were running /sbin/ipf directly without
using the ${ipfilter_program} variable if set.
- In ipfilter_stop(), don't try to save the firewall state tables if
ipfilter is disabled. Similarly, don't try to disable it if it's
already disabled. This fixes some more error messages.
Diffstat (limited to 'etc')
| -rwxr-xr-x | etc/rc.d/ipfilter | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/etc/rc.d/ipfilter b/etc/rc.d/ipfilter index 021f331..f6dab79 100755 --- a/etc/rc.d/ipfilter +++ b/etc/rc.d/ipfilter @@ -40,7 +40,7 @@ ipfilter_prestart() case ${OSTYPE} in FreeBSD) # load ipfilter kernel module if needed - if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then + if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then if kldload ipl; then info 'IP-filter module loaded.' else @@ -79,12 +79,15 @@ ipfilter_start() echo "Enabling ipfilter." case ${OSTYPE} in FreeBSD) - ${ipfilter_program:-/sbin/ipf} -EFa + if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then + ${ipfilter_program:-/sbin/ipf} -E + fi + ${ipfilter_program:-/sbin/ipf} -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} \ -f "${ipfilter_rules}" ${ipfilter_flags} fi - ${ipfilter_program:-/sbin/ipf} -6 -EFa + ${ipfilter_program:-/sbin/ipf} -6 -Fa if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -6 \ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} @@ -104,17 +107,21 @@ ipfilter_start() ipfilter_stop() { - case ${OSTYPE} in - FreeBSD) - echo "Saving firewall state tables" - ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} - ;; - NetBSD) - ;; - esac - # XXX - The following command is not effective for 'lkm's - echo "Disabling ipfilter." - /sbin/ipf -D + # XXX - The ipf -D command is not effective for 'lkm's + if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then + case ${OSTYPE} in + FreeBSD) + echo "Saving firewall state tables" + ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} + echo "Disabling ipfilter." + ${ipfilter_program:-/sbin/ipf} -D + ;; + NetBSD) + echo "Disabling ipfilter." + /sbin/ipf -D + ;; + esac + fi } ipfilter_reload() @@ -157,7 +164,7 @@ ipfilter_resync() case ${OSTYPE} in FreeBSD) # Don't resync if ipfilter is not loaded - [ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return + [ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return ;; esac ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} |
