-rw-r--r--contrib/pf/man/pfsync.423
-rw-r--r--etc/defaults/rc.conf3
-rwxr-xr-xetc/rc.d/Makefile2
-rw-r--r--etc/rc.d/pfsync53
-rw-r--r--share/man/man5/rc.conf.533
5 files changed, 111 insertions, 3 deletions
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4
index 10fc5a6..abc81af 100644
--- a/contrib/pf/man/pfsync.4
+++ b/contrib/pf/man/pfsync.4
@@ -129,7 +129,25 @@ dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with
.Xr ipsec 4 .
.Pp
+For
+.Nm
+to start its operation automatically at the system boot time,
+.Va pfsync_enable
+and
+.Va pfsync_syncdev
+variables should be used in
+.Xr rc.conf 5 .
+It is not advisable to set up
+.Nm
+with common network interface configuration variables of
+.Xr rc.conf 5
+because
+.Nm
+must start after its
+.Cm syncdev ,
+which cannot be always ensured in the latter case.
.\" XXX: not yet!
+.\" .Pp
.\" There is a one-to-one correspondence between packets seen by
.\" .Xr bpf 4
.\" on the
@@ -167,14 +185,15 @@ indicated):
Interfaces configuration in
.Pa /etc/rc.conf :
.Bd -literal -offset indent
+network_interfaces="lo0 sis0 sis1 sis2"
cloned_interfaces="carp0 carp1"
-network_interfaces="lo0 sis0 sis1 sis2 carp0 carp1 pfsync0"
ifconfig_sis0="10.0.0.254/24"
ifconfig_sis1="192.168.0.254/24"
ifconfig_sis2="192.168.254.254/24"
ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
-ifconfig_pfsync0="up syncif sis2"
+pfsync_enable="YES"
+pfsync_syncdev="sis2"
.Ed
.Pp
.Xr pf 4
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 34b1add..1385061 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -135,6 +135,9 @@ pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
+pfsync_enable="NO" # Expose pf state to other hosts for syncing
+pfsync_syncdev="" # Interface for pfsync to work through
+pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
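Review bot: The comment on the new `pfsync_syncdev` default says only which interface pfsync works through, while the pfsync.4 hunk in this same commit explains that the sync interface should be a dedicated link or carry ipsec(4)-protected traffic; that caveat is worth a pointer here because the defaults file is where most administrators first meet the variable. I would extend the line to `pfsync_syncdev="" # Interface for pfsync to work through; see pfsync(4) on protecting it` and leave the other two comments as they are. The `pfsync_ifconfig` comment could also say it is passed as a word list, since the rc script splits it on whitespace.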
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 7437455..e0ba8e5 100755
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -25,7 +25,7 @@ FILES= DAEMON LOGIN NETWORKING SERVERS \
network_ipv6 newsyslog nfsclient nfsd \
nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
othermta \
- pccard pcvt pf pflog \
+ pccard pcvt pf pflog pfsync \
powerd power_profile ppp-user pppoed pwcheck \
quota \
ramdisk ramdisk-own random rarpd rcconf.sh resolv root \
diff --git a/etc/rc.d/pfsync b/etc/rc.d/pfsync
new file mode 100644
index 0000000..8d49042
--- /dev/null
+++ b/etc/rc.d/pfsync
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pfsync
+# REQUIRE: root mountcritlocal netif
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pfsync"
+rcvar=`set_rcvar`
+start_precmd="pfsync_prestart"
+start_cmd="pfsync_start"
+stop_cmd="pfsync_stop"
+
+pfsync_prestart()
+{
+ case "$pfsync_syncdev" in
+ '')
+ warn "pfsync_syncdev is not set."
+ return 1
+ ;;
+ esac
+
+ # load pf kernel module if needed
+ if ! kldstat -q -m pf ; then
+ if kldload pf ; then
+ info "pf module loaded."
+ else
+ warn "pf module failed to load."
+ return 1
+ fi
+ fi
+
+ return 0
+}
+
+pfsync_start()
+{
+ echo "Enabling pfsync."
+ ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
+}
+
+pfsync_stop()
+{
+ echo "Disabling pfsync."
+ ifconfig pfsync0 -syncdev down
+}
+
+load_rc_config $name
+run_rc_command "$1"
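Review bot: In pfsync_start the two expansions on the ifconfig line are treated the same although they mean different things: `$pfsync_syncdev` is a single interface name and should be quoted, while `$pfsync_ifconfig` is deliberately left unquoted so that a list of options splits into separate arguments, and nothing in the script says so. I would change the line to `ifconfig pfsync0 syncdev "$pfsync_syncdev" $pfsync_ifconfig up` and precede it with `# $pfsync_ifconfig is intentionally unquoted: it holds a list of ifconfig(8) options`. pfsync_prestart only rejects an empty pfsync_syncdev, so a misspelled interface name is not noticed until ifconfig fails in pfsync_start, after "Enabling pfsync." has already been printed; a `case` arm or an `ifconfig "$pfsync_syncdev" >/dev/null 2>&1 ||` check in the prestart would report it before any state is touched. The pf module load in pfsync_prestart is presumably what makes the pfsync0 interface available; a one-line comment stating that would help the next reader, if it holds.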
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index cb4b0a3..93862ed 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -785,6 +785,38 @@ Empty by default.
This variable contains additional flags passed to the
.Xr pflogd 8
program.
+.It Va pfsync_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables exposing
+.Xr pf 4
+state changes to other hosts over the network by means of
+.Xr pfsync 4 .
+The
+.Va pfsync_syncdev
+variable
+must also be set then.
+.It Va pfsync_syncdev
+.Pq Vt str
+Empty by default.
+This variable specifies the name of the network interface
+.Xr pfsync 4
+should operate through.
+It must be set accordingly if
+.Va pfsync_enable
+is set to
+.Dq Li YES .
+.It Va pfsync_ifconfig
+.Pq Vt str
+Empty by default.
+This variable can contain additional options to be passed to the
+.Xr ifconfig 8
+command used to set up
+.Xr pfsync 4 .
.It Va tcp_extensions
.Pq Vt bool
Set to
@@ -3323,6 +3355,7 @@ device and the mount point will be changed.
.Xr kld 4 ,
.Xr pf 4 ,
.Xr pflog 4 ,
+.Xr pfsync 4 ,
.Xr tcp 4 ,
.Xr udp 4 ,
.Xr exports 5 ,