From c1bc6d5ff2aff59291a31bebffdb96be391e0012 Mon Sep 17 00:00:00 2001
From: mux
Date: Sat, 27 Sep 2003 13:50:47 +0000
Subject: A number of fixes/enhancements for the ipfilter rc script: - Use a more robust check to determine if we need to load ipl.ko. - Don't try to run ipf -E if ipfilter is already enabled. Look at the net.inet.ipf.fr_running sysctl to figure this out. This fixes a warning message about ipfilter being already initialized. - Only one ipf -E command is needed. We don't need an extra one for the -6 case which would only print a warning message about ipfilter being already initialized. - Fix one occurence where we were running /sbin/ipf directly without using the ${ipfilter_program} variable if set. - In ipfilter_stop(), don't try to save the firewall state tables if ipfilter is disabled. Similarly, don't try to disable it if it's already disabled. This fixes some more error messages.
---
 etc/rc.d/ipfilter | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)
(limited to 'etc')
diff --git a/etc/rc.d/ipfilter b/etc/rc.d/ipfilter
index 021f331..f6dab79 100755
--- a/etc/rc.d/ipfilter
+++ b/etc/rc.d/ipfilter
@@ -40,7 +40,7 @@ ipfilter_prestart()
 case ${OSTYPE} in
 FreeBSD)
 # load ipfilter kernel module if needed
- if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
+ if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
 if kldload ipl; then
 info 'IP-filter module loaded.'
 else
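Review bot: The new module test in ipfilter_prestart matches the display text "IP Filter" in `kldstat -v` output, and nothing in the hunk records which line of that output it is expected to hit. If the name the module registers under changes, the grep stops matching and `kldload ipl` is attempted on every start, presumably ending in the `else` branch even though the filter is already present. I would add a comment above the test along the lines of `# kldstat -v lists the modules inside each loaded file; "IP Filter" is the name ipl registers` (wording to be confirmed against the module source). The same test is repeated in ipfilter_resync, so a small shared helper would keep the two copies from drifting apart. The function body continues outside the hunk.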
@@ -79,12 +79,15 @@ ipfilter_start()
 echo "Enabling ipfilter."
 case ${OSTYPE} in
 FreeBSD)
- ${ipfilter_program:-/sbin/ipf} -EFa
+ if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
+ ${ipfilter_program:-/sbin/ipf} -E
+ fi
+ ${ipfilter_program:-/sbin/ipf} -Fa
 if [ -r "${ipfilter_rules}" ]; then
 ${ipfilter_program:-/sbin/ipf} \
 -f "${ipfilter_rules}" ${ipfilter_flags}
 fi
- ${ipfilter_program:-/sbin/ipf} -6 -EFa
+ ${ipfilter_program:-/sbin/ipf} -6 -Fa
 if [ -r "${ipv6_ipfilter_rules}" ]; then
 ${ipfilter_program:-/sbin/ipf} -6 \
 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
@@ -104,17 +107,21 @@ ipfilter_start()
 ipfilter_stop()
 {
- case ${OSTYPE} in
- FreeBSD)
- echo "Saving firewall state tables"
- ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
- ;;
- NetBSD)
- ;;
- esac
- # XXX - The following command is not effective for 'lkm's
- echo "Disabling ipfilter."
- /sbin/ipf -D
+ # XXX - The ipf -D command is not effective for 'lkm's
+ if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
+ case ${OSTYPE} in
+ FreeBSD)
+ echo "Saving firewall state tables"
+ ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
+ echo "Disabling ipfilter."
+ ${ipfilter_program:-/sbin/ipf} -D
+ ;;
+ NetBSD)
+ echo "Disabling ipfilter."
+ /sbin/ipf -D
+ ;;
+ esac
+ fi
 }
 ipfilter_reload()
@@ -157,7 +164,7 @@ ipfilter_resync()
 case ${OSTYPE} in
 FreeBSD)
 # Don't resync if ipfilter is not loaded
- [ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
+ [ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return
 ;;
 esac
 ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
-- 
cgit v1.1
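Review bot: The `-eq 0` test added in ipfilter_start skips `ipf -E` whenever the sysctl read yields anything other than 0, including an empty string, although "Enabling ipfilter." has already been printed. The substitution is unquoted, so an empty result turns the test into `[ -eq 0 ]`, which errors out and counts as false, and the start then carries on without enabling the filter. For a packet filter the safer default is to enable unless it is known to be running: `if [ "$(sysctl -n net.inet.ipf.fr_running 2>/dev/null)" != "1" ]; then`. The same unquoted substitution appears in the `-eq 1` test in ipfilter_stop. ipfilter_start begins and continues outside this hunk.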
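Review bot: The fr_running test in ipfilter_stop now wraps the whole `case ${OSTYPE}`, so the NetBSD arm, which used to run `/sbin/ipf -D` unconditionally, is gated on a sysctl that this diff otherwise uses only in the FreeBSD arm of ipfilter_start. If that name is not available on NetBSD, the substitution is empty, the test fails with a `[` error, and stop never disables the filter there. Moving the `if` inside the `FreeBSD)` arm keeps the NetBSD behaviour as it was. Separately, `ipfs -W` is followed by `ipf -D` without checking its exit status, so a failed state save goes unreported; `${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} || warn 'could not save ipfilter state'` would surface it.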
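Review bot: The rewritten guard in ipfilter_resync is not a valid test: `[ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ]` parses as a pipeline of `[ kldstat -v` (no closing bracket, so it complains on stderr) into `grep "IP Filter" ]`, where `]` is taken as a file name. The pipeline status is grep's failure, so in practice `&& return` never fires and `ipf -y` runs even when the filter is not loaded. The sense is also reversed relative to the comment above it, since a working match would return when the filter is loaded. The form already used in ipfilter_prestart fixes both: `kldstat -v | grep "IP Filter" > /dev/null 2>&1 || return`. The function begins outside the hunk.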