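#!/bin/sh
#
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
# $FreeBSD$
#
# rc.d script for IP Filter (ipf).  start loads the kernel module where
# needed and installs the rule set; stop saves state (FreeBSD) and disables
# the filter; reload, resync and status are offered as extra commands.
#
# FreeBSD takes ipfilter_rules, ipfilter_flags, ipfilter_program, ipfs_flags
# and ipfs_program from rc.conf (via load_rc_config); NetBSD uses the fixed
# paths /etc/ipf.conf (IPv4) and /etc/ipf6.conf (IPv6).
#
# PROVIDE: ipfilter
# REQUIRE: root beforenetlkm mountcritlocal tty
# KEYWORD: FreeBSD NetBSD

. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# rc.subr eval's the *_precmd strings when the command runs, so the quoted
# expansion below is resolved then.  Keeping the quotes inside the string
# means an empty ${ipfilter_rules} yields `test -f ""` (false) instead of a
# bare `test -f`, which is a one-argument test and therefore true.
case ${OSTYPE} in
FreeBSD)
	stop_precmd='test -f "${ipfilter_rules}"'
	;;
NetBSD)
	stop_precmd='test -f /etc/ipf.conf || test -f /etc/ipf6.conf'
	;;
esac

start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"

# Check that the filter can be started.
# FreeBSD: load the ipl module if the net.inet.ipf sysctl tree is absent,
#          then require a readable ${ipfilter_rules}.
# NetBSD:  require that /etc/ipf.conf or /etc/ipf6.conf exists; when
#          autobooting, treat their absence as fatal for the boot.
# Returns 0 when start may proceed, 1 otherwise.
ipfilter_prestart()
{
	case ${OSTYPE} in
	FreeBSD)
		# The sysctl is only present once the module is loaded.
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if kldload ipl; then
				echo 'IP-filter module loaded.'
			else
				warn 'IP-filter module failed to load.'
				return 1
			fi
		fi
		# -r, not -f: ipf must be able to read the file.
		if [ ! -r "${ipfilter_rules}" ]; then
			warn 'IP-filter: NO IPF RULES'
			return 1
		fi
		;;
	NetBSD)
		# Existence check (-f), matching stop_precmd; readability is
		# left to ipf itself.
		if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
			warn "/etc/ipf*.conf not readable; ipfilter start aborted."
			#
			# If booting directly to multiuser, send SIGTERM to
			# the parent (/etc/rc) to abort the boot rather than
			# come up with no packet filter.
			# NOTE(review): $$ is this shell's PID; it is /etc/rc
			# only if rc.subr sources this script rather than
			# running it in a child sh -- confirm for this tree.
			#
			if [ "$autoboot" = yes ]; then
				echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
				kill -TERM $$
				exit 1
			fi
			return 1
		fi
		;;
	esac
	return 0
}

# Enable the filter and install the rule set, flushing (-Fa) anything
# already loaded.  FreeBSD loads the single rc.conf rules file; NetBSD
# enables with -E and loads whichever of the IPv4/IPv6 files exist.
ipfilter_start()
{
	echo "Enabling ipfilter."
	case ${OSTYPE} in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -Fa -f \
		    "${ipfilter_rules}" ${ipfilter_flags}
		;;
	NetBSD)
		/sbin/ipf -E -Fa
		if [ -f /etc/ipf.conf ]; then
			/sbin/ipf -f /etc/ipf.conf
		fi
		if [ -f /etc/ipf6.conf ]; then
			/sbin/ipf -6 -f /etc/ipf6.conf
		fi
		;;
	esac
}

# Disable the filter.  On FreeBSD the state tables are written out first
# with ipfs -W so they can be restored later.
ipfilter_stop()
{
	case ${OSTYPE} in
	FreeBSD)
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		;;
	NetBSD)
		;;
	esac
	# XXX - The following command is not effective for 'lkm's
	echo "Disabling ipfilter."
	# Same program override as start/resync/status; default is /sbin/ipf.
	${ipfilter_program:-/sbin/ipf} -D
}

# Reload the rule set atomically: load into the inactive list (-I) and
# swap it in (-s) only if every file loaded cleanly, so a bad rules file
# leaves the running rules untouched.
ipfilter_reload()
{
	echo "Reloading ipfilter rules."
	case ${OSTYPE} in
	FreeBSD)
		# The load goes to the inactive list; without the trailing
		# -s the new rules would never take effect.  Mirrors the
		# NetBSD branch below.
		if ! ${ipfilter_program:-/sbin/ipf} -I -Fa -f \
		    "${ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipfilter_rules} failed; not swapping to" \
			    " new ruleset."
		fi
		${ipfilter_program:-/sbin/ipf} -s
		;;
	NetBSD)
		/sbin/ipf -I -Fa
		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
			err 1 "reload of ipf.conf failed; not swapping to" \
			    " new ruleset."
		fi
		if [ -f /etc/ipf6.conf ] && \
		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
			err 1 "reload of ipf6.conf failed; not swapping to" \
			    " new ruleset."
		fi
		/sbin/ipf -s
		;;
	esac
}

# Resync the filter with the current interface configuration (ipf -y).
# On FreeBSD this is skipped when the module is not loaded.
ipfilter_resync()
{
	case ${OSTYPE} in
	FreeBSD)
		# Same module-present probe as ipfilter_prestart.  It must be
		# run as a plain command: wrapping it in [ ] makes test(1)
		# see the words "sysctl net.inet.ipf.fr_pass" as its
		# operands, so the result never reflects whether the
		# module is loaded.
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			return 0
		fi
		;;
	esac
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

# Report filter status via ipf -V.
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"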