1 #!/bin/sh
2 #
3 # $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
4 # $FreeBSD$
5 #
6
7 # PROVIDE: ipfilter
8 # REQUIRE: root mountcritlocal
9 # BEFORE:  netif
10 # KEYWORD: nojail
11
12 . /etc/rc.subr
13
14 name="ipfilter"
15 rcvar=`set_rcvar`
16 load_rc_config $name
17 stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
18
19 start_precmd="ipfilter_prestart"
20 start_cmd="ipfilter_start"
21 stop_cmd="ipfilter_stop"
22 reload_precmd="$stop_precmd"
23 reload_cmd="ipfilter_reload"
24 resync_precmd="$stop_precmd"
25 resync_cmd="ipfilter_resync"
26 status_precmd="$stop_precmd"
27 status_cmd="ipfilter_status"
28 extra_commands="reload resync status"
# Report whether the ipfilter kernel module is present.
# Returns 0 when "kldstat -v" prints a line ending in "ipfilter",
# 1 otherwise.  grep's output and diagnostics are discarded.
ipfilter_loaded()
{
        if kldstat -v | grep "ipfilter$" > /dev/null 2>&1; then
                return 0
        fi
        return 1
}
# Pre-start hook: make sure the kernel module is available and that there
# is at least one readable rules file to load.
# Returns 0 when the start may proceed, 1 (after a warning) when neither
# ${ipfilter_rules} nor ${ipv6_ipfilter_rules} is readable.  A failed
# module load is reported through err with exit code 1.
# Note that the module is loaded before the rules check, so it stays
# loaded even when this hook then refuses the start for lack of rules.
ipfilter_prestart()
{
        # Load the ipl module only when ipfilter is not already present.
        if ipfilter_loaded; then
                :
        elif kldload ipl; then
                info 'IP-filter module loaded.'
        else
                err 1 'IP-filter module failed to load.'
        fi

        # One readable rules file (IPv4 or IPv6) is enough to go ahead.
        if [ -r "${ipfilter_rules}" ] || [ -r "${ipv6_ipfilter_rules}" ]; then
                return 0
        fi
        warn 'IP-filter: NO IPF RULES'
        return 1
}
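# Enable the filter and load the IPv4 and IPv6 rulesets.
# Globals read: ipfilter_program, ipfilter_rules, ipv6_ipfilter_rules,
#               ipfilter_flags (left unquoted so it may carry several flags).
# Returns 0 when every readable rules file loaded, 1 otherwise.
#
# The active rules are flushed (-Fa) before the new ones are read, so a
# rules file that fails to load leaves the filter enabled with no rules
# for that address family.  That case is now reported with a warning and
# a non-zero status instead of being ignored; previously only a failure
# of the last (IPv6) load was visible in the return status.
ipfilter_start()
{
        local _ipf _running _rc

        _ipf=${ipfilter_program:-/sbin/ipf}
        _rc=0

        echo "Enabling ipfilter."

        # An unreadable sysctl used to produce a malformed test expression;
        # treat "no value" as "not running" so the enable is still tried.
        _running=`sysctl -n net.inet.ipf.fr_running 2>/dev/null`
        if [ "${_running:-0}" -le 0 ]; then
                ${_ipf} -E
        fi

        ${_ipf} -Fa
        if [ -r "${ipfilter_rules}" ]; then
                if ! ${_ipf} -f "${ipfilter_rules}" ${ipfilter_flags}; then
                        warn "IP-filter: failed to load ${ipfilter_rules}"
                        _rc=1
                fi
        fi

        ${_ipf} -6 -Fa
        if [ -r "${ipv6_ipfilter_rules}" ]; then
                if ! ${_ipf} -6 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
                        warn "IP-filter: failed to load ${ipv6_ipfilter_rules}"
                        _rc=1
                fi
        fi

        return ${_rc}
}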
# Stop filtering: when net.inet.ipf.fr_running reads 1, save the state
# tables with ipfs -W and then disable the filter with ipf -D.
# Does nothing (status 0) when the sysctl does not read 1; otherwise the
# status is that of the final ipf -D call.
ipfilter_stop()
{
        # XXX - The ipf -D command is not effective for 'lkm's
        [ $(sysctl -n net.inet.ipf.fr_running) -eq 1 ] || return 0

        # State is written out first so it is captured while the filter
        # is still running.
        echo "Saving firewall state tables"
        ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}

        echo "Disabling ipfilter."
        ${ipfilter_program:-/sbin/ipf} -D
}
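# Reload the rules without an unfiltered window: the new IPv4 and IPv6
# rules are built in the inactive set (-I) and only then swapped in (-s).
# Globals read: ipfilter_program, ipfilter_rules, ipv6_ipfilter_rules,
#               ipfilter_flags (left unquoted so it may carry several flags).
# Returns the status of the swap, or 1 when a rules file failed to load.
#
# The swap used to run even when a load had failed, which would replace
# the working rules with a flushed or partial set.  A failed load now
# aborts the reload before the swap, leaving the active rules untouched.
ipfilter_reload()
{
        local _ipf

        _ipf=${ipfilter_program:-/sbin/ipf}

        echo "Reloading ipfilter rules."

        ${_ipf} -I -Fa
        if [ -r "${ipfilter_rules}" ]; then
                if ! ${_ipf} -I -f "${ipfilter_rules}" ${ipfilter_flags}; then
                        warn "IP-filter: failed to load ${ipfilter_rules}; active rules left unchanged"
                        return 1
                fi
        fi

        ${_ipf} -I -6 -Fa
        if [ -r "${ipv6_ipfilter_rules}" ]; then
                if ! ${_ipf} -I -6 -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
                        warn "IP-filter: failed to load ${ipv6_ipfilter_rules}; active rules left unchanged"
                        return 1
                fi
        fi

        # Activate the freshly built set only after every load succeeded.
        ${_ipf} -s
}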
# Ask ipf to resynchronise (-y), passing ${ipfilter_flags} along.
# Returns 0 without doing anything when the module is not loaded;
# otherwise the status is that of the ipf call.
ipfilter_resync()
{
        # Nothing to resync while ipfilter is not loaded.
        ipfilter_loaded || return 0

        ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}
# Show what "ipf -V" reports, using ${ipfilter_program} when it is set
# and /sbin/ipf otherwise.  The status is that of the ipf call.
ipfilter_status()
{
        local _ipf

        _ipf=${ipfilter_program:-/sbin/ipf}
        ${_ipf} -V
}
120 run_rc_command "$1"