Bring RCNG in from 5.x and adjust config files and scripts accordingly.
1 #!/bin/sh
2 #
3 # $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
4 # $FreeBSD: src/etc/rc.d/ipfilter,v 1.10 2003/04/30 02:54:17 mtm Exp $
5 # $DragonFly: src/etc/rc.d/ipfilter,v 1.1 2003/07/24 06:35:37 dillon Exp $
6 #
7
8 # PROVIDE: ipfilter
9 # REQUIRE: root beforenetlkm mountcritlocal tty ipmon
10 # BEFORE:  netif
11 # KEYWORD: DragonFly FreeBSD NetBSD
12
13 . /etc/rc.subr
14
name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

# Precondition shared by stop, reload, resync and status: at least one
# rules file must exist.  DragonFly and FreeBSD take the paths from the rc
# configuration; NetBSD uses fixed paths.
# NOTE(review): the configured paths are expanded right here and embedded
# unquoted in the command string, so a value containing whitespace, or two
# empty values (giving "test -f -o -f"), changes what test(1) is asked.
# Confirm how rc.subr runs the *_precmd strings before relying on this guard.
case "${OSTYPE}" in
DragonFly|FreeBSD)
	stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
	;;
NetBSD)
	stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
	;;
esac

# Command hooks, grouped per action.
start_precmd="ipfilter_prestart"
start_cmd="ipfilter_start"

stop_cmd="ipfilter_stop"

reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"

resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"

status_precmd="$stop_precmd"
status_cmd="ipfilter_status"

extra_commands="reload resync status"
42
#
# ipfilter_prestart: pre-flight check run before "start".
#
# DragonFly/FreeBSD: loads the ipl kernel module when the
# net.inet.ipf.fr_pass sysctl cannot be read, then requires at least one
# readable rules file (IPv4 or IPv6).
# NetBSD: requires /etc/ipf.conf or /etc/ipf6.conf to exist; during
# autoboot a missing configuration aborts the boot.
#
# Returns 0 when start may proceed, 1 when no rules file is available.
#
ipfilter_prestart()
{
	case "${OSTYPE}" in
	DragonFly|FreeBSD)
		# load ipfilter kernel module if needed
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			if ! kldload ipl; then
				err 1 'IP-filter module failed to load.'
			else
				info 'IP-filter module loaded.'
			fi
		fi

		# Refuse to start without rules.  This only skips the start
		# action; the host is then running without this script's
		# ruleset.
		if ! { [ -r "${ipfilter_rules}" ] || \
		    [ -r "${ipv6_ipfilter_rules}" ]; }; then
			warn 'IP-filter: NO IPF RULES'
			return 1
		fi
		;;
	NetBSD)
		if ! { [ -f /etc/ipf.conf ] || [ -f /etc/ipf6.conf ]; }; then
			warn "/etc/ipf*.conf not readable; ipfilter start aborted."
			#
			# If booting directly to multiuser, send SIGTERM to
			# the parent (/etc/rc) to abort the boot
			#
			if [ "$autoboot" = yes ]; then
				echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
				kill -TERM $$
				exit 1
			fi
			return 1
		fi
		;;
	esac
	return 0
}
98
#
# ipfilter_start: enable the filter and load the IPv4 and IPv6 rulesets.
#
# DragonFly/FreeBSD use ${ipfilter_program} (default /sbin/ipf) with
# ${ipfilter_rules}, ${ipv6_ipfilter_rules} and ${ipfilter_flags};
# NetBSD uses /sbin/ipf with /etc/ipf.conf and /etc/ipf6.conf.
#
# NOTE(review): each list is flushed (-Fa) before its rules file is loaded
# and the exit status of the load is not examined, so a rules file that
# fails to load leaves the filter enabled with whatever was loaded up to
# that point.  Checking the log after boot is advisable.
#
ipfilter_start()
{
	echo "Enabling ipfilter."
	case "${OSTYPE}" in
	DragonFly|FreeBSD)
		# IPv4: enable, flush all rules, then load the rules file.
		${ipfilter_program:-/sbin/ipf} -EFa
		if [ -r "${ipfilter_rules}" ]
		then
			${ipfilter_program:-/sbin/ipf} \
			    -f "${ipfilter_rules}" ${ipfilter_flags}
		fi

		# IPv6: same sequence with -6.
		${ipfilter_program:-/sbin/ipf} -6 -EFa
		if [ -r "${ipv6_ipfilter_rules}" ]
		then
			${ipfilter_program:-/sbin/ipf} -6 \
			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
		fi
		;;
	NetBSD)
		/sbin/ipf -E -Fa
		if [ -f /etc/ipf.conf ]
		then
			/sbin/ipf -f /etc/ipf.conf
		fi
		if [ -f /etc/ipf6.conf ]
		then
			/sbin/ipf -6 -f /etc/ipf6.conf
		fi
		;;
	esac
}
139
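#
# ipfilter_stop: save the state tables (DragonFly/FreeBSD only) and
# disable the filter.
#
# The disable step now goes through ${ipfilter_program:-/sbin/ipf}, the
# same binary selection start, reload, resync and status use, so that a
# configured ipfilter_program is honoured here too.  With the variable
# unset the command is /sbin/ipf -D, as before.
#
# After this runs the host is no longer filtering packets with ipfilter.
#
ipfilter_stop()
{
	case "${OSTYPE}" in
	DragonFly|FreeBSD)
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		;;
	NetBSD)
		;;
	esac
	# XXX - The following command is not effective for 'lkm's
	echo "Disabling ipfilter."
	${ipfilter_program:-/sbin/ipf} -D
}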
158
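#
# ipfilter_reload: load the rules files into the inactive list (-I) and
# then swap it with the active list (-s).
#
# The new rules are staged in the inactive list so that the running
# ruleset stays in force until the swap.  On every platform the swap is
# now skipped when a rules file fails to load: previously only the NetBSD
# branch checked the load, so on DragonFly/FreeBSD a rules file with an
# error would still be swapped in, replacing the working ruleset with a
# flushed or partial one.
#
# Exits through err when a load fails.
#
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	case "${OSTYPE}" in
	DragonFly|FreeBSD)
		# Stage IPv4 rules in the inactive list.
		${ipfilter_program:-/sbin/ipf} -I -Fa
		if [ -r "${ipfilter_rules}" ] && \
		    ! ${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipfilter_rules} failed;" \
			    "not swapping to new ruleset."
		fi

		# Stage IPv6 rules in the inactive list.
		${ipfilter_program:-/sbin/ipf} -I -6 -Fa
		if [ -r "${ipv6_ipfilter_rules}" ] && \
		    ! ${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			err 1 "reload of ${ipv6_ipfilter_rules} failed;" \
			    "not swapping to new ruleset."
		fi

		# Both loads succeeded (or were skipped): activate the new set.
		${ipfilter_program:-/sbin/ipf} -s
		;;
	NetBSD)
		/sbin/ipf -I -Fa
		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
			err 1 "reload of ipf.conf failed; not swapping to" \
			    " new ruleset."
		fi
		if [ -f /etc/ipf6.conf ] && \
		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
			err 1 "reload of ipf6.conf failed; not swapping to" \
			    " new ruleset."
		fi
		/sbin/ipf -s
		;;
	esac

}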
206
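#
# ipfilter_resync: ask ipf to resynchronise (-y), passing
# ${ipfilter_flags}.
#
# On DragonFly/FreeBSD the resync is skipped, with status 0, when the
# net.inet.ipf.fr_pass sysctl cannot be read, i.e. when ipfilter is not
# loaded.  The earlier form wrapped the sysctl command line in "[ ... ]",
# which hands the words to test(1) instead of running sysctl, and it
# returned on success rather than on failure; the guard therefore never
# did what its comment says.
#
ipfilter_resync()
{
	case "${OSTYPE}" in
	DragonFly|FreeBSD)
		# Don't resync if ipfilter is not loaded
		if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
			return 0
		fi
		;;
	esac
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}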
221
#
# ipfilter_status: run the configured ipf binary (default /sbin/ipf)
# with -V and return its exit status.
#
ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
	return $?
}
226
# Pass the action given on the command line to run_rc_command, which is
# provided by the sourced /etc/rc.subr.
run_rc_command "$1"