#!/bin/sh
#
# $FreeBSD: src/etc/rc.d/ipfw,v 1.4 2003/03/30 15:52:18 mtm Exp $
# $DragonFly: src/etc/rc.d/ipfw,v 1.4 2008/07/06 23:55:51 thomas Exp $
#

# PROVIDE: ipfw
# REQUIRE: ppp-user
# BEFORE: NETWORKING

. /etc/rc.subr

name="ipfw"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_precmd"
stop_cmd="ipfw_stop"

ipfw_precmd()
{
	if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then
		if ! kldload ipfw; then
			warn "unable to load ipfw firewall module."
			return 1
		fi
	fi

	return 0
}

ipfw_start()
{
	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		. "${firewall_script}"
		echo -n 'Firewall rules loaded, starting divert daemons:'

		# Network Address Translation daemon
		#
		if checkyesno natd_enable; then
			if [ -n "${natd_interface}" ]; then
				if echo ${natd_interface} | \
				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
					natd_flags="$natd_flags -a ${natd_interface}"
				else
					natd_flags="$natd_flags -n ${natd_interface}"
				fi
			fi
			echo -n ' natd'
			${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
		fi
	elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi
	echo '.'

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled'
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi

	# Enable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=1
}

ipfw_stop()
{
	# Disable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=0
}

load_rc_config $name
run_rc_command "$1"