Improve the IPFilter rc.d file, mainly bring it in line with changes
authorHiten Pandya <hmp@dragonflybsd.org>
Fri, 25 Feb 2005 18:14:38 +0000 (18:14 +0000)
committerHiten Pandya <hmp@dragonflybsd.org>
Fri, 25 Feb 2005 18:14:38 +0000 (18:14 +0000)
made in FreeBSD.

Obtained-from:   FreeBSD
Tested-by: Janet Sullivan <ciscogeek at bgp4.net>
etc/rc.d/ipfilter

index 6eb806c..8d4fcee 100644 (file)
@@ -2,21 +2,20 @@
 #
 # $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
 # $FreeBSD: src/etc/rc.d/ipfilter,v 1.10 2003/04/30 02:54:17 mtm Exp $
-# $DragonFly: src/etc/rc.d/ipfilter,v 1.3 2004/01/26 17:21:15 rob Exp $
+# $DragonFly: src/etc/rc.d/ipfilter,v 1.4 2005/02/25 18:14:38 hmp Exp $
 #
 
 # PROVIDE: ipfilter
 # REQUIRE: root beforenetlkm mountcritlocal tty ipmon
 # BEFORE:  netif
-# KEYWORD: DragonFly
+# KEYWORD: DragonFly nojail
 
 . /etc/rc.subr
 
 name="ipfilter"
 rcvar=`set_rcvar`
 load_rc_config $name
-
-       stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
+stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
 
 start_precmd="ipfilter_prestart"
 start_cmd="ipfilter_start"
@@ -29,16 +28,26 @@ status_precmd="$stop_precmd"
 status_cmd="ipfilter_status"
 extra_commands="reload resync status"
 
+ipfilter_loaded()
+{
+       if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
+               return 1
+       else
+               return 0
+       fi
+}
+
 ipfilter_prestart()
 {
-        # load ipfilter kernel module if needed
-       if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
+       # load ipfilter kernel module if needed
+       if ! ipfilter_loaded; then
                if kldload ipl; then
                        info 'IP-filter module loaded.'
                else
                        err 1 'IP-filter module failed to load.'
                fi
        fi
+
        # check for ipfilter rules
        if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
        then
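Review bot: The new `ipfilter_loaded` helper wraps its pipeline in an if/else whose only effect is to re-emit the pipeline's exit status, so the body can be the single line `kldstat -v | grep "IP Filter" > /dev/null 2>&1` (a shell function returns the status of its last command, which is what the if/else yields apart from folding grep's error status 2 into 1). The check also keys on the descriptive text in `kldstat -v` output rather than on the module name, and that text is not under this script's control; if it ever changes the helper silently reports the filter as absent and prestart attempts a redundant kldload, which is presumably harmless but deserves a line such as `# matches the module description printed by kldstat -v, not the module name` above the grep. The same loaded-state question carries into the next hunk, where `ipfilter_start` and `ipfilter_stop` use an unquoted `` `sysctl -n net.inet.ipf.fr_running` `` inside `[ ... -eq N ]`: if that sysctl is missing (stop runs after only the stop_precmd file test, not after prestart) the substitution is empty and test(1) reports a usage error instead of a clean false, so a `2>/dev/null` plus a default such as `${v:-0}` would make both branches fail closed.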
@@ -51,50 +60,56 @@ ipfilter_prestart()
 ipfilter_start()
 {
        echo "Enabling ipfilter."
-               ${ipfilter_program:-/sbin/ipf} -EFa
-               if [ -r "${ipfilter_rules}" ]; then
-                       ${ipfilter_program:-/sbin/ipf} \
-                       -f "${ipfilter_rules}" ${ipfilter_flags}
-               fi
-               ${ipfilter_program:-/sbin/ipf} -6 -EFa
-               if [ -r "${ipv6_ipfilter_rules}" ]; then
-                       ${ipfilter_program:-/sbin/ipf} -6 \
-                       -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
-               fi
+       if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
+               ${ipfilter_program:-/sbin/ipf} -E
+       fi
+       ${ipfilter_program:-/sbin/ipf} -Fa
+       if [ -r "${ipfilter_rules}" ]; then
+               ${ipfilter_program:-/sbin/ipf} \
+                   -f "${ipfilter_rules}" ${ipfilter_flags}
+       fi
+       ${ipfilter_program:-/sbin/ipf} -6 -Fa
+       if [ -r "${ipv6_ipfilter_rules}" ]; then
+               ${ipfilter_program:-/sbin/ipf} -6 \
+                   -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
+       fi
 }
 
 ipfilter_stop()
 {
+       # XXX - The ipf -D command is not effective for 'lkm's
+       if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
                echo "Saving firewall state tables"
                ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
-       # XXX - The following command is not effective for 'lkm's
-       echo "Disabling ipfilter."
-       /sbin/ipf -D
+               echo "Disabling ipfilter."
+               ${ipfilter_program:-/sbin/ipf} -D
+       fi
 }
 
 ipfilter_reload()
 {
        echo "Reloading ipfilter rules."
 
-                ${ipfilter_program:-/sbin/ipf} -I -Fa
-               if [ -r "${ipfilter_rules}" ]; then
-                       ${ipfilter_program:-/sbin/ipf} -I \
-                       -f "${ipfilter_rules}" ${ipfilter_flags}
-               fi
-                       ${ipfilter_program:-/sbin/ipf} -I -6 -Fa
-                       if [ -r "${ipv6_ipfilter_rules}" ]; then
-                       ${ipfilter_program:-/sbin/ipf} -I -6 \
-                       -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
-               fi
-               ${ipfilter_program:-/sbin/ipf} -s
-               /sbin/ipf -s
+       ${ipfilter_program:-/sbin/ipf} -I -Fa
+       if [ -r "${ipfilter_rules}" ]; then
+               ${ipfilter_program:-/sbin/ipf} -I \
+                   -f "${ipfilter_rules}" ${ipfilter_flags}
+       fi
+       ${ipfilter_program:-/sbin/ipf} -I -6 -Fa
+       if [ -r "${ipv6_ipfilter_rules}" ]; then
+               ${ipfilter_program:-/sbin/ipf} -I -6 \
+                   -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
+       fi
+       ${ipfilter_program:-/sbin/ipf} -s
 
 }
 
 ipfilter_resync()
 {
-               # Don't resync if ipfilter is not loaded
-               [ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
+       # Don't resync if ipfilter is not loaded
+       if ! ipfilter_loaded; then
+                return
+       fi
        ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
 }