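#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ipfilter
# REQUIRE: FILESYSTEMS
# BEFORE: netif
# KEYWORD: nojail

#
# rc.d control script for the ipfilter firewall. This part sources the rc
# framework, loads the ipfilter configuration and registers the handlers
# for the start, stop, reload, resync and status actions.
#
# set_rcvar and load_rc_config are not defined in this file; presumably
# they come from /etc/rc.subr, which is sourced below.
#
. /etc/rc.subr

name="ipfilter"
rcvar=$(set_rcvar)
load_rc_config "$name"

#
# ipfilter_precmd: succeed when at least one of the configured rule files
# (ipfilter_rules, ipv6_ipfilter_rules) exists as a regular file.
#
# This is a function rather than a "test -f ... -o -f ..." string built
# from unquoted expansions: with both variables empty that string becomes
# "test -f -o -f", which evaluates true and lets every action run without
# any rule file, and a path containing whitespace breaks the expression.
#
ipfilter_precmd()
{
	[ -f "${ipfilter_rules}" ] || [ -f "${ipv6_ipfilter_rules}" ]
}

# Every action is gated on the same rule-file check.
stop_precmd="ipfilter_precmd"
start_precmd="$stop_precmd"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"
# NOTE(review): presumably rc.subr makes sure this kernel module is loaded
# before an action runs - confirm against rc.subr.
required_modules="ipl:ipfilter"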
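#
# ipfilter_start: enable ipfilter when it is not running, then flush the
# active IPv4 and IPv6 rule sets and load the configured rule files.
#
# Reads:   ipfilter_program, ipfilter_rules, ipv6_ipfilter_rules,
#          ipfilter_flags
# Returns: 0 when every readable rule file loaded, 1 when a load failed.
#
# Each address family is flushed (-Fa) before its file is loaded, so a
# rule file that is unreadable or rejected leaves that family with an
# empty (or possibly partial) active set. A failed load is therefore
# reported through warn and reflected in the return status; the other
# family is still loaded so that one bad file does not also leave the
# second family without rules. warn is not defined in this file; it is
# expected to come from /etc/rc.subr.
#
ipfilter_start()
{
	local _running _rc

	_rc=0
	echo "Enabling ipfilter."

	# Quote and default the sysctl answer: with an empty reply the
	# unquoted test failed with a syntax error and skipped the enable.
	_running=$(sysctl -n net.inet.ipf.fr_running)
	if [ "${_running:-0}" -le 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi

	# ipfilter_flags stays unquoted on purpose so that it can carry
	# several options.
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		if ! ${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}; then
			warn "Load of rules from ${ipfilter_rules} failed"
			_rc=1
		fi
	fi

	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		if ! ${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}; then
			warn "Load of IPv6 rules from ${ipv6_ipfilter_rules} failed"
			_rc=1
		fi
	fi

	return ${_rc}
}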
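#
# ipfilter_stop: when ipfilter reports itself as running, save the
# firewall state tables with ipfs and then disable the filter.
#
# Reads:   ipfs_program, ipfs_flags, ipfilter_program
# Returns: the status of the disable command when the filter was
#          running, 0 otherwise.
#
# Once the filter is disabled no rules are applied any more, so this
# action is worth recording wherever rc actions are audited.
#
ipfilter_stop()
{
	local _running

	# XXX - The ipf -D command is not effective for 'lkm's
	# Quote and default the sysctl answer so that an empty reply reads
	# as "not running" instead of producing a test syntax error.
	_running=$(sysctl -n net.inet.ipf.fr_running)
	if [ "${_running:-0}" -eq 1 ]; then
		echo "Saving firewall state tables"
		# ipfs_flags stays unquoted so it can hold several options.
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}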
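#
# ipfilter_reload: build the new IPv4 and IPv6 rule sets in the alternate
# (-I) set and only then swap (-s) them into service.
#
# Reads:   ipfilter_program, ipfilter_rules, ipv6_ipfilter_rules,
#          ipfilter_flags
# Returns: the status of the final swap command; a failed rule load ends
#          the run through err with exit value 1 before the swap.
#
# Because a failed load aborts before -s, a rejected rule file leaves the
# rules that are currently in service untouched. A rule file that is not
# readable is skipped without an error, so the flushed alternate set for
# that family is still swapped in. err is not defined in this file; it is
# expected to come from /etc/rc.subr.
#
ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	# The load status is tested directly instead of through a separate
	# "$?" check, so nothing can slip in between command and test.
	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags} ||
		    err 1 'Load of rules into alternate set failed; aborting reload'
	fi

	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} ||
		    err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
	fi

	# Both families loaded: put the alternate set into service.
	${ipfilter_program:-/sbin/ipf} -s
}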
#
# ipfilter_resync: run the ipf program with -y followed by the configured
# ipfilter_flags (per ipf(8), -y resynchronises the filter's interface
# list with the current interfaces).
#
# Reads:   ipfilter_program, ipfilter_flags
# Returns: the status of the ipf command.
#
ipfilter_resync()
{
	local _ipf

	_ipf=${ipfilter_program:-/sbin/ipf}
	# Both expansions stay unquoted, as before, so that each may carry
	# more than one word.
	${_ipf} -y ${ipfilter_flags}
}
#
# ipfilter_status: run the ipf program with -V and pass its output and
# exit status through unchanged.
#
# Reads:   ipfilter_program
# Returns: the status of the ipf command.
#
ipfilter_status()
{
	local _ipf

	_ipf=${ipfilter_program:-/sbin/ipf}
	${_ipf} -V
}
# Dispatch the action named by the script's first argument.
# run_rc_command is not defined in this file; presumably it is provided
# by /etc/rc.subr and runs the matching *_precmd and *_cmd set above.
run_rc_command "$1"