authorBjoern A. Zeeb <bz@FreeBSD.org>2018-10-17 16:49:11 +0000
committerBjoern A. Zeeb <bz@FreeBSD.org>2018-10-17 16:49:11 +0000
commit0696600c41600d80bcd993bfd8e675d0ae6951fe (patch)
tree45a1b1b869fe29f26dc2cb4978b509ba9a74e706 /libexec/rc/rc.d/ipfilter
parent6f65800cbbb453c18a098f0e14bff8dc5818aa93 (diff)
Move the rc framework out of sbin/init into libexec/rc.
The reasons for this are forward looking to pkgbase: * /sbin/init is a special binary; try not to replace it with every package update because an rc script was touched. (a follow-up commit will make init its own package) * having rc in its own place will allow more easy replacement of the rc framework with alternatives, such as openrc. Discussed with: brd (during BSDCam), kmoore Requested by: cem, bz PR: 231522 Approved by: re (gjb)
Notes
Notes: svn path=/head/; revision=339413
Diffstat (limited to 'libexec/rc/rc.d/ipfilter')
-rwxr-xr-xlibexec/rc/rc.d/ipfilter90
1 files changed, 90 insertions, 0 deletions
diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter
new file mode 100755
index 000000000000..5c1a86876d6c
--- /dev/null
+++ b/libexec/rc/rc.d/ipfilter
@@ -0,0 +1,90 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: ipfilter
+# REQUIRE: FILESYSTEMS
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="ipfilter"
+desc="IP packet filter"
+rcvar="ipfilter_enable"
+load_rc_config $name
+stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
+
+start_precmd="$stop_precmd"
+start_cmd="ipfilter_start"
+stop_cmd="ipfilter_stop"
+reload_precmd="$stop_precmd"
+reload_cmd="ipfilter_reload"
+resync_precmd="$stop_precmd"
+resync_cmd="ipfilter_resync"
+status_precmd="$stop_precmd"
+status_cmd="ipfilter_status"
+extra_commands="reload resync"
+required_modules="ipl:ipfilter"
+
+ipfilter_start()
+{
+ echo "Enabling ipfilter."
+ if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
+ ${ipfilter_program:-/sbin/ipf} -E
+ fi
+ ${ipfilter_program:-/sbin/ipf} -Fa
+ if [ -r "${ipfilter_rules}" ]; then
+ ${ipfilter_program:-/sbin/ipf} \
+ -f "${ipfilter_rules}" ${ipfilter_flags}
+ fi
+ if [ -r "${ipv6_ipfilter_rules}" ]; then
+ ${ipfilter_program:-/sbin/ipf} -6 \
+ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
+ fi
+}
+
+ipfilter_stop()
+{
+ if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
+ echo "Saving firewall state tables"
+ ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
+ echo "Disabling ipfilter."
+ ${ipfilter_program:-/sbin/ipf} -D
+ fi
+}
+
+ipfilter_reload()
+{
+ echo "Reloading ipfilter rules."
+
+ ${ipfilter_program:-/sbin/ipf} -I -Fa
+ if [ -r "${ipfilter_rules}" ]; then
+ ${ipfilter_program:-/sbin/ipf} -I \
+ -f "${ipfilter_rules}" ${ipfilter_flags}
+ if [ $? -ne 0 ]; then
+ err 1 'Load of rules into alternate set failed; aborting reload'
+ fi
+ fi
+ if [ -r "${ipv6_ipfilter_rules}" ]; then
+ ${ipfilter_program:-/sbin/ipf} -I -6 \
+ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
+ if [ $? -ne 0 ]; then
+ err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
+ fi
+ fi
+ ${ipfilter_program:-/sbin/ipf} -s
+
+}
+
+ipfilter_resync()
+{
+ ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
+}
+
+ipfilter_status()
+{
+ ${ipfilter_program:-/sbin/ipf} -V
+}
+
+run_rc_command "$1"
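Review bot: ipfilter_start never checks the exit status of either rule load (the `-f "${ipfilter_rules}"` call and the `-6` call), so after `ipf -Fa` has flushed the active set, a rules file that fails to parse leaves the filter enabled with an empty or partial ruleset while the script still prints "Enabling ipfilter." and returns normally. Unless the kernel's default policy is block, that is likely a fail-open boot, and nothing is logged for the operator to notice. ipfilter_reload in this same file already guards its loads with `if [ $? -ne 0 ]; then err 1 ...`, and the start path should do the same, for example `-f "${ipfilter_rules}" ${ipfilter_flags} || err 1 'Load of rules failed'`; loading into the inactive set with `-I` and swapping with `-s`, as reload does, would also close the window in which no rules are active. Separately, `stop_precmd` expands `${ipfilter_rules}` and `${ipv6_ipfilter_rules}` unquoted inside `test`, so an empty value or a path containing whitespace changes how the expression parses; quoting both expansions inside the string would make the precheck dependable.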