From 7b988fe73c5dfb6c7f9e9d10d25792459fb0d2f0 Mon Sep 17 00:00:00 2001 From: Hajimu UMEMOTO Date: Sat, 2 Nov 2002 08:21:26 +0000 Subject: Add IPv6 setup for ipfilter. `ipv6_ipfilter_rules' was added to specify rules definition file for ipfilter. The default is /etc/ipf6.rules. If there is a file which is specified by 'ipv6_ipfilter_rules', IPv6 rule is installed. Reviewed by: Ronald van der Pol MFC after: 1 week --- etc/defaults/rc.conf | 3 +++ etc/rc.d/ipfilter | 27 +++++++++++++++++++++------ etc/rc.network | 16 +++++++++++++--- 3 files changed, 37 insertions(+), 9 deletions(-) (limited to 'etc') diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 0bd12453e8a0..87ae29792053 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -311,6 +311,9 @@ ipv6_firewall_type="UNKNOWN" # IPv6 Firewall type (see /etc/rc.firewall6) ipv6_firewall_quiet="NO" # Set to YES to suppress rule display ipv6_firewall_logging="NO" # Set to YES to enable events logging ipv6_firewall_flags="" # Flags passed to ip6fw when type is a file +ipv6_ipfilter_rules="/etc/ipf6.rules" # rules definition file for ipfilter, + # see /usr/src/contrib/ipfilter/rules + # for examples ############################################################## ### System console options ################################# diff --git a/etc/rc.d/ipfilter b/etc/rc.d/ipfilter index 2ee2d286e035..423717e62c1f 100755 --- a/etc/rc.d/ipfilter +++ b/etc/rc.d/ipfilter @@ -16,7 +16,7 @@ load_rc_config $name case ${OSTYPE} in FreeBSD) - stop_precmd="test -f ${ipfilter_rules}" + stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}" ;; NetBSD) stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf" @@ -49,7 +49,8 @@ FreeBSD) fi # check for ipfilter rules - if [ ! -r "${ipfilter_rules}" ]; then + if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ] + then warn 'IP-filter: NO IPF RULES' return 1 fi @@ -78,8 +79,15 @@ ipfilter_start() echo "Enabling ipfilter." case ${OSTYPE} in FreeBSD) - ${ipfilter_program:-/sbin/ipf} -Fa -f \ - "${ipfilter_rules}" ${ipfilter_flags} + ${ipfilter_program:-/sbin/ipf} -Fa + if [ -r "${ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} \ + -f "${ipfilter_rules}" ${ipfilter_flags} + fi + if [ -r "${ipv6_ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -6 \ + -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} + fi ;; NetBSD) /sbin/ipf -E -Fa @@ -114,8 +122,15 @@ ipfilter_reload() case ${OSTYPE} in FreeBSD) - ${ipfilter_program:-/sbin/ipf} -I -Fa -f \ - "${ipfilter_rules}" ${ipfilter_flags} + ${ipfilter_program:-/sbin/ipf} -I -Fa + if [ -r "${ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -I \ + -f "${ipfilter_rules}" ${ipfilter_flags} + fi + if [ -r "${ipv6_ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -I -6 \ + -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} + fi ;; NetBSD) /sbin/ipf -I -Fa diff --git a/etc/rc.network b/etc/rc.network index 43d9a0028d14..925876bbacca 100644 --- a/etc/rc.network +++ b/etc/rc.network @@ -101,10 +101,20 @@ network_pass1() { esac case "${ipfilter_enable}" in [Yy][Ee][Ss]) - if [ -r "${ipfilter_rules}" ]; then + if [ -r "${ipfilter_rules}" -o \ + -r "${ipv6_ipfilter_rules}" ]; then echo -n ' ipfilter' - ${ipfilter_program:-/sbin/ipf} -Fa -f \ - "${ipfilter_rules}" ${ipfilter_flags} + ${ipfilter_program:-/sbin/ipf} -Fa + if [ -r "${ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} \ + -f "${ipfilter_rules}" \ + ${ipfilter_flags} + fi + if [ -r "${ipv6_ipfilter_rules}" ]; then + ${ipfilter_program:-/sbin/ipf} -6 \ + -f "${ipv6_ipfilter_rules}" \ + ${ipfilter_flags} + fi else ipfilter_enable="NO" echo -n ' NO IPF RULES' -- cgit v1.2.3