head	1.29;
access;
symbols
	RELENG_8_4:1.28.0.2
	RELENG_9_1_0_RELEASE:1.25.2.1.4.2
	RELENG_9_1:1.25.2.1.0.4
	RELENG_9_1_BP:1.25.2.1
	RELENG_8_3_0_RELEASE:1.21.2.4.6.1
	RELENG_8_3:1.21.2.4.0.6
	RELENG_8_3_BP:1.21.2.4
	RELENG_9_0_0_RELEASE:1.25.2.1.2.1
	RELENG_9_0:1.25.2.1.0.2
	RELENG_9_0_BP:1.25.2.1
	RELENG_9:1.25.0.2
	RELENG_9_BP:1.25
	RELENG_7_4_0_RELEASE:1.15.2.6.2.1
	RELENG_8_2_0_RELEASE:1.21.2.4.4.1
	RELENG_7_4:1.15.2.6.0.2
	RELENG_7_4_BP:1.15.2.6
	RELENG_8_2:1.21.2.4.0.4
	RELENG_8_2_BP:1.21.2.4
	RELENG_8_1_0_RELEASE:1.21.2.4.2.1
	RELENG_8_1:1.21.2.4.0.2
	RELENG_8_1_BP:1.21.2.4
	RELENG_7_3_0_RELEASE:1.15.2.2.4.1
	RELENG_7_3:1.15.2.2.0.4
	RELENG_7_3_BP:1.15.2.2
	RELENG_8_0_0_RELEASE:1.21.2.1.2.1
	RELENG_8_0:1.21.2.1.0.2
	RELENG_8_0_BP:1.21.2.1
	RELENG_8:1.21.0.2
	RELENG_8_BP:1.21
	RELENG_7_2_0_RELEASE:1.15.2.2.2.1
	RELENG_7_2:1.15.2.2.0.2
	RELENG_7_2_BP:1.15.2.2
	RELENG_7_1_0_RELEASE:1.15.2.1.2.1
	RELENG_6_4_0_RELEASE:1.10.2.5.2.1
	RELENG_7_1:1.15.2.1.0.2
	RELENG_7_1_BP:1.15.2.1
	RELENG_6_4:1.10.2.5.0.2
	RELENG_6_4_BP:1.10.2.5
	RELENG_7_0_0_RELEASE:1.15
	RELENG_6_3_0_RELEASE:1.10.2.4
	RELENG_7_0:1.15.0.4
	RELENG_7_0_BP:1.15
	RELENG_6_3:1.10.2.4.0.2
	RELENG_6_3_BP:1.10.2.4
	RELENG_7:1.15.0.2
	RELENG_7_BP:1.15
	RELENG_6_2_0_RELEASE:1.10.2.2
	RELENG_6_2:1.10.2.2.0.4
	RELENG_6_2_BP:1.10.2.2
	RELENG_5_5_0_RELEASE:1.8.2.1
	RELENG_5_5:1.8.2.1.0.6
	RELENG_5_5_BP:1.8.2.1
	RELENG_6_1_0_RELEASE:1.10.2.2
	RELENG_6_1:1.10.2.2.0.2
	RELENG_6_1_BP:1.10.2.2
	RELENG_6_0_0_RELEASE:1.10
	RELENG_6_0:1.10.0.4
	RELENG_6_0_BP:1.10
	RELENG_6:1.10.0.2
	RELENG_6_BP:1.10
	RELENG_5_4_0_RELEASE:1.8.2.1
	RELENG_5_4:1.8.2.1.0.4
	RELENG_5_4_BP:1.8.2.1
	RELENG_5_3_0_RELEASE:1.8.2.1
	RELENG_5_3:1.8.2.1.0.2
	RELENG_5_3_BP:1.8.2.1
	RELENG_5:1.8.0.2
	RELENG_5_BP:1.8
	RELENG_5_2_1_RELEASE:1.5
	RELENG_5_2_0_RELEASE:1.5
	RELENG_5_2:1.5.0.2
	RELENG_5_2_BP:1.5
	RELENG_5_1_0_RELEASE:1.4
	RELENG_5_1:1.4.0.2
	RELENG_5_1_BP:1.4
	RELENG_5_0_0_RELEASE:1.2.2.2
	RELENG_5_0:1.2.0.2
	RELENG_5_0_BP:1.2;
locks; strict;
comment	@# @;


1.29
date	2013.05.20.00.28.17;	author svnexp;	state Exp;
branches;
next	1.28;

1.28
date	2012.11.17.01.49.04;	author svnexp;	state Exp;
branches
	1.28.2.1;
next	1.27;

1.27
date	2012.10.29.06.31.51;	author hrs;	state Exp;
branches;
next	1.26;

1.26
date	2012.07.09.07.16.19;	author hrs;	state Exp;
branches;
next	1.25;

1.25
date	2011.03.30.01.19.00;	author emaste;	state Exp;
branches
	1.25.2.1;
next	1.24;

1.24
date	2010.05.14.04.53.57;	author dougb;	state Exp;
branches;
next	1.23;

1.23
date	2010.02.08.18.51.24;	author emax;	state Exp;
branches;
next	1.22;

1.22
date	2009.12.02.15.05.26;	author ume;	state Exp;
branches;
next	1.21;

1.21
date	2009.06.26.01.04.50;	author dougb;	state Exp;
branches
	1.21.2.1;
next	1.20;

1.20
date	2009.06.01.05.35.03;	author dougb;	state Exp;
branches;
next	1.19;

1.19
date	2009.03.30.21.31.52;	author emax;	state Exp;
branches;
next	1.18;

1.18
date	2008.07.05.15.27.39;	author mtm;	state Exp;
branches;
next	1.17;

1.17
date	2008.01.27.15.15.12;	author mtm;	state Exp;
branches;
next	1.16;

1.16
date	2008.01.26.14.02.19;	author mtm;	state Exp;
branches;
next	1.15;

1.15
date	2007.04.02.15.38.53;	author mtm;	state Exp;
branches
	1.15.2.1;
next	1.14;

1.14
date	2006.12.31.10.37.18;	author yar;	state Exp;
branches;
next	1.13;

1.13
date	2006.07.25.17.28.18;	author yar;	state Exp;
branches;
next	1.12;

1.12
date	2006.02.26.16.45.29;	author wkoszek;	state Exp;
branches;
next	1.11;

1.11
date	2005.10.28.16.07.52;	author yar;	state Exp;
branches;
next	1.10;

1.10
date	2005.03.16.08.47.48;	author ru;	state Exp;
branches
	1.10.2.1;
next	1.9;

1.9
date	2004.10.07.13.55.26;	author mtm;	state Exp;
branches;
next	1.8;

1.8
date	2004.04.28.13.20.15;	author phk;	state Exp;
branches
	1.8.2.1;
next	1.7;

1.7
date	2004.04.05.16.29.45;	author fjoe;	state Exp;
branches;
next	1.6;

1.6
date	2004.03.08.12.25.05;	author pjd;	state Exp;
branches;
next	1.5;

1.5
date	2003.07.27.20.34.30;	author mbr;	state Exp;
branches;
next	1.4;

1.4
date	2003.03.30.15.52.18;	author mtm;	state Exp;
branches;
next	1.3;

1.3
date	2003.01.14.15.43.02;	author mtm;	state Exp;
branches;
next	1.2;

1.2
date	2002.10.12.10.31.31;	author schweikh;	state Exp;
branches
	1.2.2.1;
next	1.1;

1.1
date	2002.06.13.22.14.36;	author gordon;	state Exp;
branches;
next	;

1.28.2.1
date	2012.11.17.01.49.04;	author svnexp;	state dead;
branches;
next	1.28.2.2;

1.28.2.2
date	2013.03.28.13.02.43;	author svnexp;	state Exp;
branches;
next	;

1.25.2.1
date	2011.09.23.00.51.37;	author kensmith;	state Exp;
branches
	1.25.2.1.2.1
	1.25.2.1.4.1;
next	1.25.2.2;

1.25.2.2
date	2012.11.17.11.36.11;	author svnexp;	state Exp;
branches;
next	1.25.2.3;

1.25.2.3
date	2013.05.22.19.01.43;	author svnexp;	state Exp;
branches;
next	1.25.2.4;

1.25.2.4
date	2013.07.12.02.03.30;	author svnexp;	state Exp;
branches;
next	;

1.25.2.1.2.1
date	2011.11.11.04.20.22;	author kensmith;	state Exp;
branches;
next	1.25.2.1.2.2;

1.25.2.1.2.2
date	2012.11.17.08.36.11;	author svnexp;	state Exp;
branches;
next	;

1.25.2.1.4.1
date	2012.08.05.23.54.33;	author kensmith;	state Exp;
branches;
next	1.25.2.1.4.2;

1.25.2.1.4.2
date	2012.11.17.08.47.01;	author svnexp;	state Exp;
branches;
next	;

1.21.2.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches
	1.21.2.1.2.1;
next	1.21.2.2;

1.21.2.2
date	2010.02.16.19.00.47;	author emax;	state Exp;
branches;
next	1.21.2.3;

1.21.2.3
date	2010.04.07.19.04.36;	author ume;	state Exp;
branches;
next	1.21.2.4;

1.21.2.4
date	2010.05.14.19.28.16;	author dougb;	state Exp;
branches
	1.21.2.4.2.1
	1.21.2.4.4.1
	1.21.2.4.6.1;
next	1.21.2.5;

1.21.2.5
date	2012.11.17.10.35.56;	author svnexp;	state Exp;
branches;
next	;

1.21.2.1.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.21.2.4.2.1
date	2010.06.14.02.09.06;	author kensmith;	state Exp;
branches;
next	;

1.21.2.4.4.1
date	2010.12.21.17.09.25;	author kensmith;	state Exp;
branches;
next	;

1.21.2.4.6.1
date	2012.03.03.06.15.13;	author kensmith;	state Exp;
branches;
next	1.21.2.4.6.2;

1.21.2.4.6.2
date	2012.11.17.08.24.38;	author svnexp;	state Exp;
branches;
next	;

1.15.2.1
date	2008.05.06.10.50.51;	author mtm;	state Exp;
branches
	1.15.2.1.2.1;
next	1.15.2.2;

1.15.2.2
date	2009.04.07.16.29.50;	author emax;	state Exp;
branches
	1.15.2.2.2.1
	1.15.2.2.4.1;
next	1.15.2.3;

1.15.2.3
date	2010.02.25.18.02.52;	author emax;	state Exp;
branches;
next	1.15.2.4;

1.15.2.4
date	2010.03.01.18.58.18;	author emax;	state Exp;
branches;
next	1.15.2.5;

1.15.2.5
date	2010.05.14.19.36.11;	author dougb;	state Exp;
branches;
next	1.15.2.6;

1.15.2.6
date	2010.08.17.21.28.40;	author jhb;	state Exp;
branches
	1.15.2.6.2.1;
next	1.15.2.7;

1.15.2.7
date	2012.11.17.08.01.21;	author svnexp;	state Exp;
branches;
next	;

1.15.2.1.2.1
date	2008.11.25.02.59.29;	author kensmith;	state Exp;
branches;
next	;

1.15.2.2.2.1
date	2009.04.15.03.14.26;	author kensmith;	state Exp;
branches;
next	;

1.15.2.2.4.1
date	2010.02.10.00.26.20;	author kensmith;	state Exp;
branches;
next	;

1.15.2.6.2.1
date	2010.12.21.17.10.29;	author kensmith;	state Exp;
branches;
next	1.15.2.6.2.2;

1.15.2.6.2.2
date	2012.11.17.08.16.37;	author svnexp;	state Exp;
branches;
next	;

1.10.2.1
date	2006.01.21.22.42.43;	author yar;	state Exp;
branches;
next	1.10.2.2;

1.10.2.2
date	2006.03.01.11.36.01;	author wkoszek;	state Exp;
branches;
next	1.10.2.3;

1.10.2.3
date	2006.12.20.12.24.32;	author yar;	state Exp;
branches;
next	1.10.2.4;

1.10.2.4
date	2007.05.15.09.18.25;	author mtm;	state Exp;
branches;
next	1.10.2.5;

1.10.2.5
date	2008.05.06.10.48.25;	author mtm;	state Exp;
branches
	1.10.2.5.2.1;
next	1.10.2.6;

1.10.2.6
date	2012.11.17.07.39.07;	author svnexp;	state Exp;
branches;
next	;

1.10.2.5.2.1
date	2008.10.02.02.57.24;	author kensmith;	state Exp;
branches;
next	;

1.8.2.1
date	2004.10.10.09.50.53;	author mtm;	state Exp;
branches;
next	;

1.2.2.1
date	2003.01.14.15.32.49;	author mtm;	state Exp;
branches;
next	1.2.2.2;

1.2.2.2
date	2003.01.14.15.37.49;	author mtm;	state Exp;
branches;
next	;


desc
@@


1.29
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/250804
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@#!/bin/sh
#
# $FreeBSD: head/etc/rc.d/ipfw 250804 2013-05-19 04:10:34Z jamie $
#

# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojailvnet

. /etc/rc.subr
. /etc/network.subr

name="ipfw"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
required_modules="ipfw"

set_rcvar_obsolete ipv6_firewall_enable

ipfw_prestart()
{
	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi
	if checkyesno natd_enable; then
		required_modules="$required_modules ipdivert"
	fi
	if checkyesno firewall_nat_enable; then
		required_modules="$required_modules ipfw_nat"
	fi
}

ipfw_start()
{
	local   _firewall_type

	_firewall_type=$1

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi
	if checkyesno firewall_logif; then
		ifconfig ipfw0 create
		echo 'Firewall logging pseudo-interface (ipfw0) created.'
	fi
}

ipfw_poststart()
{
	local	_coscript

	# Start firewall coscripts
	#
	for _coscript in ${firewall_coscripts} ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstart
		fi
	done

	# Enable the firewall
	#
	if ! ${SYSCTL} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
		warn "failed to enable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
		then
			warn "failed to enable IPv6 firewall"
		fi
	fi
}

ipfw_stop()
{
	local	_coscript

	# Disable the firewall
	#
	${SYSCTL} net.inet.ip.fw.enable=0
	if afexists inet6; then
		${SYSCTL} net.inet6.ip6.fw.enable=0
	fi

	# Stop firewall coscripts
	#
	for _coscript in `reverse_list ${firewall_coscripts}` ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
}

load_rc_config $name
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

run_rc_command $*
@


1.28
log
@Switching exporter and resync
@
text
@d3 1
a3 1
# $FreeBSD: head/etc/rc.d/ipfw 242301 2012-10-29 06:31:51Z hrs $
d8 1
a8 1
# KEYWORD: nojail
@


1.28.2.1
log
@file ipfw was added on branch RELENG_8_4 on 2013-03-28 13:02:43 +0000
@
text
@d1 114
@


1.28.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 110
#!/bin/sh
#
# $FreeBSD: releng/8.4/etc/rc.d/ipfw 208094 2010-05-14 19:28:16Z dougb $
#

# PROVIDE: ipfw
# REQUIRE: ppp
# KEYWORD: nojail

. /etc/rc.subr
. /etc/network.subr

name="ipfw"
rcvar="firewall_enable"
start_cmd="ipfw_start"
start_precmd="ipfw_prestart"
start_postcmd="ipfw_poststart"
stop_cmd="ipfw_stop"
required_modules="ipfw"

set_rcvar_obsolete ipv6_firewall_enable

ipfw_prestart()
{
	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi

	if checkyesno firewall_nat_enable; then
		if ! checkyesno natd_enable; then
			required_modules="$required_modules ipfw_nat"
		fi
	fi
}

ipfw_start()
{
	local   _firewall_type

	_firewall_type=$1

	# set the firewall rules script if none was specified
	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall

	if [ -r "${firewall_script}" ]; then
		/bin/sh "${firewall_script}" "${_firewall_type}"
		echo 'Firewall rules loaded.'
	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
		echo 'Warning: kernel has firewall functionality, but' \
		    ' firewall rules are not enabled.'
		echo '           All ip services are disabled.'
	fi

	# Firewall logging
	#
	if checkyesno firewall_logging; then
		echo 'Firewall logging enabled.'
		sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi
}

ipfw_poststart()
{
	local	_coscript

	# Start firewall coscripts
	#
	for _coscript in ${firewall_coscripts} ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstart
		fi
	done

	# Enable the firewall
	#
	if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
		warn "failed to enable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
		then
			warn "failed to enable IPv6 firewall"
		fi
	fi
}

ipfw_stop()
{
	local	_coscript

	# Disable the firewall
	#
	${SYSCTL_W} net.inet.ip.fw.enable=0
	if afexists inet6; then
		${SYSCTL_W} net.inet6.ip6.fw.enable=0
	fi

	# Stop firewall coscripts
	#
	for _coscript in `reverse_list ${firewall_coscripts}` ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
}

load_rc_config $name
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

run_rc_command $*
@


1.27
log
@SVN rev 242301 on 2012-10-29 06:31:51Z by hrs

Load ipdivert.ko when natd_enable=YES.

PR:	conf/167566
@
text
@d3 1
a3 1
# $FreeBSD$
@


1.26
log
@SVN rev 238277 on 2012-07-09 07:16:19Z by hrs

Make ipfw0 logging pseudo-interface clonable.  It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on:	freebsd-ipfw@@
@
text
@d28 3
a30 1

d32 1
a32 3
		if ! checkyesno natd_enable; then
			required_modules="$required_modules ipfw_nat"
		fi
@


1.25
log
@SVN rev 220153 on 2011-03-30 01:19:00Z by emaste

Replace ${SYSCTL_W} with ${SYSCTL} in rc.d scripts, as they are identical.
This is a further clean up after r202988.

SYSCTL_W is still initialized in rc.subr as some ports may still use it.
@
text
@d60 4
@


1.25.2.1
log
@SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.25.2.2
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242902
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242902 | dteske | 2012-11-11 23:29:45 +0000 (Sun, 11 Nov 2012) | 10 lines
## SVN ##
## SVN ## Fix a regression introduced by SVN r211417 that saw the breakage of a feature
## SVN ## documented in usr.sbin/sysinstall/help/shortcuts.hlp (reproduced below):
## SVN ##
## SVN ## If /usr/sbin/sysinstall is linked to another filename, say
## SVN ## `/usr/local/bin/configPackages', then the basename will be used
## SVN ## as an implicit command name.
## SVN ##
## SVN ## Reviewed by:	adrian (co-mentor)
## SVN ## Approved by:	adrian (co-mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d3 1
a3 1
# $FreeBSD: stable/9/etc/rc.d/ipfw 220153 2011-03-30 01:19:00Z emaste $
@


1.25.2.3
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/250915
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d3 1
a3 1
# $FreeBSD: stable/9/etc/rc.d/ipfw 250915 2013-05-22 18:26:12Z jamie $
d8 1
a8 1
# KEYWORD: nojailvnet
@


1.25.2.4
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/253232
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@d3 1
a3 1
# $FreeBSD: stable/9/etc/rc.d/ipfw 253232 2013-07-12 01:12:28Z hrs $
d28 1
a28 3
	if checkyesno natd_enable; then
		required_modules="$required_modules ipdivert"
	fi
d30 3
a32 1
		required_modules="$required_modules ipfw_nat"
@


1.25.2.1.4.1
log
@SVN rev 239080 on 2012-08-05 23:54:33Z by kensmith

Copy stable/9 to releng/9.1 as part of the 9.1-RELEASE release process.

Approved by:	re (implicit)
@
text
@@


1.25.2.1.4.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/9.1/etc/rc.d/ipfw 220153 2011-03-30 01:19:00Z emaste $
@


1.25.2.1.2.1
log
@SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)
@
text
@@


1.25.2.1.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/9.0/etc/rc.d/ipfw 220153 2011-03-30 01:19:00Z emaste $
@


1.24
log
@SVN rev 208060 on 2010-05-14 04:53:57Z by dougb

Remove trailing white space. No functional changes.
@
text
@d76 1
a76 1
	if ! ${SYSCTL_W} net.inet.ip.fw.enable=1 1>/dev/null 2>&1; then
d80 1
a80 1
		if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
d93 1
a93 1
	${SYSCTL_W} net.inet.ip.fw.enable=0
d95 1
a95 1
		${SYSCTL_W} net.inet6.ip6.fw.enable=0
@


1.23
log
@SVN rev 203676 on 2010-02-08 18:51:24Z by emax

Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by:	Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by:	rhodes, rc@@
MFC after:	1 week
@
text
@d33 1
a33 1
	fi 
d40 1
a40 1
	_firewall_type=$1 
@


1.22
log
@SVN rev 200028 on 2009-12-02 15:05:26Z by ume

Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by:	dougb, jhb
MFC after:	1 month
@
text
@d17 1
a45 3
		if [ -f /etc/rc.d/natd ] ; then
			/etc/rc.d/natd quietstart
		fi
d60 13
d89 2
d97 8
a104 3
	if [ -f /etc/rc.d/natd ] ; then
		/etc/rc.d/natd quietstop
	fi
d108 2
@


1.21
log
@SVN rev 195026 on 2009-06-26 01:04:50Z by dougb

Reverse the effect of r193198 for pf and ipfw which will once again
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.

IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.

This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.
@
text
@d20 2
d66 7
a72 1
		warn "failed to enable firewall"
d81 3
@


1.21.2.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.21.2.2
log
@SVN rev 203962 on 2010-02-16 19:00:47Z by emax

MFC: r203676

Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by:	Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by:	rhodes, rc@@
@
text
@a16 1
start_postcmd="ipfw_poststart"
d43 3
a59 13
}

ipfw_poststart()
{
	local	_coscript

	# Start firewall coscripts
	#
	for _coscript in ${firewall_coscripts} ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstart
		fi
	done
a69 2
	local	_coscript

d73 3
a75 8

	# Stop firewall coscripts
	#
	for _coscript in `reverse_list ${firewall_coscripts}` ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
a78 2
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

@


1.21.2.3
log
@SVN rev 206382 on 2010-04-07 19:04:36Z by ume

MFC r200028, r201193, r201752, r201930, r202460, r200672, r206375:
Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6 and
rc.d/ip6fw.
@
text
@a20 2
set_rcvar_obsolete ipv6_firewall_enable

d75 1
a75 7
		warn "failed to enable IPv4 firewall"
	fi
	if afexists inet6; then
		if ! ${SYSCTL_W} net.inet6.ip6.fw.enable=1 1>/dev/null 2>&1
		then
			warn "failed to enable IPv6 firewall"
		fi
a85 3
	if afexists inet6; then
		${SYSCTL_W} net.inet6.ip6.fw.enable=0
	fi
@


1.21.2.4
log
@SVN rev 208094 on 2010-05-14 19:28:16Z by dougb

MFC 208060:

Remove trailing white space. No functional changes.
@
text
@d33 1
a33 1
	fi
d40 1
a40 1
	_firewall_type=$1
@


1.21.2.5
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242909
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242909 | dim | 2012-11-12 07:47:19 +0000 (Mon, 12 Nov 2012) | 20 lines
## SVN ##
## SVN ## MFC r242625:
## SVN ##
## SVN ## Remove duplicate const specifiers in many drivers (I hope I got all of
## SVN ## them, please let me know if not).  Most of these are of the form:
## SVN ##
## SVN ## static const struct bzzt_type {
## SVN ##       [...list of members...]
## SVN ## } const bzzt_devs[] = {
## SVN ##       [...list of initializers...]
## SVN ## };
## SVN ##
## SVN ## The second const is unnecessary, as arrays cannot be modified anyway,
## SVN ## and if the elements are const, the whole thing is const automatically
## SVN ## (e.g. it is placed in .rodata).
## SVN ##
## SVN ## I have verified this does not change the binary output of a full kernel
## SVN ## build (except for build timestamps embedded in the object files).
## SVN ##
## SVN ## Reviewed by:	yongari, marius
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d3 1
a3 1
# $FreeBSD: stable/8/etc/rc.d/ipfw 208094 2010-05-14 19:28:16Z dougb $
@


1.21.2.4.6.1
log
@SVN rev 232438 on 2012-03-03 06:15:13Z by kensmith

Copy stable/8 to releng/8.3 as part of 8.3-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.21.2.4.6.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/8.3/etc/rc.d/ipfw 208094 2010-05-14 19:28:16Z dougb $
@


1.21.2.4.4.1
log
@SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)
@
text
@@


1.21.2.4.2.1
log
@SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)
@
text
@@


1.21.2.1.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.20
log
@SVN rev 193198 on 2009-06-01 05:35:03Z by dougb

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.
@
text
@d7 1
a7 1
# REQUIRE: FILESYSTEMS
@


1.19
log
@SVN rev 190575 on 2009-03-30 21:31:52Z by emax

- Add ipfw_nat to the list of required modules if "firewall_nat_enable"
  is set and "natd_enable" is NOT set;

- Accept and pass firewall type to the external firewall script.

Submitted by:		Yuri Kurenkov < y -dot- kurenkov -at- init -dot- ru >
MFC after:		3 days
No response from:	freebsd-rc
@
text
@d7 1
a7 2
# REQUIRE: ppp
# BEFORE: NETWORKING
@


1.18
log
@SVN rev 180296 on 2008-07-05 15:27:39Z by mtm

No need to display the result of enabling the ipfw sysctl if it's
successfull. Issue a warning if it fails, however.
@
text
@d26 6
d36 4
d47 1
a47 1
		/bin/sh "${firewall_script}"
d80 1
a80 1
run_rc_command "$1"
@


1.17
log
@Add a dummynet_enable knob to go with firewall_enable. If this knob
is enabled dummynet(4) is added to the list of required modules.

Discussed on:	#freebsd-bugbusters (rwatson, trhodes)
PR:		conf/79196
MFC after:	1 week
@
text
@d54 3
a56 1
	${SYSCTL_W} net.inet.ip.fw.enable=1
@


1.16
log
@Generally, anything that runs rc.d scripts internally should
start using the quiet prefix (i.e. quietstart, quietstop, etc...).
@
text
@d17 1
d21 7
@


1.15
log
@Instead of directly sourcing the firewall script, run it in a separate shell.
If the firewall script is sourced directly from the script, then any
exit statements in it will also terminate the rc.d script prematurely.

PR: conf/78762
MFC-After: 2 weeks
@
text
@d27 1
a27 1
			/etc/rc.d/natd start
d55 1
a55 1
		/etc/rc.d/natd stop
@


1.15.2.1
log
@MFC:
	Add a dummynet_enable knob to go with firewall_enable. If this knob
	is enabled dummynet(4) is added to the list of required modules.

	Discussed on: #freebsd-bugbusters (rwatson, trhodes)
	PR: conf/79196
@
text
@a16 1
start_precmd="ipfw_prestart"
a19 7
ipfw_prestart()
{
	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi
}

@


1.15.2.2
log
@SVN rev 190808 on 2009-04-07 16:29:50Z by emax

MFC r190575

- Add ipfw_nat to the list of required modules if "firewall_nat_enable"
  is set and "natd_enable" is NOT set;

- Accept and pass firewall type to the external firewall script.

Submitted by:		Yuri Kurenkov < y -dot- kurenkov -at- init -dot- ru >
No response from:	freebsd-rc
Approved by:		re (kib)
@
text
@a25 6

	if checkyesno firewall_nat_enable; then
		if ! checkyesno natd_enable; then
			required_modules="$required_modules ipfw_nat"
		fi
	fi 
a29 4
	local   _firewall_type

	_firewall_type=$1 

d37 1
a37 1
		/bin/sh "${firewall_script}" "${_firewall_type}"
d68 1
a68 1
run_rc_command $*
@


1.15.2.3
log
@SVN rev 204325 on 2010-02-25 18:02:52Z by emax

MFC: r203676

Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by:	Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by:	rhodes, rc@@
@
text
@a17 1
start_postcmd="ipfw_poststart"
d44 3
a60 13
}

ipfw_poststart()
{
	local	_coscript

	# Start firewall coscripts
	#
	for _coscript in ${firewall_coscripts} ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstart
		fi
	done
a68 2
	local	_coscript

d72 3
a74 8

	# Stop firewall coscripts
	#
	for _coscript in `reverse_list ${firewall_coscripts}` ; do
		if [ -f "${_coscript}" ]; then
			${_coscript} quietstop
		fi
	done
a77 2
firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"

@


1.15.2.4
log
@SVN rev 204526 on 2010-03-01 18:58:18Z by emax

Use start/stop instead of quietstart/quietstop. Pointy hat goes to me.

Pointed out by:	jhb
@
text
@d69 1
a69 1
			${_coscript} start
d90 1
a90 1
			${_coscript} stop
@


1.15.2.5
log
@SVN rev 208095 on 2010-05-14 19:36:11Z by dougb

MFC 208060:

Remove trailing white space. No functional changes.

Hand-delete trailing ws from rc.firewall while I'm here.
@
text
@d32 1
a32 1
	fi
d39 1
a39 1
	_firewall_type=$1
@


1.15.2.6
log
@SVN rev 211438 on 2010-08-17 21:28:40Z by jhb

MFC 175682,175683,175686:
Generally, anything that runs rc.d scripts internally should
start using the quiet prefix (i.e. quietstart, quietstop, etc...).
@
text
@d69 1
a69 1
			${_coscript} quietstart
d90 1
a90 1
			${_coscript} quietstop
@


1.15.2.7
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/7/etc/rc.d/ipfw 220110 2011-03-28 19:29:30Z dougb $
@


1.15.2.6.2.1
log
@SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)
@
text
@@


1.15.2.6.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/7.4/etc/rc.d/ipfw 211438 2010-08-17 21:28:40Z jhb $
@


1.15.2.2.4.1
log
@SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)
@
text
@@


1.15.2.2.2.1
log
@SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)
@
text
@@


1.15.2.1.2.1
log
@SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)
@
text
@@


1.14
log
@Use $required_modules wherever suitable.  Use load_kld() in special
cases.  So we get rid of quite a few lines of duplicated code.
@
text
@d29 1
a29 1
		. "${firewall_script}"
@


1.13
log
@De-uglify messages from the ipfw script.
@
text
@a16 1
start_precmd="ipfw_precmd"
d18 1
a18 12

ipfw_precmd()
{
	if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1; then
		if ! kldload ipfw; then
			warn unable to load firewall module.
			return 1
		fi
	fi

	return 0
}
@


1.12
log
@Use 'ipfw list' instead of 'ipfw l', since it's deprecated (and warning is
printed on system startup).

Approved by:	cognet (mentor)
MFC after:	3 days
@
text
@a37 1
		echo -n 'Starting divert daemons:'
d42 1
a42 1
		echo -n 'Firewall rules loaded'
a47 1
	echo '.'
d52 1
a52 1
		echo 'Firewall logging enabled'
@


1.11
log
@Transforming "ppp-user" into just "ppp", step 1:
The rcorder(8) condition PROVIDE'd by the script
and REQUIRE'd by the others becomes "ppp".

The ultimate goal of the transformation is to reduce
confusion resulting from the fact that $name has been
"ppp" already.

Discussed with: pjd, -rc
@
text
@d44 1
a44 1
	elif [ "`ipfw l 65535`" = "65535 deny ip from any to any" ]; then
@


1.10
log
@Start natd(8) before loading firewall rules, to give the
ipdivert.ko module a chance to load.
@
text
@d7 1
a7 1
# REQUIRE: ppp-user
@


1.10.2.1
log
@MFC:
Rename the rc.d script "ppp-user" to just "ppp".
@
text
@d7 1
a7 1
# REQUIRE: ppp
@


1.10.2.2
log
@MFC:

  Use 'ipfw list' instead of 'ipfw l', since it's deprecated (and warning is
  printed on system startup).

  Approved by:    cognet (mentor)

Approved by:	re (scottl)
@
text
@d44 1
a44 1
	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
@


1.10.2.3
log
@MFC rev. 1.13:

	De-uglify messages from the ipfw script.
@
text
@d38 1
d43 1
a43 1
		echo 'Firewall rules loaded.'
d49 1
d54 1
a54 1
		echo 'Firewall logging enabled.'
@


1.10.2.4
log
@MFC: revision 1.9 of rc.d/ip6fw and 1.15 of rc.d/ipfw

date: 2007/04/02 15:38:53;  author: mtm;  state: Exp;  lines: +1 -1
Instead of directly sourcing the firewall script, run it in a separate shell.
If the firewall script is sourced directly from the script, then any
exit statements in it will also terminate the rc.d script prematurely.

PR: conf/78762
@
text
@d41 1
a41 1
		/bin/sh "${firewall_script}"
@


1.10.2.5
log
@MFC:
	Add a dummynet_enable knob to go with firewall_enable. If this knob
	is enabled dummynet(4) is added to the list of required modules.

	Discussed on: #freebsd-bugbusters (rwatson, trhodes)
	PR: conf/79196
@
text
@a28 4
	if checkyesno dummynet_enable; then
		required_modules="$required_modules dummynet"
	fi

@


1.10.2.6
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/6/etc/rc.d/ipfw 178810 2008-05-06 10:50:51Z mtm $
@


1.10.2.5.2.1
log
@SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)
@
text
@@


1.9
log
@Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
@
text
@d38 1
a38 2
		. "${firewall_script}"
		echo -n 'Firewall rules loaded, starting divert daemons:'
d42 2
@


1.8
log
@Protect som cross-script invocations by checks to see that the target
script exists.  This allows pruning of rc.d scripts without getting
too many ugly boottime error message
@
text
@d9 1
a9 1
# KEYWORD: FreeBSD nojail
@


1.8.2.1
log
@RCS file: /home/ncvs/src/etc/rc,v
----------------------------
revision 1.335
date: 2004/10/08 14:23:49;  author: mtm;  state: Exp;  lines: +0 -1
Remove an unused variable.

Submitted by: Pawel Worach <pawel.worach@@telia.com>
----------------------------
revision 1.334
date: 2004/10/07 13:55:25;  author: mtm;  state: Exp;  lines: +1 -1
Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/nsswitch,v
----------------------------
revision 1.4
date: 2004/09/16 17:03:12;  author: keramida;  state: Exp;  lines: +1 -1
Fix requirement of `network' to `NETWORK' because the former isn't
provided by any rc.d script.

Approved by:	mtm
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/pflog,v
----------------------------
revision 1.3
date: 2004/09/16 17:04:20;  author: keramida;  state: Exp;  lines: +1 -1
We don't have any providers of `beforenetlkm' in FreeBSD.  Remove the
dependency to it from our rc.d scripts.

Approved by:	mtm
=============================================================================

Approved by: re/scottl
@
text
@d9 1
a9 1
# KEYWORD: nojail
@


1.7
log
@Add separate script for natd. This fixes race condition with "ipfw restart"
(when new natd is started before old natd died) and allows to manage natd
without touching ipfw.

natd should probably be killed with SIGKILL when stopping natd.
@
text
@d40 3
a42 1
		/etc/rc.d/natd start
d67 3
a69 1
	/etc/rc.d/natd stop
@


1.6
log
@Mark scripts as not usable inside a jail by adding keyword 'nojail'.

Some suggestions from:	rwatson, Ruben de Groot <mail25@@bzerk.org>
@
text
@d40 1
a40 25

		# Network Address Translation daemon
		#
		if checkyesno natd_enable; then
			dhcp_list="`list_net_interfaces dhcp`"
			for ifn in ${dhcp_list}; do
				case ${natd_interface} in
				${ifn})
					natd_flags="$natd_flags -dynamic"
					;;
				*)
					;;
				esac
			done
			if [ -n "${natd_interface}" ]; then
				if echo ${natd_interface} | \
				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
					natd_flags="$natd_flags -a ${natd_interface}"
				else
					natd_flags="$natd_flags -n ${natd_interface}"
				fi
			fi
			echo -n ' natd'
			${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
		fi
d65 1
a65 2
	killall natd;
	sleep 2;
@


1.5
log
@Add -dynamic to natd if dhcp is used for the natd interface.
Kill natd in stop().

Reviewed by:	mtm
@
text
@d3 1
a3 1
# $FreeBSD: src/etc/rc.d/ipfw,v 1.4 2003/03/30 15:52:18 mtm Exp $
d9 1
a9 1
# KEYWORD: FreeBSD
@


1.4
log
@Make the 'restart' command work. Otherwise, it would successfully
stop ipfw, but not enable it again.

Aesthetic changes
	o Use positve logic (instead of negative)
	o create a 'stop' function, rather than putting the
	  commands in the stop_cmd variable.

Submitted by:	des
Approved by:	markm (mentor) (implicit)
@
text
@d3 1
a3 1
# $FreeBSD$
d12 1
d44 10
d89 2
@


1.3
log
@Finish merging in rev. 1.124 of rc.network, so that natd can be used
withough the $natd_interface having to be explicitly specified on the
command line.

Approved by: markm (mentor)
Submitted by: Aaron D. Gifford <agifford@@infowest.com>
PR: conf/47024

MFC: upon re approval
@
text
@d17 1
a17 1
stop_cmd="${SYSCTL_W} net.inet.ip.fw.enable=0"
d63 9
a71 1
	! checkyesno firewall_logging && return 0
d73 5
a77 2
	echo 'Firewall logging=YES'
	sysctl net.inet.ip.fw.verbose=1 >/dev/null
@


1.2
log
@Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by:	silence from gordon
@
text
@a49 2
				echo -n ' natd'
				${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
d51 2
@


1.2.2.1
log
@Finish merging in rev. 1.124 of rc.network, so that natd can be used
withough the $natd_interface having to be explicitly specified on the
command line.

Approved by: markm (mentor)
Submitted by: Aaron D. Gifford <agifford@@infowest.com>
PR: conf/47024

MFC: upon re approval
@
text
@d50 2
a52 2
			echo -n ' natd'
			${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
@


1.2.2.2
log
@Backout previous commit. Wrong branch.
@
text
@a49 2
				echo -n ' natd'
				${natd_program:-/sbin/natd} ${natd_flags} ${natd_ifarg}
d51 2
@


1.1
log
@Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by:	Mike Makonnen <makonnen@@pacbell.net>
Reviewed by:	silence on -current and -hackers
Prodded by:	rwatson
@
text
@d21 2
a22 2
	if ! ${SYSCTL} net.inet.ip.fw.enable > /dev/null 2>&1 ; then
		if ! kldload ipfw ; then
d42 1
a42 1
		if checkyesno natd_enable ; then
d45 1
a45 1
			    	grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
@

