head	1.24;
access;
symbols
	RELENG_8_4:1.24.0.2
	RELENG_9_1_0_RELEASE:1.22.2.2.2.2
	RELENG_9_1:1.22.2.2.0.2
	RELENG_9_1_BP:1.22.2.2
	RELENG_8_3_0_RELEASE:1.19.2.3.2.1
	RELENG_8_3:1.19.2.3.0.2
	RELENG_8_3_BP:1.19.2.3
	RELENG_9_0_0_RELEASE:1.22.2.1.2.1
	RELENG_9_0:1.22.2.1.0.2
	RELENG_9_0_BP:1.22.2.1
	RELENG_9:1.22.0.2
	RELENG_9_BP:1.22
	RELENG_7_4_0_RELEASE:1.16.12.1
	RELENG_8_2_0_RELEASE:1.19.2.2.6.1
	RELENG_7_4:1.16.0.12
	RELENG_7_4_BP:1.16
	RELENG_8_2:1.19.2.2.0.6
	RELENG_8_2_BP:1.19.2.2
	RELENG_8_1_0_RELEASE:1.19.2.2.4.1
	RELENG_8_1:1.19.2.2.0.4
	RELENG_8_1_BP:1.19.2.2
	RELENG_7_3_0_RELEASE:1.16.10.1
	RELENG_7_3:1.16.0.10
	RELENG_7_3_BP:1.16
	RELENG_8_0_0_RELEASE:1.19.2.2.2.1
	RELENG_8_0:1.19.2.2.0.2
	RELENG_8_0_BP:1.19.2.2
	RELENG_8:1.19.0.2
	RELENG_8_BP:1.19
	RELENG_7_2_0_RELEASE:1.16.8.1
	RELENG_7_2:1.16.0.8
	RELENG_7_2_BP:1.16
	RELENG_7_1_0_RELEASE:1.16.6.1
	RELENG_6_4_0_RELEASE:1.7.2.5.4.1
	RELENG_7_1:1.16.0.6
	RELENG_7_1_BP:1.16
	RELENG_6_4:1.7.2.5.0.4
	RELENG_6_4_BP:1.7.2.5
	RELENG_7_0_0_RELEASE:1.16
	RELENG_6_3_0_RELEASE:1.7.2.5
	RELENG_7_0:1.16.0.4
	RELENG_7_0_BP:1.16
	RELENG_6_3:1.7.2.5.0.2
	RELENG_6_3_BP:1.7.2.5
	RELENG_7:1.16.0.2
	RELENG_7_BP:1.16
	RELENG_6_2_0_RELEASE:1.7.2.4
	RELENG_6_2:1.7.2.4.0.4
	RELENG_6_2_BP:1.7.2.4
	RELENG_5_5_0_RELEASE:1.3.2.3
	RELENG_5_5:1.3.2.3.0.2
	RELENG_5_5_BP:1.3.2.3
	RELENG_6_1_0_RELEASE:1.7.2.4
	RELENG_6_1:1.7.2.4.0.2
	RELENG_6_1_BP:1.7.2.4
	RELENG_6_0_0_RELEASE:1.7.2.1
	RELENG_6_0:1.7.2.1.0.2
	RELENG_6_0_BP:1.7.2.1
	RELENG_6:1.7.0.2
	RELENG_6_BP:1.7
	RELENG_5_4_0_RELEASE:1.3.2.2
	RELENG_5_4:1.3.2.2.0.2
	RELENG_5_4_BP:1.3.2.2
	RELENG_5_3_0_RELEASE:1.3.2.1
	RELENG_5_3:1.3.2.1.0.2
	RELENG_5_3_BP:1.3.2.1
	RELENG_5:1.3.0.2
	RELENG_5_BP:1.3;
locks; strict;
comment	@# @;


1.24
date	2012.11.17.01.49.05;	author svnexp;	state Exp;
branches
	1.24.2.1;
next	1.23;

1.23
date	2012.01.14.02.18.41;	author dougb;	state Exp;
branches;
next	1.22;

1.22
date	2011.05.17.07.40.13;	author hrs;	state Exp;
branches
	1.22.2.1;
next	1.21;

1.21
date	2010.12.17.09.38.55;	author kevlo;	state Exp;
branches;
next	1.20;

1.20
date	2009.10.10.22.17.03;	author dougb;	state Exp;
branches;
next	1.19;

1.19
date	2009.06.26.01.04.50;	author dougb;	state Exp;
branches
	1.19.2.1;
next	1.18;

1.18
date	2009.06.01.05.35.03;	author dougb;	state Exp;
branches;
next	1.17;

1.17
date	2008.07.11.08.11.49;	author mtm;	state Exp;
branches;
next	1.16;

1.16
date	2007.04.09.08.53.40;	author des;	state Exp;
branches
	1.16.2.1
	1.16.6.1
	1.16.8.1
	1.16.10.1
	1.16.12.1;
next	1.15;

1.15
date	2007.04.02.22.53.07;	author des;	state Exp;
branches;
next	1.14;

1.14
date	2006.12.31.10.37.18;	author yar;	state Exp;
branches;
next	1.13;

1.13
date	2006.06.05.03.47.14;	author obrien;	state Exp;
branches;
next	1.12;

1.12
date	2005.11.10.10.40.15;	author rse;	state Exp;
branches;
next	1.11;

1.11
date	2005.11.03.13.17.49;	author rse;	state Exp;
branches;
next	1.10;

1.10
date	2005.10.02.19.17.49;	author yar;	state Exp;
branches;
next	1.9;

1.9
date	2005.10.02.19.12.42;	author yar;	state Exp;
branches;
next	1.8;

1.8
date	2005.09.24.15.57.17;	author pjd;	state Exp;
branches;
next	1.7;

1.7
date	2005.04.04.23.06.10;	author seanc;	state Exp;
branches
	1.7.2.1;
next	1.6;

1.6
date	2004.10.25.08.12.28;	author pjd;	state Exp;
branches;
next	1.5;

1.5
date	2004.10.07.13.55.26;	author mtm;	state Exp;
branches;
next	1.4;

1.4
date	2004.09.16.17.04.20;	author keramida;	state Exp;
branches;
next	1.3;

1.3
date	2004.06.23.01.42.06;	author mlaier;	state Exp;
branches
	1.3.2.1;
next	1.2;

1.2
date	2004.04.02.19.25.27;	author mlaier;	state Exp;
branches;
next	1.1;

1.1
date	2004.03.23.22.30.15;	author mlaier;	state Exp;
branches;
next	;

1.24.2.1
date	2012.11.17.01.49.05;	author svnexp;	state dead;
branches;
next	1.24.2.2;

1.24.2.2
date	2013.03.28.13.02.44;	author svnexp;	state Exp;
branches;
next	;

1.22.2.1
date	2011.09.23.00.51.37;	author kensmith;	state Exp;
branches
	1.22.2.1.2.1;
next	1.22.2.2;

1.22.2.2
date	2012.02.14.10.16.56;	author dougb;	state Exp;
branches
	1.22.2.2.2.1;
next	1.22.2.3;

1.22.2.3
date	2012.11.17.11.36.11;	author svnexp;	state Exp;
branches;
next	;

1.22.2.1.2.1
date	2011.11.11.04.20.22;	author kensmith;	state Exp;
branches;
next	1.22.2.1.2.2;

1.22.2.1.2.2
date	2012.11.17.08.36.11;	author svnexp;	state Exp;
branches;
next	;

1.22.2.2.2.1
date	2012.08.05.23.54.33;	author kensmith;	state Exp;
branches;
next	1.22.2.2.2.2;

1.22.2.2.2.2
date	2012.11.17.08.47.01;	author svnexp;	state Exp;
branches;
next	;

1.19.2.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches;
next	1.19.2.2;

1.19.2.2
date	2009.10.16.00.17.09;	author dougb;	state Exp;
branches
	1.19.2.2.2.1
	1.19.2.2.4.1
	1.19.2.2.6.1;
next	1.19.2.3;

1.19.2.3
date	2012.02.14.10.17.14;	author dougb;	state Exp;
branches
	1.19.2.3.2.1;
next	1.19.2.4;

1.19.2.4
date	2012.11.17.10.35.57;	author svnexp;	state Exp;
branches;
next	;

1.19.2.2.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.19.2.2.4.1
date	2010.06.14.02.09.06;	author kensmith;	state Exp;
branches;
next	;

1.19.2.2.6.1
date	2010.12.21.17.09.25;	author kensmith;	state Exp;
branches;
next	;

1.19.2.3.2.1
date	2012.03.03.06.15.13;	author kensmith;	state Exp;
branches;
next	1.19.2.3.2.2;

1.19.2.3.2.2
date	2012.11.17.08.24.38;	author svnexp;	state Exp;
branches;
next	;

1.16.2.1
date	2012.02.14.10.17.30;	author dougb;	state Exp;
branches;
next	1.16.2.2;

1.16.2.2
date	2012.11.17.08.01.22;	author svnexp;	state Exp;
branches;
next	;

1.16.6.1
date	2008.11.25.02.59.29;	author kensmith;	state Exp;
branches;
next	;

1.16.8.1
date	2009.04.15.03.14.26;	author kensmith;	state Exp;
branches;
next	;

1.16.10.1
date	2010.02.10.00.26.20;	author kensmith;	state Exp;
branches;
next	;

1.16.12.1
date	2010.12.21.17.10.29;	author kensmith;	state Exp;
branches;
next	1.16.12.2;

1.16.12.2
date	2012.11.17.08.16.37;	author svnexp;	state Exp;
branches;
next	;

1.7.2.1
date	2005.10.08.03.32.53;	author yar;	state Exp;
branches;
next	1.7.2.2;

1.7.2.2
date	2005.11.10.07.32.35;	author rse;	state Exp;
branches;
next	1.7.2.3;

1.7.2.3
date	2006.01.21.22.09.32;	author yar;	state Exp;
branches;
next	1.7.2.4;

1.7.2.4
date	2006.01.22.13.45.28;	author yar;	state Exp;
branches;
next	1.7.2.5;

1.7.2.5
date	2007.05.24.16.14.37;	author des;	state Exp;
branches
	1.7.2.5.4.1;
next	1.7.2.6;

1.7.2.6
date	2012.11.17.07.39.08;	author svnexp;	state Exp;
branches;
next	;

1.7.2.5.4.1
date	2008.10.02.02.57.24;	author kensmith;	state Exp;
branches;
next	;

1.3.2.1
date	2004.10.10.09.50.54;	author mtm;	state Exp;
branches;
next	1.3.2.2;

1.3.2.2
date	2004.12.10.19.11.26;	author rse;	state Exp;
branches;
next	1.3.2.3;

1.3.2.3
date	2005.07.23.12.18.35;	author pjd;	state Exp;
branches;
next	;


desc
@@


1.24
log
@Switching exporter and resync
@
text
@#!/bin/sh
#
# $FreeBSD: head/etc/rc.d/pf 230099 2012-01-14 02:18:41Z dougb $
#

# PROVIDE: pf
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE:  routing
# KEYWORD: nojail

. /etc/rc.subr	# shared rc.d helper library; run_rc_command and check_startmsgs used below are not defined in this file

name="pf"
rcvar="pf_enable"	# literal name of the rc.conf enable knob for this script
load_rc_config $name	# NOTE(review): presumably where pf_program, pf_rules and pf_flags get their values; none is assigned in this file
start_cmd="pf_start"
stop_cmd="pf_stop"
check_cmd="pf_check"
reload_cmd="pf_reload"
resync_cmd="pf_resync"
status_cmd="pf_status"
extra_commands="check reload resync"	# "status" is not listed in this revision although status_cmd is set; whether it stays reachable depends on rc.subr
required_files="$pf_rules"	# expanded once, here, to whatever pf_rules holds after load_rc_config
required_modules="pf"

pf_start()	# start method: flush all pf state, load $pf_rules, then enable pf if it is not enabled yet
{
	check_startmsgs && echo -n 'Enabling pf'
	$pf_program -F all > /dev/null 2>&1	# flush everything first; output and errors are discarded
	$pf_program -f "$pf_rules" $pf_flags	# NOTE(review): exit status unchecked; the enable step below runs even if this load failed
	if ! $pf_program -s info | grep -q "Enabled" ; then	# enable only when the info output does not already say Enabled
		$pf_program -eq	# after a failed load nothing is loaded at this point; pf without rules passes traffic - confirm this fail-open start is intended
	fi
	check_startmsgs && echo '.'	# last command: its status, not the rule load's, is what pf_start returns
}

pf_stop()	# stop method: disable pf, but only when the info output reports it as Enabled
{
	if $pf_program -s info | grep -q "Enabled" ; then
		echo -n 'Disabling pf'	# printed unconditionally; not gated by check_startmsgs
		$pf_program -dq	# disables filtering only; nothing in this function flushes the loaded rules
		echo '.'
	fi
}

pf_check()	# check method: parse $pf_rules without loading it (-n)
{
	echo "Checking pf rules."
	$pf_program -n -f "$pf_rules"	# this status is the function's status; $pf_flags is not passed to the check
}

pf_reload()	# reload method: syntax-check $pf_rules, flush everything except states, then load the rules
{
	echo "Reloading pf rules."
	$pf_program -n -f "$pf_rules" || return 1	# stop before flushing anything if the ruleset does not parse
	# Flush everything except state entries so established connections survive the
	# reload; NOTE: they also survive if the new rules would no longer allow them.
	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags	# NOTE(review): no rules are loaded between the flush above and this load; the -n check ran without $pf_flags
}

pf_resync()	# resync method: load $pf_rules again, with no syntax pre-check and no flush
{
	$pf_program -f "$pf_rules" $pf_flags	# load status is returned to the caller as-is
}

pf_status()	# status method: print the "info" summary that pf_start and pf_stop grep for "Enabled"
{
	$pf_program -s info
}

run_rc_command "$1"	# hand the requested action (first argument) to rc.subr, using the *_cmd settings above
@


1.24.2.1
log
@file pf was added on branch RELENG_8_4 on 2013-03-28 13:02:44 +0000
@
text
@d1 72
@


1.24.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 72
#!/bin/sh
#
# $FreeBSD: releng/8.4/etc/rc.d/pf 231655 2012-02-14 10:17:14Z dougb $
#

# PROVIDE: pf
# REQUIRE: FILESYSTEMS netif pflog pfsync
# BEFORE:  routing
# KEYWORD: nojail

. /etc/rc.subr

name="pf"
rcvar="pf_enable"
load_rc_config $name
start_cmd="pf_start"
stop_cmd="pf_stop"
check_cmd="pf_check"
reload_cmd="pf_reload"
resync_cmd="pf_resync"
status_cmd="pf_status"
extra_commands="check reload resync status"
required_files="$pf_rules"
required_modules="pf"

pf_start()
{
	check_startmsgs && echo -n 'Enabling pf'
	$pf_program -F all > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags
	if ! $pf_program -s info | grep -q "Enabled" ; then
		$pf_program -e
	fi
	check_startmsgs && echo '.'
}

pf_stop()
{
	if $pf_program -s info | grep -q "Enabled" ; then
		echo -n 'Disabling pf'
		$pf_program -d
		echo '.'
	fi
}

pf_check()
{
	echo "Checking pf rules."
	$pf_program -n -f "$pf_rules"
}

pf_reload()
{
	echo "Reloading pf rules."
	$pf_program -n -f "$pf_rules" || return 1
	# Flush everything but existing state entries that way when
	# rules are read in, it doesn't break established connections.
	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags
}

pf_resync()
{
	$pf_program -f "$pf_rules" $pf_flags
}

pf_status()
{
	$pf_program -s info
}

run_rc_command "$1"
@


1.23
log
@SVN rev 230099 on 2012-01-14 02:18:41Z by dougb

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.

During the discussion on freebsd-rc@@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.
@
text
@d3 1
a3 1
# $FreeBSD$
@


1.22
log
@SVN rev 222007 on 2011-05-17 07:40:13Z by hrs

Remove redundant keywords.

Submitted by:	wxs
@
text
@d14 1
a14 1
rcvar=`set_rcvar`
@


1.22.2.1
log
@SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.22.2.2
log
@SVN rev 231653 on 2012-02-14 10:16:56Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d14 1
a14 1
rcvar="pf_enable"
@


1.22.2.3
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242902
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242902 | dteske | 2012-11-11 23:29:45 +0000 (Sun, 11 Nov 2012) | 10 lines
## SVN ##
## SVN ## Fix a regression introduced by SVN r211417 that saw the breakage of a feature
## SVN ## documented in usr.sbin/sysinstall/help/shortcuts.hlp (reproduced below):
## SVN ##
## SVN ## If /usr/sbin/sysinstall is linked to another filename, say
## SVN ## `/usr/local/bin/configPackages', then the basename will be used
## SVN ## as an implicit command name.
## SVN ##
## SVN ## Reviewed by:	adrian (co-mentor)
## SVN ## Approved by:	adrian (co-mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d3 1
a3 1
# $FreeBSD: stable/9/etc/rc.d/pf 231653 2012-02-14 10:16:56Z dougb $
@


1.22.2.2.2.1
log
@SVN rev 239080 on 2012-08-05 23:54:33Z by kensmith

Copy stable/9 to releng/9.1 as part of the 9.1-RELEASE release process.

Approved by:	re (implicit)
@
text
@@


1.22.2.2.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/9.1/etc/rc.d/pf 231653 2012-02-14 10:16:56Z dougb $
@


1.22.2.1.2.1
log
@SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)
@
text
@@


1.22.2.1.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/9.0/etc/rc.d/pf 222007 2011-05-17 07:40:13Z hrs $
@


1.21
log
@SVN rev 216499 on 2010-12-17 09:38:55Z by kevlo

Add pf in quiet mode
@
text
@d22 1
a22 1
extra_commands="check reload resync status"
@


1.20
log
@SVN rev 197947 on 2009-10-10 22:17:03Z by dougb

In regards to the "Starting foo:" type messages at boot time, create and
employ a more generic solution, and use it in the individual rc.d scripts
that also have an $rc_quiet test:

1. Add check_startmsgs() to rc.subr.
2. In the rc.d scripts that use rc_quiet (and rc.subr) substitute
variations of [ -z "$rc_quiet" ] with check_startmsgs
3. In savecore add a trailing '.' to the end of the message to make it
more consistent with other scripts.
4. In newsyslog remove a : before the terminal '.' since we do not expect
there to be anything printed out in between to make it more consistent.
5. In the following scripts change "quotes" to 'quotes' where no variables
exist in the message: savecore pf newsyslog
6. In the following scripts substitute if/then/fi for the simpler (and
more consistent) check_startmsgs &&: faith stf
7. In the following scripts separate the "Starting foo:" from the terminal
'.' to make them more consistent: moused hostname pf
8. In nfsclient move the message to its own line to avoid a style bug
9. In pf rc_quiet does not apply to the _stop method, so remove the
test there.
10. In motd add 'quotes' around the terminal '.' for consistency
@
text
@d32 1
a32 1
		$pf_program -e
d41 1
a41 1
		$pf_program -d
@


1.19
log
@SVN rev 195026 on 2009-06-26 01:04:50Z by dougb

Reverse the effect of r193198 for pf and ipfw which will once again
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.

IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.

This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.
@
text
@d28 1
a28 1
	[ -z "${rc_quiet}" ] && echo "Enabling pf."
d34 1
d40 1
a40 1
		[ -z "${rc_quiet}" ] && echo "Disabling pf."
d42 1
@


1.19.2.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.19.2.2
log
@SVN rev 198164 on 2009-10-16 00:17:09Z by dougb

MFC r197947:

In regards to the "Starting foo:" type messages at boot time, create
and employ a more generic solution, and use it in the individual rc.d
scripts that also have an $rc_quiet test:

1. Add check_startmsgs() to rc.subr.
2. In the rc.d scripts that use rc_quiet (and rc.subr) substitute
variations of [ -z "$rc_quiet" ] with check_startmsgs
3. In savecore add a trailing '.' to the end of the message to make it
more consistent with other scripts.
4. In newsyslog remove a : before the terminal '.' since we do not
expect there to be anything printed out in between to make it more
consistent.
5. In the following scripts change "quotes" to 'quotes' where no
variables exist in the message: savecore pf newsyslog
6. [Does not apply in RELENG_8]
7. In the following scripts separate the "Starting foo:" from the
terminal '.' to make them more consistent: moused hostname pf
8. In nfsclient move the message to its own line to avoid a style bug
9. In pf rc_quiet does not apply to the _stop method, so remove the
test there.
10. In motd add 'quotes' around the terminal '.' for consistency

Approved by:	re (kib)
@
text
@d28 1
a28 1
	check_startmsgs && echo -n 'Enabling pf'
a33 1
	check_startmsgs && echo '.'
d39 1
a39 1
		echo -n 'Disabling pf'
a40 1
		echo '.'
@


1.19.2.3
log
@SVN rev 231655 on 2012-02-14 10:17:14Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d14 1
a14 1
rcvar="pf_enable"
@


1.19.2.4
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242909
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242909 | dim | 2012-11-12 07:47:19 +0000 (Mon, 12 Nov 2012) | 20 lines
## SVN ##
## SVN ## MFC r242625:
## SVN ##
## SVN ## Remove duplicate const specifiers in many drivers (I hope I got all of
## SVN ## them, please let me know if not).  Most of these are of the form:
## SVN ##
## SVN ## static const struct bzzt_type {
## SVN ##       [...list of members...]
## SVN ## } const bzzt_devs[] = {
## SVN ##       [...list of initializers...]
## SVN ## };
## SVN ##
## SVN ## The second const is unnecessary, as arrays cannot be modified anyway,
## SVN ## and if the elements are const, the whole thing is const automatically
## SVN ## (e.g. it is placed in .rodata).
## SVN ##
## SVN ## I have verified this does not change the binary output of a full kernel
## SVN ## build (except for build timestamps embedded in the object files).
## SVN ##
## SVN ## Reviewed by:	yongari, marius
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d3 1
a3 1
# $FreeBSD: stable/8/etc/rc.d/pf 231655 2012-02-14 10:17:14Z dougb $
@


1.19.2.3.2.1
log
@SVN rev 232438 on 2012-03-03 06:15:13Z by kensmith

Copy stable/8 to releng/8.3 as part of 8.3-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.19.2.3.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/8.3/etc/rc.d/pf 231655 2012-02-14 10:17:14Z dougb $
@


1.19.2.2.6.1
log
@SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)
@
text
@@


1.19.2.2.4.1
log
@SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)
@
text
@@


1.19.2.2.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.18
log
@SVN rev 193198 on 2009-06-01 05:35:03Z by dougb

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.
@
text
@d7 1
a7 1
# REQUIRE: FILESYSTEMS pflog pfsync
@


1.17
log
@SVN rev 180440 on 2008-07-11 08:11:49Z by mtm

The pfctl(8) program is already pretty verbose, so don't print extra
information in quiet mode.
@
text
@d7 1
a7 1
# REQUIRE: FILESYSTEMS netif pflog pfsync
@


1.16
log
@FILESYSTEMS requires root, so requiring both of them is redundant.
@
text
@d28 1
a28 1
	echo "Enabling pf."
d39 1
a39 1
		echo "Disabling pf."
@


1.16.2.1
log
@SVN rev 231656 on 2012-02-14 10:17:30Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d14 1
a14 1
rcvar="pf_enable"
@


1.16.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/7/etc/rc.d/pf 231656 2012-02-14 10:17:30Z dougb $
@


1.16.12.1
log
@SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)
@
text
@@


1.16.12.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/7.4/etc/rc.d/pf 168531 2007-04-09 08:53:40Z des $
@


1.16.10.1
log
@SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)
@
text
@@


1.16.8.1
log
@SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)
@
text
@@


1.16.6.1
log
@SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)
@
text
@@


1.15
log
@Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider.  This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.

This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.

MFC after:	3 weeks
@
text
@d7 1
a7 1
# REQUIRE: root FILESYSTEMS netif pflog pfsync
@


1.14
log
@Use $required_modules wherever suitable.  Use load_kld() in special
cases.  So we get rid of quite a few lines of duplicated code.
@
text
@d7 1
a7 1
# REQUIRE: root mountcritlocal netif pflog pfsync
@


1.13
log
@Use an option form better matching the manual.
@
text
@a15 1
start_precmd="pf_prestart"
d24 1
a24 14

pf_prestart()
{
	# load pf kernel module if needed
	if ! kldstat -q -m pf ; then
		if kldload pf ; then
			info 'pf module loaded.'
		else
			warn 'pf module failed to load.'
			return 1
		fi
	fi
	return 0
}
@


1.12
log
@Backout r1.11...

> >   There is no need to explicitly add "status" to $extra_commands in
> >   the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
> >   run_rc_command() because of the existing $pf_program.
> >
> >   Submitted by:   Christoph Schug <chris@@schug.net>

...because as yar@@ points out: "[...] you were relying on evil
side-effects of the variable being named *_program. Those side-effects
have been eliminated since rc.subr rev. 1.42. [...] The point is that
the default "status" method is for rc.d scripts that handle startup and
shutdown of conventional daemons, and not for custom tasks like the pf
case."

The change is still valid in RELENG_6 (and still doesn't have to be
backed out) as long as rc.subr:r1.42 is not MFC'ed to RELENG_6, too.
@
text
@d43 1
a43 1
	$pf_program -Fall > /dev/null 2>&1
@


1.11
log
@There is no need to explicitly add "status" to $extra_commands in
the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
run_rc_command() because of the existing $pf_program.

Submitted by:	Christoph Schug <chris@@schug.net>
MFC after:	1 week
@
text
@d23 1
a23 1
extra_commands="check reload resync"
@


1.10
log
@Use available rc.subr features.
Reduce code duplication.
Follow the current style of rc.d scripting.
@
text
@d23 1
a23 1
extra_commands="check reload resync status"
@


1.9
log
@Record dependency on the newly introduced pfsync.

Start before routing for better system protection.
(pf used to start late during system boot, after
many a network daemon have started already, which
sucked from security POV.)

Remark: For maximum security, pf should start before
netif, but it would create a dependency loop because
pfsync has to start after netif, yet before pf.

Discussed with: mlaier on -pf
MFC after:	5 days
@
text
@a15 1
stop_precmd="test -f ${pf_rules}"
a18 1
check_precmd="$stop_precmd"
a19 1
reload_precmd="$stop_precmd"
a20 1
resync_precmd="$stop_precmd"
a21 1
status_precmd="$stop_precmd"
d24 1
d33 2
a34 1
			err 1 'pf module failed to load.'
d37 1
a37 6

	# check for pf rules
	if [ ! -r "${pf_rules}" ]; then
		warn 'pf: NO PF RULESET FOUND'
		return 1
	fi
d43 4
a46 4
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
		${pf_program:-/sbin/pfctl} -e
d52 1
a52 1
	if ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
d54 1
a54 1
		${pf_program:-/sbin/pfctl} -d
d61 1
a61 2

	${pf_program:-/sbin/pfctl} -n -f "${pf_rules}"
d67 1
a67 2

	${pf_program:-/sbin/pfctl} -n -f "${pf_rules}" || return 1
d70 2
a71 2
	${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
d76 1
a76 2
	# Don't resync if pf is not loaded
	kldstat -q -m pf && ${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
d81 1
a81 1
	${pf_program:-/sbin/pfctl} -si
@


1.8
log
@Simplify the code by making use of 'kldstat -q -m <mod>'.

No objections from:	mlaier
@
text
@d7 2
a8 2
# REQUIRE: root mountcritlocal netif pflog
# BEFORE:  DAEMON LOGIN
@


1.7
log
@When reloading rules via rc.d/pf, flush everything but existing state
entries, so that reading in the new rules doesn't break established
connections.

Approved by:	mlaier
Reviewed by:	rc
MFC after:	3 weeks
@
text
@d33 2
a34 2
	if ! kldstat -v | grep -q pf\$; then
		if kldload pf; then
d87 1
a87 4
	if ! kldstat -v | grep -q pf\$ ; then
		 return
	fi
	${pf_program:-/sbin/pfctl} -f "${pf_rules}" ${pf_flags}
@


1.7.2.1
log
@MFC:

Add an rc.d script to start the pfsync interface after all
the conventional network interfaces have been started so that
pfsync can be attached to any of the latter.

Record the dependency of rc.d/pf on the newly added rc.d/pfsync.
Also make rc.d/pf start as early as before rc.d/routing to improve
system security.

Document rc.d/pfsync on pfsync(4) and rc.conf(5).

Approved by:	re (scottl), mlaier
@
text
@d7 2
a8 2
# REQUIRE: root mountcritlocal netif pflog pfsync
# BEFORE:  routing
@


1.7.2.2
log
@MFC r1.11:

| There is no need to explicitly add "status" to $extra_commands in
| the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
| run_rc_command() because of the existing $pf_program.
|
| Submitted by:   Christoph Schug <chris@@schug.net>
@
text
@d28 1
a28 1
extra_commands="check reload resync"
@


1.7.2.3
log
@MFC r1.12 -- back out r1.7.2.2.

As rse@@ agreed, "status" should stay in $extra_commands
if an rc.d script doesn't use $command and default methods
associated with it.  This is true since rc.subr r1.42.
With r1.42 merged to rc.subr on RELENG_6 (thanks Doug!),
it's right time to re-add "status" to $extra_commands in
this script.
@
text
@d28 1
a28 1
extra_commands="check reload resync status"
@


1.7.2.4
log
@MFC rev. 1.8, 1.10:

Simplify the code by making use of 'kldstat -q -m <mod>'.

Use available rc.subr features.
Reduce code duplication.
Follow the current style of rc.d scripting.
@
text
@d16 1
d20 1
d22 1
d24 1
d26 1
a28 1
required_files="$pf_rules"
d33 2
a34 2
	if ! kldstat -q -m pf ; then
		if kldload pf ; then
d37 1
a37 2
			warn 'pf module failed to load.'
			return 1
d40 6
a45 1
	return 0
d51 4
a54 4
	$pf_program -Fall > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags
	if ! $pf_program -s info | grep -q "Enabled" ; then
		$pf_program -e
d60 1
a60 1
	if $pf_program -s info | grep -q "Enabled" ; then
d62 1
a62 1
		$pf_program -d
d69 2
a70 1
	$pf_program -n -f "$pf_rules"
d76 2
a77 1
	$pf_program -n -f "$pf_rules" || return 1
d80 2
a81 2
	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags
d86 5
a90 1
	$pf_program -f "$pf_rules" $pf_flags
d95 1
a95 1
	$pf_program -s info
@


1.7.2.5
log
@MFC: add FILESYSTEMS
@
text
@d7 1
a7 1
# REQUIRE: root FILESYSTEMS netif pflog pfsync
@


1.7.2.6
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/6/etc/rc.d/pf 169945 2007-05-24 16:14:37Z des $
@


1.7.2.5.4.1
log
@SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)
@
text
@@


1.6
log
@- Add 'check' command for checking rules syntax.
- Before flushing rules in 'reload' command, check first if rules are
  correct.
- Do not duplicate checking if $pf_rules file exists.
@
text
@d78 3
a80 1
	${pf_program:-/sbin/pfctl} -Fa > /dev/null 2>&1
@


1.5
log
@Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
@
text
@d20 2
d28 1
a28 1
extra_commands="reload resync status"
d42 1
a42 2
	if [ ! -r "${pf_rules}" ]
	then
d52 1
a52 4
	if [ -r "${pf_rules}" ]; then
		${pf_program:-/sbin/pfctl} \
		    -f "${pf_rules}" ${pf_flags}
	fi
d66 7
d77 1
d79 1
a79 4
	if [ -r "${pf_rules}" ]; then
		${pf_program:-/sbin/pfctl} \
		    -f "${pf_rules}" ${pf_flags}
	fi
@


1.4
log
@We don't have any providers of `beforenetlkm' in FreeBSD.  Remove the
dependency to it from our rc.d scripts.

Approved by:	mtm
@
text
@d9 1
a9 1
# KEYWORD: FreeBSD nojail
@


1.3
log
@Swap order of ruleset load and enabling pf to work around a problem on altq
startup. Moreover, this is the "more logical" order.
@
text
@d7 1
a7 1
# REQUIRE: root beforenetlkm mountcritlocal netif pflog
@


1.3.2.1
log
@RCS file: /home/ncvs/src/etc/rc,v
----------------------------
revision 1.335
date: 2004/10/08 14:23:49;  author: mtm;  state: Exp;  lines: +0 -1
Remove an unused variable.

Submitted by: Pawel Worach <pawel.worach@@telia.com>
----------------------------
revision 1.334
date: 2004/10/07 13:55:25;  author: mtm;  state: Exp;  lines: +1 -1
Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/nsswitch,v
----------------------------
revision 1.4
date: 2004/09/16 17:03:12;  author: keramida;  state: Exp;  lines: +1 -1
Fix requirement of `network' to `NETWORK' because the former isn't
provided by any rc.d script.

Approved by:	mtm
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/pflog,v
----------------------------
revision 1.3
date: 2004/09/16 17:04:20;  author: keramida;  state: Exp;  lines: +1 -1
We don't have any providers of `beforenetlkm' in FreeBSD.  Remove the
dependency to it from our rc.d scripts.

Approved by:	mtm
=============================================================================

Approved by: re/scottl
@
text
@d9 1
a9 1
# KEYWORD: nojail
@


1.3.2.2
log
@MFC etc/rc.d/ike 1.3, etc/rc.d/pf 1.4, etc/rc.d/pflog 1.3:
    We don't have any providers of `beforenetlkm' in FreeBSD.
    Remove the dependency to it from our rc.d scripts.

This resolves the following rcorder(8) complaints in 5.3-STABLE:

$ rcorder /etc/rc.d/* 2>&1 | grep rcorder
rcorder: requirement `beforenetlkm' in file `/etc/rc.d/ike' has no providers.
rcorder: requirement `beforenetlkm' in file `/etc/rc.d/pflog' has no providers.
rcorder: requirement `beforenetlkm' in file `/etc/rc.d/pf' has no providers.
@
text
@d7 1
a7 1
# REQUIRE: root mountcritlocal netif pflog
@


1.3.2.3
log
@MFC:	pf	1.7

When reloading rules via rc.d/pf, flush everything but existing state
entries, so that reading in the new rules doesn't break established
connections.

OK'ed by:	mlaier
Forgotten by:	seanc
@
text
@d72 1
a72 3
	# Flush everything but existing state entries that way when
	# rules are read in, it doesn't break established connections.
	${pf_program:-/sbin/pfctl} -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
@


1.2
log
@Add rc.d script to start pflogd and add rcvars etc. Also document vars in
rc.conf(5) and put a sample entry to newsyslog.conf

Reviewed by:	-current
Approved by:	bms(mentor)
@
text
@a49 3
	if ! ${pf_program:-/sbin/pfctl} -si | grep -q "Enabled" ; then
		${pf_program:-/sbin/pfctl} -e
	fi
d54 3
@


1.1
log
@Add rc.d script for pf(4) (more to come once pflogd(8) works as well).
Update defaults and write some lines for rc.conf(5) also.
Mostly dup'ed from ipf

Reviewed by:	-current
Approved by:	bms(mentor)
@
text
@d7 1
a7 1
# REQUIRE: root beforenetlkm mountcritlocal netif
@

