head	1.33;
access;
symbols
	RELENG_8_4:1.33.0.2
	RELENG_9_1_0_RELEASE:1.31.2.2.2.2
	RELENG_9_1:1.31.2.2.0.2
	RELENG_9_1_BP:1.31.2.2
	RELENG_8_3_0_RELEASE:1.30.2.2.2.1
	RELENG_8_3:1.30.2.2.0.2
	RELENG_8_3_BP:1.30.2.2
	RELENG_9_0_0_RELEASE:1.31.2.1.2.1
	RELENG_9_0:1.31.2.1.0.2
	RELENG_9_0_BP:1.31.2.1
	RELENG_9:1.31.0.2
	RELENG_9_BP:1.31
	RELENG_7_4_0_RELEASE:1.28.2.1.8.1
	RELENG_8_2_0_RELEASE:1.30.2.1.6.1
	RELENG_7_4:1.28.2.1.0.8
	RELENG_7_4_BP:1.28.2.1
	RELENG_8_2:1.30.2.1.0.6
	RELENG_8_2_BP:1.30.2.1
	RELENG_8_1_0_RELEASE:1.30.2.1.4.1
	RELENG_8_1:1.30.2.1.0.4
	RELENG_8_1_BP:1.30.2.1
	RELENG_7_3_0_RELEASE:1.28.2.1.6.1
	RELENG_7_3:1.28.2.1.0.6
	RELENG_7_3_BP:1.28.2.1
	RELENG_8_0_0_RELEASE:1.30.2.1.2.1
	RELENG_8_0:1.30.2.1.0.2
	RELENG_8_0_BP:1.30.2.1
	RELENG_8:1.30.0.2
	RELENG_8_BP:1.30
	RELENG_7_2_0_RELEASE:1.28.2.1.4.1
	RELENG_7_2:1.28.2.1.0.4
	RELENG_7_2_BP:1.28.2.1
	RELENG_7_1_0_RELEASE:1.28.2.1.2.1
	RELENG_6_4_0_RELEASE:1.24.2.3.2.1
	RELENG_7_1:1.28.2.1.0.2
	RELENG_7_1_BP:1.28.2.1
	RELENG_6_4:1.24.2.3.0.2
	RELENG_6_4_BP:1.24.2.3
	RELENG_7_0_0_RELEASE:1.28.4.1
	RELENG_6_3_0_RELEASE:1.24.2.2
	RELENG_7_0:1.28.0.4
	RELENG_7_0_BP:1.28
	RELENG_6_3:1.24.2.2.0.2
	RELENG_6_3_BP:1.24.2.2
	RELENG_7:1.28.0.2
	RELENG_7_BP:1.28
	RELENG_6_2_0_RELEASE:1.24
	RELENG_6_2:1.24.0.8
	RELENG_6_2_BP:1.24
	RELENG_5_5_0_RELEASE:1.21.2.1
	RELENG_5_5:1.21.2.1.0.6
	RELENG_5_5_BP:1.21.2.1
	RELENG_6_1_0_RELEASE:1.24
	RELENG_6_1:1.24.0.6
	RELENG_6_1_BP:1.24
	RELENG_6_0_0_RELEASE:1.24
	RELENG_6_0:1.24.0.4
	RELENG_6_0_BP:1.24
	RELENG_6:1.24.0.2
	RELENG_6_BP:1.24
	RELENG_5_4_0_RELEASE:1.21.2.1
	RELENG_5_4:1.21.2.1.0.4
	RELENG_5_4_BP:1.21.2.1
	RELENG_5_3_0_RELEASE:1.21.2.1
	RELENG_5_3:1.21.2.1.0.2
	RELENG_5_3_BP:1.21.2.1
	RELENG_5:1.21.0.2
	RELENG_5_BP:1.21
	RELENG_5_2_1_RELEASE:1.14
	RELENG_5_2_0_RELEASE:1.14
	RELENG_5_2:1.14.0.2
	RELENG_5_2_BP:1.14
	RELENG_5_1_0_RELEASE:1.10
	RELENG_5_1:1.10.0.2
	RELENG_5_1_BP:1.10
	RELENG_5_0_0_RELEASE:1.5
	RELENG_5_0:1.5.0.2
	RELENG_5_0_BP:1.5
	head_20020621:1.1.1.2
	head_20010615:1.1.1.1
	NETBSD:1.1.1;
locks; strict;
comment	@# @;


1.33
date	2012.11.17.01.49.04;	author svnexp;	state Exp;
branches
	1.33.2.1;
next	1.32;

1.32
date	2012.01.14.02.18.41;	author dougb;	state Exp;
branches;
next	1.31;

1.31
date	2011.05.17.07.40.13;	author hrs;	state Exp;
branches
	1.31.2.1;
next	1.30;

1.30
date	2009.06.01.05.35.03;	author dougb;	state Exp;
branches
	1.30.2.1;
next	1.29;

1.29
date	2007.12.08.07.20.22;	author dougb;	state Exp;
branches;
next	1.28;

1.28
date	2007.04.09.08.53.40;	author des;	state Exp;
branches
	1.28.2.1
	1.28.4.1;
next	1.27;

1.27
date	2007.04.02.22.53.07;	author des;	state Exp;
branches;
next	1.26;

1.26
date	2006.12.31.10.37.18;	author yar;	state Exp;
branches;
next	1.25;

1.25
date	2006.11.11.10.48.34;	author ceri;	state Exp;
branches;
next	1.24;

1.24
date	2005.07.07.05.59.44;	author jkim;	state Exp;
branches
	1.24.2.1;
next	1.23;

1.23
date	2005.06.21.09.39.09;	author dd;	state Exp;
branches;
next	1.22;

1.22
date	2004.10.07.13.55.26;	author mtm;	state Exp;
branches;
next	1.21;

1.21
date	2004.04.23.15.43.13;	author darrenr;	state Exp;
branches
	1.21.2.1;
next	1.20;

1.20
date	2004.04.20.13.30.49;	author darrenr;	state Exp;
branches;
next	1.19;

1.19
date	2004.03.08.12.25.05;	author pjd;	state Exp;
branches;
next	1.18;

1.18
date	2004.03.05.07.43.38;	author mtm;	state Exp;
branches;
next	1.17;

1.17
date	2004.01.24.20.40.11;	author mux;	state Exp;
branches;
next	1.16;

1.16
date	2004.01.17.10.40.45;	author mtm;	state Exp;
branches;
next	1.15;

1.15
date	2004.01.17.10.16.38;	author mtm;	state Exp;
branches;
next	1.14;

1.14
date	2003.10.13.08.20.55;	author dougb;	state Exp;
branches;
next	1.13;

1.13
date	2003.10.03.11.57.43;	author mux;	state Exp;
branches;
next	1.12;

1.12
date	2003.09.27.13.50.47;	author mux;	state Exp;
branches;
next	1.11;

1.11
date	2003.07.30.18.53.59;	author mtm;	state Exp;
branches;
next	1.10;

1.10
date	2003.04.30.02.54.17;	author mtm;	state Exp;
branches;
next	1.9;

1.9
date	2003.04.30.02.19.38;	author mtm;	state Exp;
branches;
next	1.8;

1.8
date	2003.04.24.08.20.47;	author mtm;	state Exp;
branches;
next	1.7;

1.7
date	2003.03.22.14.53.23;	author ume;	state Exp;
branches;
next	1.6;

1.6
date	2003.03.05.17.16.22;	author ume;	state Exp;
branches;
next	1.5;

1.5
date	2002.11.02.08.21.25;	author ume;	state Exp;
branches;
next	1.4;

1.4
date	2002.10.12.10.31.31;	author schweikh;	state Exp;
branches;
next	1.3;

1.3
date	2002.09.06.16.18.05;	author gordon;	state Exp;
branches;
next	1.2;

1.2
date	2002.06.13.22.14.36;	author gordon;	state Exp;
branches;
next	1.1;

1.1
date	2001.06.16.07.16.14;	author obrien;	state Exp;
branches
	1.1.1.1;
next	;

1.33.2.1
date	2012.11.17.01.49.04;	author svnexp;	state dead;
branches;
next	1.33.2.2;

1.33.2.2
date	2013.03.28.13.02.43;	author svnexp;	state Exp;
branches;
next	;

1.31.2.1
date	2011.09.23.00.51.37;	author kensmith;	state Exp;
branches
	1.31.2.1.2.1;
next	1.31.2.2;

1.31.2.2
date	2012.02.14.10.16.56;	author dougb;	state Exp;
branches
	1.31.2.2.2.1;
next	1.31.2.3;

1.31.2.3
date	2012.11.17.11.36.11;	author svnexp;	state Exp;
branches;
next	;

1.31.2.1.2.1
date	2011.11.11.04.20.22;	author kensmith;	state Exp;
branches;
next	1.31.2.1.2.2;

1.31.2.1.2.2
date	2012.11.17.08.36.11;	author svnexp;	state Exp;
branches;
next	;

1.31.2.2.2.1
date	2012.08.05.23.54.33;	author kensmith;	state Exp;
branches;
next	1.31.2.2.2.2;

1.31.2.2.2.2
date	2012.11.17.08.47.01;	author svnexp;	state Exp;
branches;
next	;

1.30.2.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches
	1.30.2.1.2.1
	1.30.2.1.4.1
	1.30.2.1.6.1;
next	1.30.2.2;

1.30.2.2
date	2012.02.14.10.17.14;	author dougb;	state Exp;
branches
	1.30.2.2.2.1;
next	1.30.2.3;

1.30.2.3
date	2012.11.17.10.35.56;	author svnexp;	state Exp;
branches;
next	;

1.30.2.1.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.30.2.1.4.1
date	2010.06.14.02.09.06;	author kensmith;	state Exp;
branches;
next	;

1.30.2.1.6.1
date	2010.12.21.17.09.25;	author kensmith;	state Exp;
branches;
next	;

1.30.2.2.2.1
date	2012.03.03.06.15.13;	author kensmith;	state Exp;
branches;
next	1.30.2.2.2.2;

1.30.2.2.2.2
date	2012.11.17.08.24.38;	author svnexp;	state Exp;
branches;
next	;

1.28.2.1
date	2008.01.28.07.55.44;	author dougb;	state Exp;
branches
	1.28.2.1.2.1
	1.28.2.1.4.1
	1.28.2.1.6.1
	1.28.2.1.8.1;
next	1.28.2.2;

1.28.2.2
date	2012.02.14.10.17.30;	author dougb;	state Exp;
branches;
next	1.28.2.3;

1.28.2.3
date	2012.11.17.08.01.21;	author svnexp;	state Exp;
branches;
next	;

1.28.2.1.2.1
date	2008.11.25.02.59.29;	author kensmith;	state Exp;
branches;
next	;

1.28.2.1.4.1
date	2009.04.15.03.14.26;	author kensmith;	state Exp;
branches;
next	;

1.28.2.1.6.1
date	2010.02.10.00.26.20;	author kensmith;	state Exp;
branches;
next	;

1.28.2.1.8.1
date	2010.12.21.17.10.29;	author kensmith;	state Exp;
branches;
next	1.28.2.1.8.2;

1.28.2.1.8.2
date	2012.11.17.08.16.37;	author svnexp;	state Exp;
branches;
next	;

1.28.4.1
date	2008.01.28.07.58.31;	author dougb;	state Exp;
branches;
next	;

1.24.2.1
date	2006.12.31.17.49.38;	author ceri;	state Exp;
branches;
next	1.24.2.2;

1.24.2.2
date	2007.05.24.16.14.37;	author des;	state Exp;
branches;
next	1.24.2.3;

1.24.2.3
date	2008.01.28.08.22.32;	author dougb;	state Exp;
branches
	1.24.2.3.2.1;
next	1.24.2.4;

1.24.2.4
date	2012.11.17.07.39.07;	author svnexp;	state Exp;
branches;
next	;

1.24.2.3.2.1
date	2008.10.02.02.57.24;	author kensmith;	state Exp;
branches;
next	;

1.21.2.1
date	2004.10.10.09.50.53;	author mtm;	state Exp;
branches;
next	1.21.2.2;

1.21.2.2
date	2006.12.31.17.54.41;	author ceri;	state Exp;
branches;
next	;

1.1.1.1
date	2001.06.16.07.16.14;	author obrien;	state Exp;
branches;
next	1.1.1.2;

1.1.1.2
date	2002.06.21.19.07.21;	author obrien;	state Exp;
branches;
next	;


desc
@@


1.33
log
@Switching exporter and resync
@
text
@#!/bin/sh
#
# $FreeBSD: head/etc/rc.d/ipfilter 230099 2012-01-14 02:18:41Z dougb $
#

# PROVIDE: ipfilter
# REQUIRE: FILESYSTEMS
# KEYWORD: nojail

. /etc/rc.subr

name="ipfilter"
rcvar="ipfilter_enable"
load_rc_config $name
stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"

start_precmd="$stop_precmd"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync"
required_modules="ipl:ipfilter"

ipfilter_start()
{
	echo "Enabling ipfilter."
	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
}

ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
		if [ $? -ne 0 ]; then
			err 1 'Load of rules into alternate set failed; aborting reload'
		fi
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
		if [ $? -ne 0 ]; then
			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
		fi
	fi
	${ipfilter_program:-/sbin/ipf} -s

}

ipfilter_resync()
{
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"
@


1.33.2.1
log
@file ipfilter was added on branch RELENG_8_4 on 2013-03-28 13:02:43 +0000
@
text
@d1 92
@


1.33.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 92
#!/bin/sh
#
# $FreeBSD: releng/8.4/etc/rc.d/ipfilter 231655 2012-02-14 10:17:14Z dougb $
#

# PROVIDE: ipfilter
# REQUIRE: FILESYSTEMS
# KEYWORD: nojail

. /etc/rc.subr

name="ipfilter"
rcvar="ipfilter_enable"
load_rc_config $name
stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"

start_precmd="$stop_precmd"
start_cmd="ipfilter_start"
stop_cmd="ipfilter_stop"
reload_precmd="$stop_precmd"
reload_cmd="ipfilter_reload"
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
status_precmd="$stop_precmd"
status_cmd="ipfilter_status"
extra_commands="reload resync status"
required_modules="ipl:ipfilter"

ipfilter_start()
{
	echo "Enabling ipfilter."
	if [ `sysctl -n net.inet.ipf.fr_running` -le 0 ]; then
		${ipfilter_program:-/sbin/ipf} -E
	fi
	${ipfilter_program:-/sbin/ipf} -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
	fi
	${ipfilter_program:-/sbin/ipf} -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
	fi
}

ipfilter_stop()
{
	# XXX - The ipf -D command is not effective for 'lkm's
	if [ `sysctl -n net.inet.ipf.fr_running` -eq 1 ]; then
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		echo "Disabling ipfilter."
		${ipfilter_program:-/sbin/ipf} -D
	fi
}

ipfilter_reload()
{
	echo "Reloading ipfilter rules."

	${ipfilter_program:-/sbin/ipf} -I -Fa
	if [ -r "${ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I \
		    -f "${ipfilter_rules}" ${ipfilter_flags}
		if [ $? -ne 0 ]; then
			err 1 'Load of rules into alternate set failed; aborting reload'
		fi
	fi
	${ipfilter_program:-/sbin/ipf} -I -6 -Fa
	if [ -r "${ipv6_ipfilter_rules}" ]; then
		${ipfilter_program:-/sbin/ipf} -I -6 \
		    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
		if [ $? -ne 0 ]; then
			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
		fi
	fi
	${ipfilter_program:-/sbin/ipf} -s

}

ipfilter_resync()
{
	${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags}
}

ipfilter_status()
{
	${ipfilter_program:-/sbin/ipf} -V
}

run_rc_command "$1"
@


1.32
log
@SVN rev 230099 on 2012-01-14 02:18:41Z by dougb

Prepare for the removal of set_rcvar() by changing the rcvar=
assignments to the literal values it would have returned.

The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.

During the discussion on freebsd-rc@@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is also a tiny bit
faster than dereferencing the variables, and every little bit helps.
@
text
@d3 1
a3 1
# $FreeBSD$
@


1.31
log
@SVN rev 222007 on 2011-05-17 07:40:13Z by hrs

Remove redundant keywords.

Submitted by:	wxs
@
text
@d13 1
a13 1
rcvar=`set_rcvar`
@


1.31.2.1
log
@SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.31.2.2
log
@SVN rev 231653 on 2012-02-14 10:16:56Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d13 1
a13 1
rcvar="ipfilter_enable"
@


1.31.2.3
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242902
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242902 | dteske | 2012-11-11 23:29:45 +0000 (Sun, 11 Nov 2012) | 10 lines
## SVN ##
## SVN ## Fix a regression introduced by SVN r211417 that saw the breakage of a feature
## SVN ## documented in usr.sbin/sysinstall/help/shortcuts.hlp (reproduced below):
## SVN ##
## SVN ## If /usr/sbin/sysinstall is linked to another filename, say
## SVN ## `/usr/local/bin/configPackages', then the basename will be used
## SVN ## as an implicit command name.
## SVN ##
## SVN ## Reviewed by:	adrian (co-mentor)
## SVN ## Approved by:	adrian (co-mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d3 1
a3 1
# $FreeBSD: stable/9/etc/rc.d/ipfilter 231653 2012-02-14 10:16:56Z dougb $
@


1.31.2.2.2.1
log
@SVN rev 239080 on 2012-08-05 23:54:33Z by kensmith

Copy stable/9 to releng/9.1 as part of the 9.1-RELEASE release process.

Approved by:	re (implicit)
@
text
@@


1.31.2.2.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/9.1/etc/rc.d/ipfilter 231653 2012-02-14 10:16:56Z dougb $
@


1.31.2.1.2.1
log
@SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)
@
text
@@


1.31.2.1.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/9.0/etc/rc.d/ipfilter 222007 2011-05-17 07:40:13Z hrs $
@


1.30
log
@SVN rev 193198 on 2009-06-01 05:35:03Z by dougb

Make the pf and ipfw firewalls start before netif, just like ipfilter
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.
@
text
@d26 1
a26 1
extra_commands="reload resync status"
@


1.30.2.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.30.2.2
log
@SVN rev 231655 on 2012-02-14 10:17:14Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d13 1
a13 1
rcvar="ipfilter_enable"
@


1.30.2.3
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242909
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242909 | dim | 2012-11-12 07:47:19 +0000 (Mon, 12 Nov 2012) | 20 lines
## SVN ##
## SVN ## MFC r242625:
## SVN ##
## SVN ## Remove duplicate const specifiers in many drivers (I hope I got all of
## SVN ## them, please let me know if not).  Most of these are of the form:
## SVN ##
## SVN ## static const struct bzzt_type {
## SVN ##       [...list of members...]
## SVN ## } const bzzt_devs[] = {
## SVN ##       [...list of initializers...]
## SVN ## };
## SVN ##
## SVN ## The second const is unnecessary, as arrays cannot be modified anyway,
## SVN ## and if the elements are const, the whole thing is const automatically
## SVN ## (e.g. it is placed in .rodata).
## SVN ##
## SVN ## I have verified this does not change the binary output of a full kernel
## SVN ## build (except for build timestamps embedded in the object files).
## SVN ##
## SVN ## Reviewed by:	yongari, marius
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d3 1
a3 1
# $FreeBSD: stable/8/etc/rc.d/ipfilter 231655 2012-02-14 10:17:14Z dougb $
@


1.30.2.2.2.1
log
@SVN rev 232438 on 2012-03-03 06:15:13Z by kensmith

Copy stable/8 to releng/8.3 as part of 8.3-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.30.2.2.2.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/8.3/etc/rc.d/ipfilter 231655 2012-02-14 10:17:14Z dougb $
@


1.30.2.1.6.1
log
@SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)
@
text
@@


1.30.2.1.4.1
log
@SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)
@
text
@@


1.30.2.1.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.29
log
@Remove $NetBSD$ CVS tags. We no longer attempt to synch our rc.d files
with theirs, so this information doesn't need to be in the live file.
Having it in our CVS history is enough.
@
text
@a7 1
# BEFORE:  netif
@


1.28
log
@FILESYSTEMS requires root, so requiring both of them is redundant.
@
text
@a2 1
# $NetBSD: ipfilter,v 1.10 2001/02/28 17:03:50 lukem Exp $
@


1.28.4.1
log
@MFC the purely cosmetic changes, including removal of $NetBSD$ Ids,
a few spurious #'s, an empty REQUIRE, and a never-used KEYWORD.

Approved by:	re (kensmith)
@
text
@d3 1
@


1.28.2.1
log
@MFC the purely cosmetic changes, including removal of $NetBSD$ Ids,
a few spurious #'s, an empty REQUIRE, and a never-used KEYWORD.
@
text
@d3 1
@


1.28.2.2
log
@SVN rev 231656 on 2012-02-14 10:17:30Z by dougb

MFC r230099:

Change rcvar= assignments to the literal values set_rcvar
would have returned. This will slightly reduce boot time,
and help in diff reduction to HEAD.
@
text
@d14 1
a14 1
rcvar="ipfilter_enable"
@


1.28.2.3
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/7/etc/rc.d/ipfilter 231656 2012-02-14 10:17:30Z dougb $
@


1.28.2.1.8.1
log
@SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)
@
text
@@


1.28.2.1.8.2
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: releng/7.4/etc/rc.d/ipfilter 175736 2008-01-28 07:55:44Z dougb $
@


1.28.2.1.6.1
log
@SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)
@
text
@@


1.28.2.1.4.1
log
@SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)
@
text
@@


1.28.2.1.2.1
log
@SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)
@
text
@@


1.27
log
@Add a dummy script, FILESYSTEMS, which depends on root and mountcritlocal
and takes over mountcritlocal's role as the early / late divider.  This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.

This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.

MFC after:	3 weeks
@
text
@d8 1
a8 1
# REQUIRE: root FILESYSTEMS
@


1.26
log
@Use $required_modules wherever suitable.  Use load_kld() in special
cases.  So we get rid of quite a few lines of duplicated code.
@
text
@d8 1
a8 1
# REQUIRE: root mountcritlocal
@


1.25
log
@Ensure that the load of rules into the alternate ruleset worked before
loading them into the live one too.

PR:		conf/97311
Submitted by:	David Bushong
Reviewed by:	silence on rc@@
Approved by:	ru (mentor)
MFC after:	10 days
@
text
@d19 1
a19 1
start_precmd="ipfilter_prestart"
d29 1
a29 29

ipfilter_loaded()
{
	if ! kldstat -v | grep "ipfilter$" > /dev/null 2>&1; then
		return 1
	else
		return 0
	fi
}

ipfilter_prestart()
{
	# load ipfilter kernel module if needed
	if ! ipfilter_loaded; then
		if kldload ipl; then
			info 'IP-filter module loaded.'
		else
			err 1 'IP-filter module failed to load.'
		fi
	fi

	# check for ipfilter rules
	if [ ! -r "${ipfilter_rules}" ] && [ ! -r "${ipv6_ipfilter_rules}" ]
	then
		warn 'IP-filter: NO IPF RULES'
		return 1
	fi
	return 0
}
a85 4
	# Don't resync if ipfilter is not loaded
	if ! ipfilter_loaded; then
		 return
	fi
@


1.24
log
@`net.inet.ipf.fr_running' can be a negative value, which was introduced by
recent ipfilter import.

Approved by:	re (scottl), anholt (mentor)
@
text
@d96 3
d104 3
@


1.24.2.1
log
@MFC revision 1.25:
  Ensure that the load of rules into the alternate ruleset worked before
  loading them into the live one too.

PR:		conf/97311
Approved by:	ru
@
text
@a95 3
		if [ $? -ne 0 ]; then
			err 1 'Load of rules into alternate set failed; aborting reload'
		fi
a100 3
		if [ $? -ne 0 ]; then
			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
		fi
@


1.24.2.2
log
@MFC: add FILESYSTEMS
@
text
@d8 1
a8 1
# REQUIRE: root FILESYSTEMS
@


1.24.2.3
log
@MFC the purely cosmetic changes, including removal of $NetBSD$ Ids,
a few spurious #'s, an empty REQUIRE, and a never-used KEYWORD.
@
text
@d3 1
@


1.24.2.4
log
@Switch importer
@
text
@d3 1
a3 1
# $FreeBSD: stable/6/etc/rc.d/ipfilter 175742 2008-01-28 08:22:33Z dougb $
@


1.24.2.3.2.1
log
@SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)
@
text
@@


1.23
log
@Unbreak the ipfilter_loaded function. There doesn't seem to be a way
for kldstat to ever print "IP Filter" (the module is called "ipfilter"
and modules don't have anything like a description), so this function
would always return false. That would cause prestart to attempt to
load the module even if it's already loaded, which would fail and
prevent the rules from being loaded.

Approved by:	re (dwhite)
@
text
@d62 1
a62 1
	if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
@


1.22
log
@Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
@
text
@d32 1
a32 1
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
@


1.21
log
@Change the dependency between these two scripts so that ipmon depends on
ipfilter rather than the other way around, preventing ipmon from exiting
at startup because ipfilter is not yet enabled (using the device results
too early results in ENXIO.)
@
text
@d10 1
a10 1
# KEYWORD: FreeBSD nojail
@


1.21.2.1
log
@RCS file: /home/ncvs/src/etc/rc,v
----------------------------
revision 1.335
date: 2004/10/08 14:23:49;  author: mtm;  state: Exp;  lines: +0 -1
Remove an unused variable.

Submitted by: Pawel Worach <pawel.worach@@telia.com>
----------------------------
revision 1.334
date: 2004/10/07 13:55:25;  author: mtm;  state: Exp;  lines: +1 -1
Remove the requirement for the FreeBSD keyword as it no longer
makes any sense.

Discussed with: dougb, brooks
MFC after: 3 days
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/nsswitch,v
----------------------------
revision 1.4
date: 2004/09/16 17:03:12;  author: keramida;  state: Exp;  lines: +1 -1
Fix requirement of `network' to `NETWORK' because the former isn't
provided by any rc.d script.

Approved by:	mtm
=============================================================================
RCS file: /home/ncvs/src/etc/rc.d/pflog,v
----------------------------
revision 1.3
date: 2004/09/16 17:04:20;  author: keramida;  state: Exp;  lines: +1 -1
We don't have any providers of `beforenetlkm' in FreeBSD.  Remove the
dependency to it from our rc.d scripts.

Approved by:	mtm
=============================================================================

Approved by: re/scottl
@
text
@d10 1
a10 1
# KEYWORD: nojail
@


1.21.2.2
log
@MFC revision 1.25:
  Ensure that the load of rules into the alternate ruleset worked before
  loading them into the live one too.

PR:             conf/97311
Approved by:    ru
@
text
@a95 3
		if [ $? -ne 0 ]; then
			err 1 'Load of rules into alternate set failed; aborting reload'
		fi
a100 3
		if [ $? -ne 0 ]; then
			err 1 'Load of IPv6 rules into alternate set failed; aborting reload'
		fi
@


1.20
log
@apply patch so pr can be closed

PR:		misc/56715
Submitted by:	grant@@NetBSD.org
Reviewed by:	darrenr
@
text
@@


1.19
log
@Mark scripts as not usable inside a jail by adding keyword 'nojail'.

Some suggestions from:	rwatson, Ruben de Groot <mail25@@bzerk.org>
@
text
@d8 1
a8 1
# REQUIRE: root mountcritlocal ipmon
@


1.18
log
@Remove scripts we don't use from requirement lines. These were
hold-overs from the initial NetBSD import.
@
text
@d10 1
a10 1
# KEYWORD: FreeBSD
@


1.17
log
@Move the test used to determine whether IPFilter is loaded or not
into its own function to avoid a small duplication of code.
@
text
@d8 1
a8 1
# REQUIRE: root beforenetlkm mountcritlocal ipmon
@


1.16
log
@Luke Mewburn has indicated that they (NetBSD) are not interested
in keeping the scripts under rc.d in sync with us. So, remove
NetBSD specific stuff (which made our scripts more complicated
than necessary).

The NetBSD ident string will be left intact, both for history and
also incase we wish to pull in future versions.
@
text
@d30 9
d42 1
a42 1
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
d109 1
a109 1
	if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
@


1.15
log
@Luke Mewburn has indicated that they (NetBSD) are not interested
in keeping the scripts under rc.d in sync with us. So, begin removal
of NetBSD specific stuff (which made our scripts more complicated
than necessary), starting with the NetBSD KEYWORD.
@
text
@d17 1
a17 9

case ${OSTYPE} in
FreeBSD)
	stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}"
	;;
NetBSD)
	stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
	;;
esac
a31 2
case ${OSTYPE} in
FreeBSD)
a46 17
	;;
NetBSD)
	if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
		warn "/etc/ipf*.conf not readable; ipfilter start aborted."
			#
			# If booting directly to multiuser, send SIGTERM to
			# the parent (/etc/rc) to abort the boot
			#
		if [ "$autoboot" = yes ]; then
			echo "ERROR: ABORTING BOOT (sending SIGTERM to parent)!"
			kill -TERM $$
			exit 1
		fi
		return 1
	fi
	;;
esac
d53 13
a65 26
	case ${OSTYPE} in
	FreeBSD)
		if [ `sysctl -n net.inet.ipf.fr_running` -eq 0 ]; then
			${ipfilter_program:-/sbin/ipf} -E
		fi
		${ipfilter_program:-/sbin/ipf} -Fa
		if [ -r "${ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} \
			    -f "${ipfilter_rules}" ${ipfilter_flags}
		fi
		${ipfilter_program:-/sbin/ipf} -6 -Fa
		if [ -r "${ipv6_ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} -6 \
			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
		fi
		;;
	NetBSD)
		/sbin/ipf -E -Fa
		if [ -f /etc/ipf.conf ]; then
			/sbin/ipf -f /etc/ipf.conf
		fi
		if [ -f /etc/ipf6.conf ]; then
			/sbin/ipf -6 -f /etc/ipf6.conf
		fi
		;;
	esac
d72 4
a75 12
		case ${OSTYPE} in
		FreeBSD)
			echo "Saving firewall state tables"
			${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
			echo "Disabling ipfilter."
			${ipfilter_program:-/sbin/ipf} -D
			;;
		NetBSD)
			echo "Disabling ipfilter."
			/sbin/ipf -D
			;;
		esac
d83 11
a93 28
	case ${OSTYPE} in
	FreeBSD)
		${ipfilter_program:-/sbin/ipf} -I -Fa
		if [ -r "${ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} -I \
			    -f "${ipfilter_rules}" ${ipfilter_flags}
		fi
		${ipfilter_program:-/sbin/ipf} -I -6 -Fa
		if [ -r "${ipv6_ipfilter_rules}" ]; then
			${ipfilter_program:-/sbin/ipf} -I -6 \
			    -f "${ipv6_ipfilter_rules}" ${ipfilter_flags}
		fi
		${ipfilter_program:-/sbin/ipf} -s
		;;
	NetBSD)
		/sbin/ipf -I -Fa
		if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
			err 1 "reload of ipf.conf failed; not swapping to" \
			    " new ruleset."
		fi
		if [ -f /etc/ipf6.conf ] && \
		    ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
			err 1 "reload of ipf6.conf failed; not swapping to" \
			    " new ruleset."
		fi
		/sbin/ipf -s
		;;
	esac
d99 4
a102 8
	case ${OSTYPE} in
	FreeBSD)
		# Don't resync if ipfilter is not loaded
		if ! kldstat -v | grep "IP Filter" > /dev/null 2>&1; then
			 return
		fi
		;;
	esac
@


1.14
log
@Remove trailing whitespace
@
text
@d10 1
a10 1
# KEYWORD: FreeBSD NetBSD
@


1.13
log
@Fix bogon in ipfilter_resync() introduced in my last commit.

Spotted by:	Gennady Proskurin <gpr@@nvnpp.vrn.ru>
@
text
@d84 1
a84 1
		fi 
@


1.12
log
@A number of fixes/enhancements for the ipfilter rc script:
- Use a more robust check to determine if we need to load ipl.ko.
- Don't try to run ipf -E if ipfilter is already enabled.  Look at
  the net.inet.ipf.fr_running sysctl to figure this out.  This fixes
  a warning message about ipfilter being already initialized.
- Only one ipf -E command is needed.  We don't need an extra one for
  the -6 case which would only print a warning message about ipfilter
  being already initialized.
- Fix one occurence where we were running /sbin/ipf directly without
  using the ${ipfilter_program} variable if set.
- In ipfilter_stop(), don't try to save the firewall state tables if
  ipfilter is disabled.  Similarly, don't try to disable it if it's
  already disabled.  This fixes some more error messages.
@
text
@d167 3
a169 1
		[ kldstat -v | grep "IP Filter" > /dev/null 2>&1 ] && return
@


1.11
log
@tty whacking should occur early, but not so early that the
required commands are not on a mounted file system.

Noticed by: bde
@
text
@d43 1
a43 1
	if ! sysctl net.inet.ipf.fr_pass > /dev/null 2>&1; then
d82 4
a85 1
		${ipfilter_program:-/sbin/ipf} -EFa
d90 1
a90 1
		${ipfilter_program:-/sbin/ipf} -6 -EFa
d110 15
a124 11
	case ${OSTYPE} in
	FreeBSD)
		echo "Saving firewall state tables"
		${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags}
		;;
	NetBSD)
		;;
	esac
	# XXX - The following command is not effective for 'lkm's
	echo "Disabling ipfilter."
	/sbin/ipf -D
d167 1
a167 1
		[ sysctl net.inet.ipf.fr_pass > /dev/null 2>&1 ] && return
@


1.10
log
@o Make the 'Ip-filter module loaded' messages informational
o Make 'No ipnat rules' a warning
o Remove unecessary ' ..'

Approved by:	markm (implicit)
@
text
@d8 1
a8 1
# REQUIRE: root beforenetlkm mountcritlocal tty ipmon
@


1.9
log
@Running the script with restart or manually stopping and starting
it doesn't work because the start_cmd doesn't enable ipfilter if
it is currently disabled.

Approved by:	markm (mentor) (implicit)
Submitted by:	Michael Lyngbl <lyngbol@@bifrost.lyngbol.dk>
PR:		conf/46103
@
text
@d45 1
a45 1
			echo 'IP-filter module loaded.'
@


1.8
log
@Make ipfilter, ipnat, ipmon, and ipfs behave more like the old rc.
	o group them together so they run one right after another
	o use the NetBSD supplied ipfs script instead of tacking
	  it on to the end of ipnat
	o Load the ipl module in ipnat and ipfilter, if it's not already
	  loaded
	o In ipmon and ipnat show a warning if neither ipfilter nor
	  ipnat is enabled or the ipl module is not loaded, and exit

Approved by:	markm (mentor) (implicit)
Tested by:	leafy <leafy@@leafy.idv.tw>
@
text
@d82 1
a82 1
		${ipfilter_program:-/sbin/ipf} -Fa
d87 1
a87 1
		${ipfilter_program:-/sbin/ipf} -6 -Fa
@


1.7
log
@add missing `ipf -s'.

Submitted by:	Mark Huizer <xaa+freebsd@@timewasters.nl>
@
text
@d8 2
a9 1
# REQUIRE: root beforenetlkm mountcritlocal tty
d47 1
a47 2
			warn 'IP-filter module failed to load.'
			return 1
@


1.6
log
@Latest IPFilter requires flushing rules for IPv6 separately
from IPv4.
@
text
@d136 1
@


1.5
log
@Add IPv6 setup for ipfilter.  `ipv6_ipfilter_rules' was added
to specify rules definition file for ipfilter.  The default is
/etc/ipf6.rules.  If there is a file which is specified by
'ipv6_ipfilter_rules', IPv6 rule is installed.

Reviewed by:	Ronald van der Pol <Ronald.vanderPol@@rvdp.org>
MFC after:	1 week
@
text
@d87 1
d131 1
@


1.4
log
@Fix style bugs:
* Space -> tabs conversion.
* Removed blanks before semicolon in "if ... ; then".
* Proper indentation of misindented lines.
* Put a full stop after some comments.
* Removed whitespace at end of line.

Approved by:	silence from gordon
@
text
@d19 1
a19 1
	stop_precmd="test -f ${ipfilter_rules}"
d52 2
a53 1
	if [ ! -r "${ipfilter_rules}" ]; then
d82 9
a90 2
		${ipfilter_program:-/sbin/ipf} -Fa -f \
		    "${ipfilter_rules}" ${ipfilter_flags}
d125 9
a133 2
		${ipfilter_program:-/sbin/ipf} -I -Fa -f \
		    "${ipfilter_rules}" ${ipfilter_flags}
@


1.3
log
@Convert from `${CMD_OSTYPE}` to ${OSTYPE}. This saves a shell invocation on
OS-dependent case switches.
@
text
@d43 1
a43 1
		if kldload ipl ; then
d82 1
a82 1
	    	    "${ipfilter_rules}" ${ipfilter_flags}
d118 1
a118 1
	    	    "${ipfilter_rules}" ${ipfilter_flags}
@


1.2
log
@Merge in all the changes that Mike Makonnen has been maintaining for a
while. This is only the script pieces, the glue for the build comes next.

Submitted by:	Mike Makonnen <makonnen@@pacbell.net>
Reviewed by:	silence on -current and -hackers
Prodded by:	rwatson
@
text
@d17 1
a17 1
case `${CMD_OSTYPE}` in
d39 1
a39 1
case `${CMD_OSTYPE}` in
d79 1
a79 1
	case `${CMD_OSTYPE}` in
d98 1
a98 1
	case `${CMD_OSTYPE}` in
d115 1
a115 1
	case `${CMD_OSTYPE}` in
d139 1
a139 1
	case `${CMD_OSTYPE}` in
@


1.1
log
@Initial revision
@
text
@d3 2
a4 1
# $NetBSD: ipfilter,v 1.8 2000/10/01 05:58:06 lukem Exp $
d9 1
d14 12
a25 1
rcvar=$name
a27 1
stop_precmd="test -f /etc/ipf.conf -o -f /etc/ipf6.conf"
d31 2
d35 1
a35 1
extra_commands="reload status"
d39 19
d71 2
d79 15
a93 7
	/sbin/ipf -E -Fa
	if [ -f /etc/ipf.conf ]; then
		/sbin/ipf -f /etc/ipf.conf
	fi
	if [ -f /etc/ipf6.conf ]; then
		/sbin/ipf -6 -f /etc/ipf6.conf
	fi
d98 9
d115 31
a145 8
	/sbin/ipf -I -Fa
	if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
		err 1 "reload of ipf.conf failed; not swapping to new ruleset."
	fi
	if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
		err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
	fi
	/sbin/ipf -s
d150 1
a150 1
	/sbin/ipf -V
a152 1
load_rc_config $name
@


1.1.1.1
log
@Import the NetBSD 1.5 RC system.

Note that `rc' and `rc.shutdown' could not be imported because we already
have files with those names.
@
text
@@


1.1.1.2
log
@Sync with NetBSD's mainline.
@
text
@d3 1
a3 1
# $NetBSD: ipfilter,v 1.9 2000/10/09 06:11:38 nisimura Exp $
a18 2
resync_precmd="$stop_precmd"
resync_cmd="ipfilter_resync"
d21 1
a21 1
extra_commands="reload resync status"
a70 5
}

ipfilter_resync()
{
	/sbin/ipf -y
@

