git: 6739198793e4 - stable/13 - ipfilter: Set ipf -T optionlist at boot
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 19 Nov 2024 00:28:12 UTC
The branch stable/13 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=6739198793e469f9f9c414ddad49b7c0e08eb03e commit 6739198793e469f9f9c414ddad49b7c0e08eb03e Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2024-10-30 19:28:31 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2024-11-19 00:27:06 +0000 ipfilter: Set ipf -T optionlist at boot There is no easy way to set ipfilter optionlist variables during boot. Add plumbing to the rc script to support this. PR: 130555 Reviewed by: jlduran Differential Revision: https://reviews.freebsd.org/D47346 (cherry picked from commit 8d6feaaaa26f444abb209360e52b993e39cb81bb) --- libexec/rc/rc.conf | 1 + libexec/rc/rc.d/ipfilter | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 6c9a58ff72c1..5e70aa5cbc06 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf @@ -217,6 +217,7 @@ ipfilter_program="/sbin/ipf" # where the ipfilter program lives ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="" # additional flags for ipfilter +ipfilter_optionlist="" # optionlist for ipf(8) -T ippool_enable="NO" # Set to YES to enable ip filter pools ippool_program="/sbin/ippool" # where the ippool program lives ippool_rules="/etc/ippool.tables" # rules definition file for ippool diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter index 816db50540ff..de406f8e1740 100755 --- a/libexec/rc/rc.d/ipfilter +++ b/libexec/rc/rc.d/ipfilter @@ -30,7 +30,13 @@ required_modules="ipl:ipfilter" ipfilter_start() { echo "Enabling ipfilter." - if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then + if [ -n "${ifilter_optionlist}" ]; then + if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then + ${ipfilter_program:-/sbin/ipf} -D + fi + ${ipfilter_program:-/sbin/ipf} -T "${ipfilter_optionlist}" + ${ipfilter_program:-/sbin/ipf} -E + elif ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then ${ipfilter_program:-/sbin/ipf} -E fi ${ipfilter_program:-/sbin/ipf} -Fa