git: 6739198793e4 - stable/13 - ipfilter: Set ipf -T optionlist at boot

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Tue, 19 Nov 2024 00:28:12 UTC
The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=6739198793e469f9f9c414ddad49b7c0e08eb03e

commit 6739198793e469f9f9c414ddad49b7c0e08eb03e
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-10-30 19:28:31 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-11-19 00:27:06 +0000

    ipfilter: Set ipf -T optionlist at boot
    
    There is no easy way to set ipfilter optionlist variables during boot.
    Add plumbing to the rc script to support this.
    
    PR:                     130555
    Reviewed by:            jlduran
    Differential Revision:  https://reviews.freebsd.org/D47346
    
    (cherry picked from commit 8d6feaaaa26f444abb209360e52b993e39cb81bb)
---
 libexec/rc/rc.conf       | 1 +
 libexec/rc/rc.d/ipfilter | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 6c9a58ff72c1..5e70aa5cbc06 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -217,6 +217,7 @@ ipfilter_program="/sbin/ipf"	# where the ipfilter program lives
 ipfilter_rules="/etc/ipf.rules"	# rules definition file for ipfilter, see
 				# /usr/src/contrib/ipfilter/rules for examples
 ipfilter_flags=""		# additional flags for ipfilter
+ipfilter_optionlist=""		# optionlist for ipf(8) -T
 ippool_enable="NO"		# Set to YES to enable ip filter pools
 ippool_program="/sbin/ippool"	# where the ippool program lives
 ippool_rules="/etc/ippool.tables"	# rules definition file for ippool
diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter
index 816db50540ff..de406f8e1740 100755
--- a/libexec/rc/rc.d/ipfilter
+++ b/libexec/rc/rc.d/ipfilter
@@ -30,7 +30,13 @@ required_modules="ipl:ipfilter"
 ipfilter_start()
 {
 	echo "Enabling ipfilter."
-	if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
+	if [ -n "${ifilter_optionlist}" ]; then
+		if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
+			${ipfilter_program:-/sbin/ipf} -D
+		fi
+		${ipfilter_program:-/sbin/ipf} -T "${ipfilter_optionlist}"
+		${ipfilter_program:-/sbin/ipf} -E
+	elif ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
 		${ipfilter_program:-/sbin/ipf} -E
 	fi
 	${ipfilter_program:-/sbin/ipf} -Fa
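Review bot: The new guard tests `${ifilter_optionlist}` (missing the `p`), while the rc.conf hunk defines `ipfilter_optionlist`, so the branch is skipped and the configured tunables are never applied at boot; it should read `if [ -n "${ipfilter_optionlist}" ]; then`. Once the branch is reachable, it runs `ipf -D` on an already-running filter before `-T` and `-E`, so there is a short interval in which the filter is disabled and traffic is presumably not filtered; that deserves a comment and a mention in the knob's documentation. The exit status of `ipf -T` is also ignored, so a malformed optionlist would re-enable the filter with default tunables and no diagnostic. Something like `${ipfilter_program:-/sbin/ipf} -T "${ipfilter_optionlist}" || warn "ipf -T failed; tunables left at defaults"` would surface that. The body of ipfilter_start continues past the end of this hunk, so later handling is not visible here.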