Date: Fri, 1 Nov 2024 18:08:40 GMT
Message-Id: <202411011808.4A1I8euY092847@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: 8d6feaaaa26f - main - ipfilter: Set ipf -T optionlist at boot
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 8d6feaaaa26f444abb209360e52b993e39cb81bb

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=8d6feaaaa26f444abb209360e52b993e39cb81bb

commit 8d6feaaaa26f444abb209360e52b993e39cb81bb
Author: Cy Schubert
AuthorDate: 2024-10-30 19:28:31 +0000
Commit: Cy Schubert
CommitDate: 2024-11-01 18:08:14 +0000

    ipfilter: Set ipf -T optionlist at boot

    There is no easy way to set ipfilter optionlist variables during
    boot. Add plumbing to the rc script to support this.

    PR: 130555
    Reviewed by: jlduran
    MFC 1 week
    Differential Revision: https://reviews.freebsd.org/D47346

--- libexec/rc/rc.conf | 1 + libexec/rc/rc.d/ipfilter | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 8f585bc02856..a21c587dcc07 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf @@ -214,6 +214,7 @@ ipfilter_program="/sbin/ipf" # where the ipfilter program lives ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see # /usr/src/contrib/ipfilter/rules for examples ipfilter_flags="" # additional flags for ipfilter +ipfilter_optionlist="" # optionlist for ipf(8) -T ippool_enable="NO" # Set to YES to enable ip filter pools ippool_program="/sbin/ippool" # where the ippool program lives ippool_rules="/etc/ippool.tables" # rules definition file for ippool 
diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter index d0cb09ab527c..9b64fcff0c7a 100755 --- a/libexec/rc/rc.d/ipfilter +++ b/libexec/rc/rc.d/ipfilter @@ -33,7 +33,13 @@ required_modules="ipl:ipfilter" ipfilter_start() { echo "Enabling ipfilter." - if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then + if [ -n "${ifilter_optionlist}" ]; then + if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then + ${ipfilter_program:-/sbin/ipf} -D + fi + ${ipfilter_program:-/sbin/ipf} -T "${ipfilter_optionlist}" + ${ipfilter_program:-/sbin/ipf} -E + elif ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then ${ipfilter_program:-/sbin/ipf} -E fi ${ipfilter_program:-/sbin/ipf} -Fa
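
Review bot: in the libexec/rc/rc.conf hunk, the new `ipfilter_optionlist=""` default is documented only by the inline comment "optionlist for ipf(8) -T", and the diffstat lists no manual page change alongside it. Suggest documenting the variable where the other ipfilter_* knobs are described, and stating there that a non-empty value makes the rc script run `ipf -D` on an already running filter before applying the options and re-enabling it with `ipf -E`, since that side effect is not obvious from the variable name.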
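
Review bot: in the libexec/rc/rc.d/ipfilter hunk, the guard at the top of ipfilter_start() tests `"${ifilter_optionlist}"` (missing the "p"), while rc.conf defines `ipfilter_optionlist` and the `-T` line two statements later uses that spelling. The misspelled variable is never set, so `[ -n ... ]` is always false, the new -D / -T / -E branch never runs, and the script falls through to the `elif` with the configured option list silently ignored. Change the test to `[ -n "${ipfilter_optionlist}" ]`. Once the branch is reachable, `ipf -E` runs regardless of whether the `-T` call succeeded, so a rejected option list would go unnoticed at boot; checking the exit status of the `-T` call and emitting a warning would make that visible.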