Patch to have ipfw0 work properly in jails

Rudy (bulk address) crapsh at monkeybrains.net
Tue Feb 12 07:24:20 UTC 2019


Never submitted a patch... is this good enough?

Problem: ipfw logs in a way that is confusing in jails (it logs to the
host syslogd)
Solution: use ipfw0 and make sure to fix up syslog and launch tcpdump if
firewall_logif is set in rc.conf

Thanks,
Rudy


--- /etc/rc.d/ipfw.orig 2019-02-11 23:19:09.074313000 -0800
+++ /etc/rc.d/ipfw      2019-02-11 23:17:37.675032000 -0800
@@ -65,8 +65,23 @@
                ${SYSCTL} net.inet.ip.fw.verbose=1 >/dev/null
        fi
        if checkyesno firewall_logif; then
-               ifconfig ipfw0 create
-               echo 'Firewall logging pseudo-interface (ipfw0) created.'
+    if ! ifconfig ipfw0 > /dev/null 2> /dev/null; then
+      ifconfig ipfw0 create
+                 echo 'Firewall logging pseudo-interface (ipfw0) created.'
+      # have tcpdump listen to ipfw and send info to logger
+      /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www
-p security.info &
+      echo "ipfw0 redirecting to syslog"
+    elif ! killall -0 tcpdump 2> /dev/null; then
+      # no tcpdump running... launch it!
+      /usr/sbin/tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www
-p security.info &
+      echo "ipfw0 redirecting to syslog"
+    fi
+    fwverbose=`sysctl -n net.inet.ip.fw.verbose`
+    if [ $fwverbose == 1 ]; then
+      # turn down for what ... I mean, turn off verbose so ipfw0 is used.
+      sysctl net.inet.ip.fw.verbose=0 > /dev/null
+      echo "verbose logging off and redirecting to ipfw0"
+    fi
        fi
 }
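Review bot: the two `tcpdump -lnti ipfw0 2> /dev/null | /usr/bin/logger -t www` lines have been wrapped by the mail client, so `-p security.info &` shows up as a standalone `-` (deletion) line in both branches and the hunk will not apply with patch(1); please resend the diff as an attachment or with line wrapping disabled. On those same lines the logger tag `-t www` is misleading for firewall traffic; `-t ipfw` would match the `ipfw:` prefix the kernel already uses when net.inet.ip.fw.verbose is on. The `elif ! killall -0 tcpdump` test matches any tcpdump on the system, including an operator's interactive capture, so the ipfw0-to-syslog pipeline is silently skipped whenever some other tcpdump happens to be running; recording the pipeline's own PID (for example by starting it under `daemon -p <pidfile>`) and checking that file is more reliable, and it also gives a stop path something to kill, which nothing in this patch does for the backgrounded pipeline. `[ $fwverbose == 1 ]` uses `==`, which is not a POSIX test(1) operator; `[ "$fwverbose" -eq 1 ]` is the portable form. Because the context line `${SYSCTL} net.inet.ip.fw.verbose=1` is executed when firewall_logging is set and the new block immediately resets it to 0 when firewall_logif is set, the two rc.conf knobs become mutually exclusive with only an echo to say so; either document that in rc.conf(5) or refuse to proceed when both are enabled. Finally, the added lines are indented with spaces while the surrounding script uses tabs, and the identical tcpdump/logger invocation in both branches could be a single shell function.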
