svn commit: r204325 - in stable/7: etc/defaults etc/rc.d share/man/man5

Thu Feb 25 18:02:52 UTC 2010

Author: emax
Date: Thu Feb 25 18:02:52 2010
New Revision: 204325
URL: http://svn.freebsd.org/changeset/base/204325

Log:
  MFC: r203676
  
  Introduce new rc.conf variable firewall_coscripts. It can be used to
  specify list of executables and/or rc scripts that should be executed
  after firewall starts/stops.
  
  Submitted by:	Yuri Kurenkov <y dot kurenkov at init dot ru>
  Reviewed by:	rhodes, rc@

Modified:
  stable/7/etc/defaults/rc.conf
  stable/7/etc/rc.d/ipfw
  stable/7/share/man/man5/rc.conf.5   (contents, props changed)
Directory Properties:
  stable/7/etc/   (props changed)
  stable/7/share/man/man5/   (props changed)

Modified: stable/7/etc/defaults/rc.conf
==============================================================================

--- stable/7/etc/defaults/rc.conf	Thu Feb 25 16:40:08 2010	(r204324)
+++ stable/7/etc/defaults/rc.conf	Thu Feb 25 18:02:52 2010	(r204325)
@@ -113,6 +113,8 @@ firewall_quiet="NO"		# Set to YES to sup
 firewall_logging="NO"		# Set to YES to enable events logging
 firewall_flags=""		# Flags passed to ipfw when type is a file
 firewall_client_net="192.0.2.0/24" # Network address for "client" firewall.
+firewall_coscripts=""		# List of executables/scripts to run after
+				# firewall starts/stops
 firewall_simple_iif="ed1"	# Inside network interface for "simple"
 				# firewall.
 firewall_simple_inet="192.0.2.16/28" # Inside network address for "simple"

Modified: stable/7/etc/rc.d/ipfw
==============================================================================
--- stable/7/etc/rc.d/ipfw	Thu Feb 25 16:40:08 2010	(r204324)
+++ stable/7/etc/rc.d/ipfw	Thu Feb 25 18:02:52 2010	(r204325)
@@ -15,6 +15,7 @@ name="ipfw"
 rcvar="firewall_enable"
 start_cmd="ipfw_start"
 start_precmd="ipfw_prestart"
+start_postcmd="ipfw_poststart"
 stop_cmd="ipfw_stop"
 required_modules="ipfw"
 
@@ -41,9 +42,6 @@ ipfw_start()
 	[ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall
 
 	if [ -r "${firewall_script}" ]; then
-		if [ -f /etc/rc.d/natd ] ; then
-			/etc/rc.d/natd start
-		fi
 		/bin/sh "${firewall_script}" "${_firewall_type}"
 		echo 'Firewall rules loaded.'
 	elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
@@ -58,6 +56,19 @@ ipfw_start()
 		echo 'Firewall logging enabled.'
 		sysctl net.inet.ip.fw.verbose=1 >/dev/null
 	fi
+}
+
+ipfw_poststart()
+{
+	local	_coscript
+
+	# Start firewall coscripts
+	#
+	for _coscript in ${firewall_coscripts} ; do
+		if [ -f "${_coscript}" ]; then
+			${_coscript} quietstart
+		fi
+	done
 
 	# Enable the firewall
 	#
@@ -66,13 +77,22 @@ ipfw_start()
 
 ipfw_stop()
 {
+	local	_coscript
+
 	# Disable the firewall
 	#
 	${SYSCTL_W} net.inet.ip.fw.enable=0
-	if [ -f /etc/rc.d/natd ] ; then
-		/etc/rc.d/natd stop
-	fi
+
+	# Stop firewall coscripts
+	#
+	for _coscript in `reverse_list ${firewall_coscripts}` ; do
+		if [ -f "${_coscript}" ]; then
+			${_coscript} quietstop
+		fi
+	done
 }
 
 load_rc_config $name
+firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"
+
 run_rc_command $*

Modified: stable/7/share/man/man5/rc.conf.5
==============================================================================
--- stable/7/share/man/man5/rc.conf.5	Thu Feb 25 16:40:08 2010	(r204324)
+++ stable/7/share/man/man5/rc.conf.5	Thu Feb 25 18:02:52 2010	(r204325)
@@ -501,6 +501,10 @@ specifies a filename.
 .Pq Vt str
 The IPv6 equivalent of
 .Va firewall_flags .
+.It Va firewall_coscripts
+.Pq Vt str
+List of executables and/or rc scripts to run after firewall starts/stops.
+Default is empty.
 .\" ----- firewall_nat_enable setting --------------------------------
 .It Va firewall_nat_enable
 .Pq Vt bool
