xref: /freebsd/libexec/rc/rc.d/pf (revision f99f0ee14e3af81c23150a6a340259ca8a33d01a)

#!/bin/sh
#
#

# PROVIDE: pf
# REQUIRE: FILESYSTEMS netif pflog pfsync routing
# KEYWORD: nojailvnet

. /etc/rc.subr

name="pf"
desc="Packet filter"
rcvar="pf_enable"
load_rc_config $name
start_cmd="pf_start"
stop_cmd="pf_stop"
check_cmd="pf_check"
reload_cmd="pf_reload"
resync_cmd="pf_resync"
status_cmd="pf_status"
extra_commands="check reload resync"
required_files="$pf_rules"
required_modules="pf"

# doesn't make sense to run in a svcj: config setting
pf_svcj="NO"

pf_fallback()
{
	warn "Unable to load $pf_rules."

	if ! checkyesno pf_fallback_rules_enable; then
		return
	fi

	if [ -f $pf_fallback_rules_file ]; then
		warn "Loading fallback rules file: $pf_fallback_rules_file"
		$pf_program -f "$pf_fallback_rules_file" $pf_flags
	else
		warn "Loading fallback rules: $pf_fallback_rules"
		echo $pf_fallback_rules | $pf_program -f - $pf_flags
	fi
}

pf_start()
{
	startmsg -n 'Enabling pf'
	$pf_program -F all > /dev/null 2>&1
	$pf_program -f "$pf_rules" $pf_flags || pf_fallback
	if ! $pf_program -s info | grep -q "Enabled" ; then
		$pf_program -eq
	fi
	startmsg '.'
}

pf_stop()
{
	if $pf_program -s info | grep -q "Enabled" ; then
		echo -n 'Disabling pf'
		$pf_program -dq
		echo '.'
	fi
}

pf_check()
{
	echo "Checking pf rules."
	$pf_program -n -f "$pf_rules" $pf_flags
}

pf_reload()
{
	echo "Reloading pf rules."
	pf_resync
}

pf_resync()
{
	$pf_program -n -f "$pf_rules" $pf_flags || return 1
	$pf_program -f "$pf_rules" $pf_flags
}

pf_status()
{
	if ! [ -c /dev/pf ] ; then
		echo "pf.ko is not loaded"
		return 1
	else
		$pf_program -s info
		$pf_program -s Running >/dev/null
	fi
}

run_rc_command "$1"