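#!/sbin/sh
#
# ident "%Z%%M% %I% %E% SMI"
#
# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# SMF method script for IP Filter.
#
# Usage: ipfilter (start|stop|reload|reipf|reipnat|pause|resume)
#
# Loads the ipf / ipf6 / ipnat / ippool rule files from /etc/ipf,
# manages the pfild and ipmon daemons, and reports back to SMF with the
# exit codes supplied by smf_include.sh.  The script targets the Solaris
# Bourne shell (/sbin/sh): no $(...), local, [[ ]] or ! pipelines.
#

. /lib/svc/share/smf_include.sh

PATH=${PATH}:/usr/sbin:/usr/lib/ipf
PIDFILE=/etc/ipf/ipmon.pid
IPFILCONF=/etc/ipf/ipf.conf
IP6FILCONF=/etc/ipf/ipf6.conf
IPNATCONF=/etc/ipf/ipnat.conf
IPPOOLCONF=/etc/ipf/ippool.conf
PFILCHECKED=no

#
# Locate the running ipmon: prefer the pid file, fall back to pgrep.
# The pid file is only honoured when it holds a single non-negative
# integer; any other content (empty, truncated, garbage) is treated as
# "no pid known" so a damaged file can never point kill(1) at an
# unrelated process.
#
if [ -f "$PIDFILE" ] ; then
	pid=`cat "$PIDFILE" 2>/dev/null`
	case "$pid" in
	''|*[!0-9]*) pid= ;;
	esac
else
	pid=`pgrep ipmon`
fi
# pgrep may return several pids, one per line; $pfildpid and $pid are
# deliberately expanded unquoted in the kill commands below so that
# each pid becomes its own argument.
pfildpid=`pgrep pfild`

#
# logmsg MESSAGE
#   Record MESSAGE via syslog (daemon.warning, tag "ipfilter") and echo
#   it to stderr so it also lands in the SMF service log.
#
logmsg()
{
	logger -p daemon.warning -t ipfilter "$1"
	echo "$1" >&2
}

#
# checkpfil
#   Verify that the pfil module is present and plumbed on at least one
#   interface; exit with SMF_EXIT_ERR_CONFIG otherwise.  The check is
#   performed once per invocation and cached in PFILCHECKED.
#
checkpfil()
{
	if [ "$PFILCHECKED" = yes ] ; then
		return
	fi
	# Only the exit status is of interest; discard stdout and stderr
	# (redirection order matters: ">/dev/null 2>&1" silences both).
	if /usr/sbin/ndd /dev/pfil \? >/dev/null 2>&1 ; then
		:
	else
		logmsg "pfil not available to support ipfilter"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	realnic=`/sbin/ifconfig -a modlist 2>/dev/null | grep -c pfil`
	if [ "${realnic:-0}" -eq 0 ] ; then
		logmsg "pfil not plumbed on any network interfaces."
		logmsg "No network traffic will be filtered."
		logmsg "See ipfilter(5) for more information."
		exit $SMF_EXIT_ERR_CONFIG
	fi
	PFILCHECKED=yes
}

#
# load_ipf
#   Load the IPv4 and IPv6 rule files (each only if readable) into the
#   inactive rule set and swap sets only when every load succeeded, so
#   a syntax error never leaves the box with a half-loaded policy.
#   Returns 0 on success, 1 if any load failed (active set untouched).
#
load_ipf() {
	bad=0
	if [ -r "$IPFILCONF" ]; then
		checkpfil
		if ipf -IFa -f "$IPFILCONF" >/dev/null ; then
			:
		else
			logmsg "$0: load of ${IPFILCONF} into alternate set failed"
			bad=1
		fi
	fi
	if [ -r "$IP6FILCONF" ]; then
		checkpfil
		if ipf -6IFa -f "$IP6FILCONF" >/dev/null ; then
			:
		else
			logmsg "$0: load of ${IP6FILCONF} into alternate set failed"
			bad=1
		fi
	fi
	if [ "$bad" -eq 0 ] ; then
		ipf -s -y >/dev/null
		return 0
	fi
	logmsg "Not switching config due to load error."
	return 1
}

#
# load_ipnat
#   Replace the NAT rules from IPNATCONF if it is readable and resync
#   ipf afterwards.  Returns 0 on success or when there is no file,
#   1 if the load failed.
#
load_ipnat() {
	if [ -r "$IPNATCONF" ]; then
		checkpfil
		if ipnat -CF -f "$IPNATCONF" >/dev/null ; then
			ipf -y >/dev/null
			return 0
		fi
		logmsg "$0: load of ${IPNATCONF} failed"
		return 1
	fi
	return 0
}

#
# load_ippool
#   Flush and reload the address pools from IPPOOLCONF if it is
#   readable.  Returns 0 on success or when there is no file, 1 if the
#   load failed.
#
load_ippool() {
	if [ -r "$IPPOOLCONF" ]; then
		checkpfil
		ippool -F >/dev/null
		if ippool -f "$IPPOOLCONF" >/dev/null ; then
			return 0
		fi
		logmsg "$0: load of ${IPPOOLCONF} failed"
		return 1
	fi
	return 0
}

case "$1" in
start)
	# No IPv4 rule file: the service is a no-op, not an error.
	[ ! -f "$IPFILCONF" ] && exit 0
	[ -n "$pfildpid" ] && kill -TERM $pfildpid 2>/dev/null
	[ -n "$pid" ] && kill -TERM $pid 2>/dev/null
	/usr/sbin/pfild >/dev/null
	if load_ippool && load_ipf && load_ipnat ; then
		/usr/sbin/ipmon -Ds
	else
		exit $SMF_EXIT_ERR_CONFIG
	fi
	;;

stop)
	[ -n "$pfildpid" ] && kill -TERM $pfildpid
	[ -n "$pid" ] && kill -TERM $pid
	;;

pause)
	ipfs -l
	ipfs -NS -w
	ipf -D
	if [ -f "$PIDFILE" ] ; then
		if [ -n "$pid" ] && kill -0 $pid 2>/dev/null ; then
			kill -TERM $pid
		else
			# Stale or empty pid file: truncate it.
			cp /dev/null "$PIDFILE"
		fi
	fi
	;;

resume)
	ipf -E
	ipfs -R
	# NOTE(review): load failures are logged (syslog + stderr) but do
	# not alter the exit status here, in reload, reipf or reipnat;
	# confirm whether SMF should be told about them.
	load_ippool
	load_ipf
	load_ipnat
	if [ -f "$PIDFILE" ] && [ -n "$pid" ] ; then
		/usr/sbin/ipmon -Ds
	fi
	;;

reload)
	load_ippool
	load_ipf
	load_ipnat
	;;

reipf)
	load_ipf
	;;

reipnat)
	load_ipnat
	;;

*)
	echo "Usage: $0 \c" >&2
	echo "(start|stop|reload|reipf|reipnat|pause|resume)" >&2
	exit 1
	;;

esac
exit $SMF_EXIT_OK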