Index: stable/12/libexec/rc/rc.d/ipfilter
===================================================================
--- stable/12/libexec/rc/rc.d/ipfilter (revision 364356)
+++ stable/12/libexec/rc/rc.d/ipfilter (revision 364357)
@@ -1,90 +1,91 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: ipfilter # REQUIRE: FILESYSTEMS +# BEFORE: ipmon ipnat netif netwait securelevel # KEYWORD: nojailvnet . /etc/rc.subr name="ipfilter" desc="IP packet filter" rcvar="ipfilter_enable" load_rc_config $name stop_precmd="test -f ${ipfilter_rules} -o -f ${ipv6_ipfilter_rules}" start_precmd="$stop_precmd" start_cmd="ipfilter_start" stop_cmd="ipfilter_stop" reload_precmd="$stop_precmd" reload_cmd="ipfilter_reload" resync_precmd="$stop_precmd" resync_cmd="ipfilter_resync" status_precmd="$stop_precmd" status_cmd="ipfilter_status" extra_commands="reload resync" required_modules="ipl:ipfilter" ipfilter_start() { echo "Enabling ipfilter." if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then ${ipfilter_program:-/sbin/ipf} -E fi ${ipfilter_program:-/sbin/ipf} -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} \ -f "${ipfilter_rules}" ${ipfilter_flags} fi if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -6 \ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} fi } ipfilter_stop() { if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then echo "Saving firewall state tables" ${ipfs_program:-/sbin/ipfs} -W ${ipfs_flags} echo "Disabling ipfilter." ${ipfilter_program:-/sbin/ipf} -D fi } ipfilter_reload() { echo "Reloading ipfilter rules." ${ipfilter_program:-/sbin/ipf} -I -Fa if [ -r "${ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -I \ -f "${ipfilter_rules}" ${ipfilter_flags} if [ $? -ne 0 ]; then err 1 'Load of rules into alternate set failed; aborting reload' fi fi if [ -r "${ipv6_ipfilter_rules}" ]; then ${ipfilter_program:-/sbin/ipf} -I -6 \ -f "${ipv6_ipfilter_rules}" ${ipfilter_flags} if [ $? 
-ne 0 ]; then err 1 'Load of IPv6 rules into alternate set failed; aborting reload' fi fi ${ipfilter_program:-/sbin/ipf} -s } ipfilter_resync() { ${ipfilter_program:-/sbin/ipf} -y ${ipfilter_flags} } ipfilter_status() { ${ipfilter_program:-/sbin/ipf} -V } run_rc_command "$1"
Index: stable/12/libexec/rc/rc.d/ipmon
===================================================================
--- stable/12/libexec/rc/rc.d/ipmon (revision 364356)
+++ stable/12/libexec/rc/rc.d/ipmon (revision 364357)
@@ -1,34 +1,34 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: ipmon -# REQUIRE: FILESYSTEMS hostname sysctl ipfilter +# REQUIRE: FILESYSTEMS hostname sysctl # BEFORE: SERVERS # KEYWORD: nojailvnet . /etc/rc.subr name="ipmon" desc="Monitors /dev/ipl for logged packets" rcvar="ipmon_enable" command="/sbin/${name}" start_precmd="ipmon_precmd" ipmon_precmd() { # Continue only if ipfilter or ipnat is enabled and the # ipfilter module is loaded. # if ! checkyesno ipfilter_enable && ! checkyesno ipnat_enable && ! checkyesno rc_force ; then err 1 "${name} requires either ipfilter or ipnat enabled" fi if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes' >/dev/null 2>&1; then err 1 "ipfilter module is not loaded" fi return 0 } load_rc_config $name run_rc_command "$1"
Index: stable/12/libexec/rc/rc.d/ipnat
===================================================================
--- stable/12/libexec/rc/rc.d/ipnat (revision 364356)
+++ stable/12/libexec/rc/rc.d/ipnat (revision 364357)
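Review bot: `ipfilter_start` never checks the exit status of the two `ipf -f` rule loads, so a ruleset that fails to load leaves the filter enabled and flushed (`-E`, then `-Fa`) and the function carries on without a message; `ipfilter_reload` in the same file already aborts with `err 1` in that situation. The added `BEFORE:` line orders this script ahead of netif, presumably so the filter is in place before interfaces are configured, and that only helps if a failed load is visible. I would make both loads report failure, e.g. `-f "${ipfilter_rules}" ${ipfilter_flags} || warn 'Load of ipfilter rules failed'`, and the same for the `-6` load. What traffic passes while the active set is empty depends on the kernel's default policy, which is not visible in this hunk.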
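Review bot: After this change nothing in ipmon says it must start after ipfilter; the ordering now comes only from the `BEFORE:` list added to rc.d/ipfilter, and the same holds for the ipnat, netif, netwait and securelevel hunks that follow. For netif and securelevel that order is presumably security-relevant (filter loaded before interfaces are configured and before the securelevel is raised), so a later edit to ipfilter's `BEFORE:` list could drop it without touching any of these files. I would add a one-line comment to each script's header block, e.g. `# Ordered after ipfilter via the BEFORE: line in rc.d/ipfilter.` Note also that ipnat is left with no `REQUIRE:` line at all, so its place in the boot order depends entirely on that list.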
@@ -1,29 +1,28 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: ipnat -# REQUIRE: ipfilter # KEYWORD: nojailvnet . /etc/rc.subr name="ipnat" desc="user interface to the NAT subsystem" rcvar="ipnat_enable" load_rc_config $name start_cmd="ipnat_start" stop_cmd="${ipnat_program} -F -C" reload_cmd="${ipnat_program} -F -C -f ${ipnat_rules}" extra_commands="reload" required_files="${ipnat_rules}" required_modules="ipl:ipfilter" ipnat_start() { echo "Installing NAT rules." ${ipnat_program} -CF -f ${ipnat_rules} ${ipnat_flags} } run_rc_command "$1"
Index: stable/12/libexec/rc/rc.d/netif
===================================================================
--- stable/12/libexec/rc/rc.d/netif (revision 364356)
+++ stable/12/libexec/rc/rc.d/netif (revision 364357)
@@ -1,272 +1,272 @@ #!/bin/sh # # Copyright (c) 2003 The FreeBSD Project. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE PROJECT ``AS IS'' AND ANY EXPRESS OR # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. # IN NO EVENT SHALL THE PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # $FreeBSD$ # # PROVIDE: netif # REQUIRE: FILESYSTEMS iovctl serial sppp sysctl -# REQUIRE: hostid ipfilter ipfs +# REQUIRE: hostid ipfs # KEYWORD: nojailvnet . /etc/rc.subr . 
/etc/network.subr name="netif" desc="Network interface setup" rcvar="${name}_enable" start_cmd="netif_start" stop_cmd="netif_stop" wlanup_cmd="wlan_up" wlandown_cmd="wlan_down" cloneup_cmd="clone_up" clonedown_cmd="clone_down" clear_cmd="doclear" vnetup_cmd="vnet_up" vnetdown_cmd="vnet_down" extra_commands="cloneup clonedown clear vnetup vnetdown" cmdifn= set_rcvar_obsolete ipv6_enable ipv6_activate_all_interfaces set_rcvar_obsolete ipv6_prefer netif_start() { local _if # Set the list of interfaces to work on. # cmdifn=$* if [ -z "$cmdifn" ]; then # # We're operating as a general network start routine. # # disable SIGINT (Ctrl-c) when running at startup trap : 2 fi # Create IEEE802.11 interface wlan_up $cmdifn # Create cloned interfaces clone_up $cmdifn # Rename interfaces. ifnet_rename $cmdifn # Configure the interface(s). netif_common ifn_start $cmdifn if [ -f /etc/rc.d/ipfilter ] ; then # Resync ipfilter /etc/rc.d/ipfilter quietresync fi if [ -f /etc/rc.d/bridge -a -n "$cmdifn" ] ; then /etc/rc.d/bridge start $cmdifn fi if [ -f /etc/rc.d/routing -a -n "$cmdifn" ] ; then for _if in $cmdifn; do /etc/rc.d/routing static any $_if done fi } netif_stop() { _clone_down=1 _wlan_down=1 netif_stop0 $* } doclear() { _clone_down= _wlan_down= netif_stop0 $* } netif_stop0() { local _if # Set the list of interfaces to work on. # cmdifn=$* # Deconfigure the interface(s) netif_common ifn_stop $cmdifn # Destroy wlan interfaces if [ -n "$_wlan_down" ]; then wlan_down $cmdifn fi # Destroy cloned interfaces if [ -n "$_clone_down" ]; then clone_down $cmdifn fi if [ -f /etc/rc.d/routing -a -n "$cmdifn" ] ; then for _if in $cmdifn; do /etc/rc.d/routing stop any $_if done fi } vnet_up() { cmdifn=$* netif_common ifn_vnetup $cmdifn } vnet_down() { cmdifn=$* netif_common ifn_vnetdown $cmdifn } # netif_common routine # Common configuration subroutine for network interfaces. This # routine takes all the preparatory steps needed for configuriing # an interface and then calls $routine. 
netif_common() { local _cooked_list _tmp_list _fail _func _ok _str _cmdifn _func= if [ -z "$1" ]; then err 1 "netif_common(): No function name specified." else _func="$1" shift fi # Set the scope of the command (all interfaces or just one). # _cooked_list= _tmp_list= _cmdifn=$* if [ -n "$_cmdifn" ]; then # Don't check that the interface(s) exist. We need to run # the down code even when the interface doesn't exist to # kill off wpa_supplicant. # XXXBED: is this really true or does wpa_supplicant die? # if so, we should get rid of the devd entry _cooked_list="$_cmdifn" else _cooked_list="`list_net_interfaces`" fi # Expand epair[0-9] to epair[0-9][ab]. for ifn in $_cooked_list; do case ${ifn#epair} in [0-9]*[ab]) ;; # Skip epair[0-9]*[ab]. [0-9]*) for _str in $_cooked_list; do case $_str in $ifn) _tmp_list="$_tmp_list ${ifn}a ${ifn}b" ;; *) _tmp_list="$_tmp_list ${ifn}" ;; esac done _cooked_list=${_tmp_list# } ;; esac done _dadwait= _fail= _ok= for ifn in ${_cooked_list# }; do # Skip if ifn does not exist. case $_func in ifn_stop) if ! ${IFCONFIG_CMD} $ifn > /dev/null 2>&1; then warn "$ifn does not exist. Skipped." _fail="${_fail} ${ifn}" continue fi ;; esac if ${_func} ${ifn} $2; then _ok="${_ok} ${ifn}" if ipv6if ${ifn}; then _dadwait=1 fi else _fail="${_fail} ${ifn}" fi done # inet6 address configuration needs sleep for DAD. case ${_func}:${_dadwait} in ifn_start:1|ifn_vnetup:1|ifn_vnetdown:1) sleep `${SYSCTL_N} net.inet6.ip6.dad_count` sleep 1 ;; esac _str= if [ -n "${_ok}" ]; then case ${_func} in ifn_start) _str='Starting' ;; ifn_stop) _str='Stopping' ;; ifn_vnetup) _str='Moving' ;; ifn_vnetdown) _str='Reclaiming' ;; esac echo "${_str} Network:${_ok}." case ${_func} in ifn_vnetup) # Clear _ok not to do "ifconfig $ifn" # because $ifn is no longer in the current vnet. 
_ok= ;; esac if check_startmsgs; then for ifn in ${_ok}; do /sbin/ifconfig ${ifn} done fi fi debug "The following interfaces were not configured: $_fail" } # Load the old "network" config file also for compatibility. # This is needed for mfsBSD at least. load_rc_config network load_rc_config $name run_rc_command $*
Index: stable/12/libexec/rc/rc.d/netwait
===================================================================
--- stable/12/libexec/rc/rc.d/netwait (revision 364356)
+++ stable/12/libexec/rc/rc.d/netwait (revision 364357)
@@ -1,116 +1,116 @@ #!/bin/sh # $FreeBSD$ # # PROVIDE: netwait -# REQUIRE: devd ipfilter ipfw pf routing +# REQUIRE: devd ipfw pf routing # KEYWORD: nojail # # The netwait script helps handle two situations: # - Systems with USB or other late-attaching network hardware which # is initialized by devd events. The script waits for all the # interfaces named in the netwait_if list to appear. # - Systems with statically-configured IP addresses in rc.conf(5). # The IP addresses in the netwait_ip list are pinged. The script # waits for any single IP in the list to respond to the ping. If your # system uses DHCP, you should probably use synchronous_dhclient="YES" # in your /etc/rc.conf instead of netwait_ip. # Either or both of the wait lists can be used (at least one must be # non-empty if netwait is enabled). . /etc/rc.subr name="netwait" desc="Wait for network devices or the network being up" rcvar="netwait_enable" start_cmd="${name}_start" stop_cmd=":" netwait_start() { local ip rc count output link wait_if got_if any_error if [ -z "${netwait_if}" ] && [ -z "${netwait_ip}" ]; then err 1 "No interface or IP addresses listed, nothing to wait for" fi if [ ${netwait_timeout} -lt 1 ]; then err 1 "netwait_timeout must be >= 1" fi if [ -n "${netwait_if}" ]; then any_error=0 for wait_if in ${netwait_if}; do echo -n "Waiting for ${wait_if}" link="" got_if=0 count=1 # Handle SIGINT (Ctrl-C); force abort of while() loop trap break SIGINT while [ ${count} -le ${netwait_if_timeout} ]; do if output=`/sbin/ifconfig ${wait_if} 2>/dev/null`; then if [ ${got_if} -eq 0 ]; then echo -n ", interface present" got_if=1 fi link=`expr "${output}" : '.*[[:blank:]]status: \(no carrier\)'` if [ -z "${link}" ]; then echo ', got link.' break fi fi sleep 1 count=$((count+1)) done # Restore default SIGINT handler trap - SIGINT if [ ${got_if} -eq 0 ]; then echo ", wait failed: interface never appeared." any_error=1 elif [ -n "${link}" ]; then echo ", wait failed: interface still has no link." 
any_error=1 fi done if [ ${any_error} -eq 1 ]; then warn "Continuing with startup, but be aware you may not have " warn "a fully functional networking layer at this point." fi fi if [ -n "${netwait_ip}" ]; then # Handle SIGINT (Ctrl-C); force abort of for() loop trap break SIGINT for ip in ${netwait_ip}; do echo -n "Waiting for ${ip} to respond to ICMP ping" count=1 while [ ${count} -le ${netwait_timeout} ]; do /sbin/ping -t 1 -c 1 -o ${ip} >/dev/null 2>&1 rc=$? if [ $rc -eq 0 ]; then # Restore default SIGINT handler trap - SIGINT echo ', got response.' return fi count=$((count+1)) done echo ', failed: No response from host.' done # Restore default SIGINT handler trap - SIGINT warn "Exhausted IP list. Continuing with startup, but be aware you may" warn "not have a fully functional networking layer at this point." fi } load_rc_config $name run_rc_command "$1"
Index: stable/12/libexec/rc/rc.d/securelevel
===================================================================
--- stable/12/libexec/rc/rc.d/securelevel (revision 364356)
+++ stable/12/libexec/rc/rc.d/securelevel (revision 364357)
@@ -1,30 +1,30 @@ #!/bin/sh # # $FreeBSD$ # # PROVIDE: securelevel -# REQUIRE: adjkerntz ipfw ipfilter pf +# REQUIRE: adjkerntz ipfw pf . /etc/rc.subr name="securelevel" desc="Securelevel configuration" rcvar='kern_securelevel_enable' start_cmd="securelevel_start" stop_cmd=":" # Last chance to set sysctl variables that failed the first time. # /etc/rc.d/sysctl lastload securelevel_start() { if [ ${kern_securelevel} -ge 0 ]; then echo 'Raising kernel security level: ' ${SYSCTL} kern.securelevel=${kern_securelevel} fi } load_rc_config $name run_rc_command "$1"
Index: stable/12
===================================================================
--- stable/12 (revision 364356)
+++ stable/12 (revision 364357)
Property changes on: stable/12
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ## Merged /head:r364133