authorCy Schubert <cy@FreeBSD.org>2024-10-30 19:28:31 +0000
committerCy Schubert <cy@FreeBSD.org>2024-11-01 18:08:14 +0000
commit8d6feaaaa26f444abb209360e52b993e39cb81bb (patch)
tree9616020d34493081dbcd7250b1258bf1409e5761
parent055b41056ef7a54d0a75ba5c9049fc0bd34a8b26 (diff)
ipfilter: Set ipf -T optionlist at boot
There is no easy way to set ipfilter optionlist variables during boot. Add plumbing to the rc script to support this. PR: 130555 Reviewed by: jlduran MFC 1 week Differential Revision: https://reviews.freebsd.org/D47346
-rw-r--r--libexec/rc/rc.conf1
-rwxr-xr-xlibexec/rc/rc.d/ipfilter8
2 files changed, 8 insertions, 1 deletions
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 8f585bc02856..a21c587dcc07 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -214,6 +214,7 @@ ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
# /usr/src/contrib/ipfilter/rules for examples
ipfilter_flags="" # additional flags for ipfilter
+ipfilter_optionlist="" # optionlist for ipf(8) -T
ippool_enable="NO" # Set to YES to enable ip filter pools
ippool_program="/sbin/ippool" # where the ippool program lives
ippool_rules="/etc/ippool.tables" # rules definition file for ippool
diff --git a/libexec/rc/rc.d/ipfilter b/libexec/rc/rc.d/ipfilter
index d0cb09ab527c..9b64fcff0c7a 100755
--- a/libexec/rc/rc.d/ipfilter
+++ b/libexec/rc/rc.d/ipfilter
@@ -33,7 +33,13 @@ required_modules="ipl:ipfilter"
ipfilter_start()
{
echo "Enabling ipfilter."
- if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
+ if [ -n "${ifilter_optionlist}" ]; then
+ if ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
+ ${ipfilter_program:-/sbin/ipf} -D
+ fi
+ ${ipfilter_program:-/sbin/ipf} -T "${ipfilter_optionlist}"
+ ${ipfilter_program:-/sbin/ipf} -E
+ elif ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes'; then
${ipfilter_program:-/sbin/ipf} -E
fi
${ipfilter_program:-/sbin/ipf} -Fa
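Review bot: The new guard `if [ -n "${ifilter_optionlist}" ]; then` tests a misspelled variable, so with `ipfilter_optionlist` set in rc.conf the `-T` branch is never taken and the script silently falls through to the old `-E`-only path; it should read `if [ -n "${ipfilter_optionlist}" ]; then`. Two further points in the same branch: the exit status of the `-T` call is not checked before `-E`, so a malformed option list still ends with the filter enabled under whatever tunables did or did not apply — `${ipfilter_program:-/sbin/ipf} -T "${ipfilter_optionlist}" || return 1` would at least surface the failure. When the filter is already running, the branch issues `-D` before `-T` and `-E`, which leaves a short window with no filtering on a restart; whether that is acceptable presumably depends on whether `-T` can be applied to a running filter, which I cannot tell from this hunk. ipfilter_start continues past the end of the hunk.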