| Commit message | Author | Age | Files | Lines |
This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.
Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466
Notes:
svn path=/head/; revision=336845
In the pf rc.d script the output of `/etc/rc.d/pf status` or
`/etc/rc.d/pf onestatus` always provided an exit status of zero. This made it
fiddly to programmatically determine if pf was running or not.
Return a non-zero status if the pf module is not loaded, extend pfctl to have
an option to return an error status if pf is not enabled.
PR: 228632
Submitted by: James Park-Watt <jimmypw AT gmail.com>
MFC after: 1 week
Notes:
svn path=/head/; revision=334726
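The exit-status behaviour this commit describes, shown as an added example; it is not the FreeBSD rc.d/pf script and not pfctl code. It assumes that the first line of `pfctl -s info` begins with "Status: Enabled" or "Status: Disabled" (the text passed in is constructed here so the check runs offline), and that a missing `/dev/pf` means the module is not loaded; the function names `pf_enabled_from_info` and `pf_status_code` and the return codes 1 (not loaded) and 2 (disabled) are this example's own choices.

```shell
#!/bin/sh
# Added example (not the FreeBSD rc.d/pf script): a pf status check whose
# exit status a script can branch on, instead of the always-zero status the
# commit above fixed.  Function and variable names are this example's own.

# pf_enabled_from_info INFO_TEXT
# INFO_TEXT is the output of `pfctl -s info`, whose first line starts with
# "Status: Enabled ..." or "Status: Disabled ...".  Returns 0 when pf is
# enabled, 1 otherwise.
pf_enabled_from_info() {
	printf '%s\n' "$1" | sed -n '1p' | grep -q '^Status: Enabled'
}

# pf_status_code DEVICE INFO_TEXT
# DEVICE is the pf device node (/dev/pf on a real system); INFO_TEXT is the
# `pfctl -s info` output.  Returns 1 when the pf module is not loaded (no
# character device), 2 when pf is loaded but disabled, 0 when it is enabled.
pf_status_code() {
	_dev=$1
	_info=$2
	if [ ! -c "$_dev" ]; then
		echo "pf.ko is not loaded"
		return 1
	fi
	if pf_enabled_from_info "$_info"; then
		echo "pf is enabled"
		return 0
	fi
	echo "pf is disabled"
	return 2
}

# Constructed sample outputs in the shape of the first line of `pfctl -s info`.
SAMPLE_ENABLED='Status: Enabled for 0 days 00:10:00           Debug: Urgent'
SAMPLE_DISABLED='Status: Disabled for 0 days 00:10:00          Debug: Urgent'

# Typical use from another script (the device is /dev/pf on a real host):
#   pf_status_code /dev/pf "$(pfctl -s info)" >/dev/null; rc=$?
#   case $rc in 0) ... enabled ;; 1) ... not loaded ;; 2) ... disabled ;; esac
```

Keeping the device check separate from the "enabled" check matters for monitoring: a missing module and a loaded-but-disabled pf are different failure states, and a caller that only tests for zero would otherwise treat "wide open because the module never loaded" the same as "loaded, rules present, but switched off".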
The reload and resync commands for the startup script do exactly the same
thing, so implement one as a call to the other.
MFC after: 3 weeks
Notes:
svn path=/head/; revision=331546
When checking the validity of the pf.conf file also include the user supplied
pf_flags. These flags might overrule macros or specify anchors, which we will
apply when actually applying the pf.conf file, so we must also take them into
account when verifying the validity.
Submitted by: Andreas Longwitz <longwitz at incore.de>
MFC after: 3 weeks
Notes:
svn path=/head/; revision=330108
pfctl only takes the last '-F' argument into account, so this never did what
was intended.
Moreover, there is no reason to flush rules before reloading, because pf keeps
track of the rule which created a given state. That means that existing
connections will keep being processed according to the rule which originally
created them. Simply reloading the (new) rules suffices. The new rules will
apply to new connections.
PR: 127814
Submitted by: Andreas Longwitz <longwitz at incore.de>
MFC after: 3 weeks
Notes:
svn path=/head/; revision=330105
After some tests, here are the services that run in a vnet jail:
- defaultroute
- dhclient
- ip6addrctl
- natd
- pf
- pfsync
- pflog (daemon runs, pflog0 interface usable, but /var/log/pflog not filled)
- rarpd
- route6d (does nothing anyway because obsolete)
- routed (does nothing anyway because obsolete)
- rtsold
- static_arp
- static_ndp
PR: 220530
Submitted by: olivier@freebsd.org
Notes:
svn path=/head/; revision=320802
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".
Approved by: bapt, brueffer
Differential Revision: D452
Notes:
svn path=/head/; revision=298514
Check if pf.ko is loaded (i.e. /dev/pf exists) before trying to use it. This
means that '/etc/rc.d/pf status' will no longer return 'pfctl: /dev/pf: No such
file or directory' but 'pf.ko is not loaded'.
PR: 205671
Submitted by: Johannes Jost Meixner <xmj@FreeBSD.org>
Notes:
svn path=/head/; revision=297315
assignments to the literal values it would have returned.
The concept of set_rcvar() was nice in theory, but the forks
it creates are a drag on the startup process, which is especially
noticeable on slower systems, such as embedded ones.
During the discussion on freebsd-rc@ a preference was expressed for
using ${name}_enable instead of the literal values. However the
code portability concept doesn't really apply since there are so
many other places where the literal name has to be searched for
and replaced. Also, using the literal value is a tiny bit faster than
dereferencing the variables, and every little bit helps.
Notes:
svn path=/head/; revision=230099
Submitted by: wxs
Notes:
svn path=/head/; revision=222007
Notes:
svn path=/head/; revision=216499
employ a more generic solution, and use it in the individual rc.d scripts
that also have an $rc_quiet test:
1. Add check_startmsgs() to rc.subr.
2. In the rc.d scripts that use rc_quiet (and rc.subr) substitute
variations of [ -z "$rc_quiet" ] with check_startmsgs
3. In savecore add a trailing '.' to the end of the message to make it
more consistent with other scripts.
4. In newsyslog remove a : before the terminal '.' since we do not expect
there to be anything printed out in between to make it more consistent.
5. In the following scripts change "quotes" to 'quotes' where no variables
exist in the message: savecore pf newsyslog
6. In the following scripts substitute if/then/fi for the simpler (and
more consistent) check_startmsgs &&: faith stf
7. In the following scripts separate the "Starting foo:" from the terminal
'.' to make them more consistent: moused hostname pf
8. In nfsclient move the message to its own line to avoid a style bug
9. In pf rc_quiet does not apply to the _stop method, so remove the
test there.
10. In motd add 'quotes' around the terminal '.' for consistency
Notes:
svn path=/head/; revision=197947
allow them to start after netif. There were too many problems reported
with this change in the short period of time that it lived in HEAD, and
we are too late in the release cycle to properly shake it out.
IMO the issue of having the firewalls up before the network is still a
valid concern, particularly for pf whose default state is wide open.
However properly solving this issue is going to take some investment
on the part of the people who actually use those tools.
This is not a strict reversion of all the changes for r193198 since it
also included some simplification of the BEFORE/REQUIRE logic which is
still valid for ipfilter and ip6fw.
Notes:
svn path=/head/; revision=195026
already does. This eliminates a logical inconsistency, and a small
window where the system is open after the network comes up.
Notes:
svn path=/head/; revision=193198
Notes:
svn path=/head/; revision=180563
information in quiet mode.
Notes:
svn path=/head/; revision=180440
Notes:
svn path=/head/; revision=168531
and takes over mountcritlocal's role as the early / late divider. This
makes it far easier to add rc scripts which need to run early, such as a
startup script for zfs, which is right around the corner.
This change should be a no-op; I have verified that the only change in
rcorder's output is the insertion of FILESYSTEMS immediately after
mountcritlocal.
MFC after: 3 weeks
Notes:
svn path=/head/; revision=168283
cases. So we get rid of quite a few lines of duplicated code.
Notes:
svn path=/head/; revision=165683
Notes:
svn path=/head/; revision=159243
> > There is no need to explicitly add "status" to $extra_commands in
> > the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
> > run_rc_command() because of the existing $pf_program.
> >
> > Submitted by: Christoph Schug <chris@schug.net>
...because as yar@ points out: "[...] you were relying on evil
side-effects of the variable being named *_program. Those side-effects
have been eliminated since rc.subr rev. 1.42. [...] The point is that
the default "status" method is for rc.d scripts that handle startup and
shutdown of conventional daemons, and not for custom tasks like the pf
case."
The change is still valid in RELENG_6 (and still doesn't have to be
backed out) as long as rc.subr:r1.42 is not MFC'ed to RELENG_6, too.
Notes:
svn path=/head/; revision=152271
the /etc/rc.d/pf script as it is implicitly added by /etc/rc.subr's
run_rc_command() because of the existing $pf_program.
Submitted by: Christoph Schug <chris@schug.net>
MFC after: 1 week
Notes:
svn path=/head/; revision=152016
Reduce code duplication.
Follow the current style of rc.d scripting.
Notes:
svn path=/head/; revision=150839
Start before routing for better system protection.
(pf used to start late during system boot, after
many a network daemon had started already, which
sucked from security POV.)
Remark: For maximum security, pf should start before
netif, but it would create a dependency loop because
pfsync has to start after netif, yet before pf.
Discussed with: mlaier on -pf
MFC after: 5 days
Notes:
svn path=/head/; revision=150836
No objections from: mlaier
Notes:
svn path=/head/; revision=150516
entries that way when rules are read in, it doesn't break established
connections.
Approved by: mlaier
Reviewed by: rc
MFC after: 3 weeks
Notes:
svn path=/head/; revision=144638
- Before flushing rules in 'reload' command, check first if rules are
correct.
- Do not duplicate checking if $pf_rules file exists.
Notes:
svn path=/head/; revision=136942
makes any sense.
Discussed with: dougb, brooks
MFC after: 3 days
Notes:
svn path=/head/; revision=136224
dependency to it from our rc.d scripts.
Approved by: mtm
Notes:
svn path=/head/; revision=135306
startup. Moreover, this is the "more logical" order.
Notes:
svn path=/head/; revision=130954
rc.conf(5) and put a sample entry to newsyslog.conf
Reviewed by: -current
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=127759
Update defaults and write some lines for rc.conf(5) also.
Mostly dup'ed from ipf
Reviewed by: -current
Approved by: bms(mentor)
Notes:
svn path=/head/; revision=127342