HardenedBSD/etc/rc.d/ipmon

#!/bin/sh
#
# $FreeBSD$
#

# PROVIDE: ipmon
# REQUIRE: FILESYSTEMS hostname sysctl ipfilter
# BEFORE:  SERVERS
# KEYWORD: nojail

. /etc/rc.subr

name="ipmon"
desc="Monitors /dev/ipl for logged packets"
rcvar="ipmon_enable"
command="/sbin/${name}"
start_precmd="ipmon_precmd"

ipmon_precmd()
{
	# Continue only if ipfilter or ipnat is enabled and the
	# ipfilter module is loaded.
	#
	if ! checkyesno ipfilter_enable && ! checkyesno ipnat_enable ; then
		err 1  "${name} requires either ipfilter or ipnat enabled"
	fi
	if ! ${ipfilter_program:-/sbin/ipf} -V | grep -q 'Running: yes' >/dev/null 2>&1; then
		err 1 "ipfilter module is not loaded"
	fi
	return 0
}

load_rc_config $name
run_rc_command "$1"
Import the NetBSD 1.5 RC system. Note that `rc' and `rc.shutdown' could not be imported because we already have files with those names. 2001-06-16 09:16:14 +02:00			`#!/bin/sh`
			`#`
Merge in all the changes that Mike Makonnen has been maintaining for a while. This is only the script pieces, the glue for the build comes next. Submitted by: Mike Makonnen <makonnen@pacbell.net> Reviewed by: silence on -current and -hackers Prodded by: rwatson 2002-06-14 00:14:37 +02:00			`# $FreeBSD$`
Import the NetBSD 1.5 RC system. Note that `rc' and `rc.shutdown' could not be imported because we already have files with those names. 2001-06-16 09:16:14 +02:00			`#`

			`# PROVIDE: ipmon`
Remove duplicate FILESYSTEMS REQUIRE 2014-11-30 11:01:47 +01:00			`# REQUIRE: FILESYSTEMS hostname sysctl ipfilter`
Merge in all the changes that Mike Makonnen has been maintaining for a while. This is only the script pieces, the glue for the build comes next. Submitted by: Mike Makonnen <makonnen@pacbell.net> Reviewed by: silence on -current and -hackers Prodded by: rwatson 2002-06-14 00:14:37 +02:00			`# BEFORE: SERVERS`
Remove the requirement for the FreeBSD keyword as it no longer makes any sense. Discussed with: dougb, brooks MFC after: 3 days 2004-10-07 15:55:26 +02:00			`# KEYWORD: nojail`
Import the NetBSD 1.5 RC system. Note that `rc' and `rc.shutdown' could not be imported because we already have files with those names. 2001-06-16 09:16:14 +02:00
			`. /etc/rc.subr`

			`name="ipmon"`
- Add descriptions to most of the rc scripts. Those are mostly taken from their daemon's manpage and probably improved. - Consistently use "filesystem" not "file system". Approved by: bapt, brueffer Differential Revision: D452 2016-04-23 18:10:54 +02:00			`desc="Monitors /dev/ipl for logged packets"`
Prepare for the removal of set_rcvar() by changing the rcvar= assignments to the literal values it would have returned. The concept of set_rcvar() was nice in theory, but the forks it creates are a drag on the startup process, which is especially noticeable on slower systems, such as embedded ones. During the discussion on freebsd-rc@ a preference was expressed for using ${name}_enable instead of the literal values. However the code portability concept doesn't really apply since there are so many other places where the literal name has to be searched for and replaced. Also, using the literal value is also a tiny bit faster than dereferencing the variables, and every little bit helps. 2012-01-14 03:18:41 +01:00			`rcvar="ipmon_enable"`
Use ${name} in pathnames where appropriate. The sendmail script already was on this way, but it didn't reach the end of it yet. 2005-10-28 18:55:38 +02:00			`command="/sbin/${name}"`
Luke Mewburn has indicated that they (NetBSD) are not interested in keeping the scripts under rc.d in sync with us. So, remove NetBSD specific stuff (which made our scripts more complicated than necessary). The NetBSD ident string will be left intact, both for history and also incase we wish to pull in future versions. 2004-01-17 11:40:45 +01:00			`start_precmd="ipmon_precmd"`
Merge in all the changes that Mike Makonnen has been maintaining for a while. This is only the script pieces, the glue for the build comes next. Submitted by: Mike Makonnen <makonnen@pacbell.net> Reviewed by: silence on -current and -hackers Prodded by: rwatson 2002-06-14 00:14:37 +02:00
			`ipmon_precmd()`
			`{`
Make ipfilter, ipnat, ipmon, and ipfs behave more like the old rc. o group them together so they run one right after another o use the NetBSD supplied ipfs script instead of tacking it on to the end of ipnat o Load the ipl module in ipnat and ipfilter, if it's not already loaded o In ipmon and ipnat show a warning if neither ipfilter nor ipnat is enabled or the ipl module is not loaded, and exit Approved by: markm (mentor) (implicit) Tested by: leafy <leafy@leafy.idv.tw> 2003-04-24 10:20:47 +02:00			`# Continue only if ipfilter or ipnat is enabled and the`
			`# ipfilter module is loaded.`
			`#`
Allow starting /etc/rc.d/ipmon if ipnat is enabled but ipfilter is not (in /etc/rc.conf). This fixes an apparent confusion between test(1) and sh(1) syntax for AND/OR. PR: conf/149036 Submitted by: pluknet MFC after: 1 week 2010-08-01 17:41:00 +02:00			`if ! checkyesno ipfilter_enable && ! checkyesno ipnat_enable ; then`
Make ipfilter, ipnat, ipmon, and ipfs behave more like the old rc. o group them together so they run one right after another o use the NetBSD supplied ipfs script instead of tacking it on to the end of ipnat o Load the ipl module in ipnat and ipfilter, if it's not already loaded o In ipmon and ipnat show a warning if neither ipfilter nor ipnat is enabled or the ipl module is not loaded, and exit Approved by: markm (mentor) (implicit) Tested by: leafy <leafy@leafy.idv.tw> 2003-04-24 10:20:47 +02:00			`err 1 "${name} requires either ipfilter or ipnat enabled"`
			`fi`
ipfilter 5.1.2 no longer supports sysctl. Use ipf -V to determine if available (the kernel module is loaded or compiled into the kernel). Approved by: glebius (mentor) Approved by: re (blanket) 2013-09-10 15:48:33 +02:00			`if ! ${ipfilter_program:-/sbin/ipf} -V \| grep -q 'Running: yes' >/dev/null 2>&1; then`
Make ipfilter, ipnat, ipmon, and ipfs behave more like the old rc. o group them together so they run one right after another o use the NetBSD supplied ipfs script instead of tacking it on to the end of ipnat o Load the ipl module in ipnat and ipfilter, if it's not already loaded o In ipmon and ipnat show a warning if neither ipfilter nor ipnat is enabled or the ipl module is not loaded, and exit Approved by: markm (mentor) (implicit) Tested by: leafy <leafy@leafy.idv.tw> 2003-04-24 10:20:47 +02:00			`err 1 "ipfilter module is not loaded"`
Fix style bugs: * Space -> tabs conversion. * Removed blanks before semicolon in "if ... ; then". * Proper indentation of misindented lines. * Put a full stop after some comments. * Removed whitespace at end of line. Approved by: silence from gordon 2002-10-12 12:31:31 +02:00			`fi`
Merge in all the changes that Mike Makonnen has been maintaining for a while. This is only the script pieces, the glue for the build comes next. Submitted by: Mike Makonnen <makonnen@pacbell.net> Reviewed by: silence on -current and -hackers Prodded by: rwatson 2002-06-14 00:14:37 +02:00			`return 0`
			`}`
Import the NetBSD 1.5 RC system. Note that `rc' and `rc.shutdown' could not be imported because we already have files with those names. 2001-06-16 09:16:14 +02:00
			`load_rc_config $name`
			`run_rc_command "$1"`