Add an rc.d script to start pfsync at the right moment of the

system boot, and hook it up in the system. The separate script is needed because in the presence of various interface lists in rc.conf ($network_interfaces, $cloned_interfaces, $sppp_interfaces, $gif_interfaces, more to come) it is hard to start them orderly, so that pfsync is brought up after its syncdev, which is required for the proper startup of pfsync. Discussed with: mlaier on -pf MFC after: 5 days
svn path=/head/; revision=150835
2024-12-21 08:24:10 +01:00 · 2005-10-02 18:59:02 +00:00 · 2005-10-02 18:59:02 +00:00 · c8a0dfab83 · 2020-12-20 02:59:44 +00:00
commit c8a0dfab83
parent 14f9b2291d
5 changed files with 111 additions and 3 deletions
--- a/contrib/pf/man/pfsync.4
+++ b/contrib/pf/man/pfsync.4
@ -129,7 +129,25 @@ dedicated to pfsync messages such as a crossover cable between two firewalls,
 or specify a peer address and protect the traffic with
 .Xr ipsec 4 .
 .Pp
+For
+.Nm
+to start its operation automatically at the system boot time,
+.Va pfsync_enable
+and
+.Va pfsync_syncdev
+variables should be used in
+.Xr rc.conf 5 .
+It is not advisable to set up
+.Nm
+with common network interface configuration variables of
+.Xr rc.conf 5
+because
+.Nm
+must start after its
+.Cm syncdev ,
+which cannot be always ensured in the latter case.
 .\" XXX: not yet!
+.\" .Pp
 .\" There is a one-to-one correspondence between packets seen by
 .\" .Xr bpf 4
 .\" on the
@ -167,14 +185,15 @@ indicated):
 Interfaces configuration in
 .Pa /etc/rc.conf :
 .Bd -literal -offset indent
+network_interfaces="lo0 sis0 sis1 sis2"
 cloned_interfaces="carp0 carp1"
-network_interfaces="lo0 sis0 sis1 sis2 carp0 carp1 pfsync0"
 ifconfig_sis0="10.0.0.254/24"
 ifconfig_sis1="192.168.0.254/24"
 ifconfig_sis2="192.168.254.254/24"
 ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
 ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
-ifconfig_pfsync0="up syncif sis2"
+pfsync_enable="YES"
+pfsync_syncdev="sis2"
 .Ed
 .Pp
 .Xr pf 4
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@ -135,6 +135,9 @@ pflog_enable="NO"		# Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
 pflog_program="/sbin/pflogd"	# where the pflogd program lives
 pflog_flags=""			# additional flags for pflogd
+pfsync_enable="NO"		# Expose pf state to other hosts for syncing
+pfsync_syncdev=""		# Interface for pfsync to work through
+pfsync_ifconfig=""		# Additional options to ifconfig(8) for pfsync
 tcp_extensions="YES"		# Set to NO to turn off RFC1323 extensions.
 log_in_vain="0"			# >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES"		# Enable stale TCP connection timeout (or NO).
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@ -25,7 +25,7 @@ FILES=	DAEMON LOGIN NETWORKING SERVERS \
 	network_ipv6 newsyslog nfsclient nfsd \
 	nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
 	othermta \
-	pccard pcvt pf pflog \
+	pccard pcvt pf pflog pfsync \
 	powerd power_profile ppp-user pppoed pwcheck \
 	quota \
 	ramdisk ramdisk-own random rarpd rcconf.sh resolv root \
--- a/etc/rc.d/pfsync
+++ b/etc/rc.d/pfsync
@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: pfsync
+# REQUIRE: root mountcritlocal netif
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="pfsync"
+rcvar=`set_rcvar`
+start_precmd="pfsync_prestart"
+start_cmd="pfsync_start"
+stop_cmd="pfsync_stop"
+
+pfsync_prestart()
+{
+	case "$pfsync_syncdev" in
+	'')
+		warn "pfsync_syncdev is not set."
+		return 1
+		;;
+	esac
+
+	# load pf kernel module if needed
+	if ! kldstat -q -m pf ; then
+		if kldload pf ; then
+			info "pf module loaded."
+		else
+			warn "pf module failed to load."
+			return 1
+		fi
+	fi
+
+	return 0
+}
+
+pfsync_start()
+{
+	echo "Enabling pfsync."
+	ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
+}
+
+pfsync_stop()
+{
+	echo "Disabling pfsync."
+	ifconfig pfsync0 -syncdev down
+}
+
+load_rc_config $name
+run_rc_command "$1"
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@ -785,6 +785,38 @@ Empty by default.
 This variable contains additional flags passed to the
 .Xr pflogd 8
 program.
+.It Va pfsync_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables exposing
+.Xr pf 4
+state changes to other hosts over the network by means of
+.Xr pfsync 4 .
+The
+.Va pfsync_syncdev
+variable
+must also be set then.
+.It Va pfsync_syncdev
+.Pq Vt str
+Empty by default.
+This variable specifies the name of the network interface
+.Xr pfsync 4
+should operate through.
+It must be set accordingly if
+.Va pfsync_enable
+is set to
+.Dq Li YES .
+.It Va pfsync_ifconfig
+.Pq Vt str
+Empty by default.
+This variable can contain additional options to be passed to the
+.Xr ifconfig 8
+command used to set up
+.Xr pfsync 4 .
 .It Va tcp_extensions
 .Pq Vt bool
 Set to
@ -3323,6 +3355,7 @@ device and the mount point will be changed.
 .Xr kld 4 ,
 .Xr pf 4 ,
 .Xr pflog 4 ,
+.Xr pfsync 4 ,
 .Xr tcp 4 ,
 .Xr udp 4 ,
 .Xr exports 5 ,