Add an rc.d script to start pfsync at the right moment of the
system boot, and hook it up in the system.

The separate script is needed because in the presence of various
interface lists in rc.conf ($network_interfaces, $cloned_interfaces,
$sppp_interfaces, $gif_interfaces, more to come) it is hard to start
them orderly, so that pfsync is brought up after its syncdev, which
is required for the proper startup of pfsync.

Discussed with:	mlaier on -pf
MFC after:	5 days
This commit is contained in:
Yaroslav Tykhiy 2005-10-02 18:59:02 +00:00
parent 14f9b2291d
commit c8a0dfab83
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=150835
5 changed files with 111 additions and 3 deletions
contrib/pf/man
etc
share/man/man5


@ -129,7 +129,25 @@ dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with or specify a peer address and protect the traffic with
.Xr ipsec 4 . .Xr ipsec 4 .
.Pp .Pp
For
.Nm
to start its operation automatically at the system boot time,
.Va pfsync_enable
and
.Va pfsync_syncdev
variables should be used in
.Xr rc.conf 5 .
It is not advisable to set up
.Nm
with common network interface configuration variables of
.Xr rc.conf 5
because
.Nm
must start after its
.Cm syncdev ,
which cannot be always ensured in the latter case.
.\" XXX: not yet! .\" XXX: not yet!
.\" .Pp
.\" There is a one-to-one correspondence between packets seen by .\" There is a one-to-one correspondence between packets seen by
.\" .Xr bpf 4 .\" .Xr bpf 4
.\" on the .\" on the
@ -167,14 +185,15 @@ indicated):
Interfaces configuration in Interfaces configuration in
.Pa /etc/rc.conf : .Pa /etc/rc.conf :
.Bd -literal -offset indent .Bd -literal -offset indent
network_interfaces="lo0 sis0 sis1 sis2"
cloned_interfaces="carp0 carp1" cloned_interfaces="carp0 carp1"
network_interfaces="lo0 sis0 sis1 sis2 carp0 carp1 pfsync0"
ifconfig_sis0="10.0.0.254/24" ifconfig_sis0="10.0.0.254/24"
ifconfig_sis1="192.168.0.254/24" ifconfig_sis1="192.168.0.254/24"
ifconfig_sis2="192.168.254.254/24" ifconfig_sis2="192.168.254.254/24"
ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24" ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24" ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
ifconfig_pfsync0="up syncif sis2" pfsync_enable="YES"
pfsync_syncdev="sis2"
.Ed .Ed
.Pp .Pp
.Xr pf 4 .Xr pf 4
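Review bot: replacing ifconfig_pfsync0="up syncif sis2" with pfsync_enable/pfsync_syncdev matches the new text above, but the block is still introduced as "Interfaces configuration in /etc/rc.conf" while it now mixes interface variables with a service-style enable knob; a short sentence after .Ed saying that pfsync0 is brought up by the rc.d pfsync script rather than by the interface startup would prevent readers from adding pfsync0 back to network_interfaces. The choice of sis2 (192.168.254.254/24) as syncdev is consistent with the earlier advice to keep pfsync traffic on a dedicated network, so the example still illustrates that point.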


@ -135,6 +135,9 @@ pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd pflog_flags="" # additional flags for pflogd
pfsync_enable="NO" # Expose pf state to other hosts for syncing
pfsync_syncdev="" # Interface for pfsync to work through
pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync
tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions. tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
log_in_vain="0" # >=1 to log connects to ports w/o listeners. log_in_vain="0" # >=1 to log connects to ports w/o listeners.
tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO). tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
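Review bot: the comment on pfsync_syncdev does not say it is mandatory, yet rc.d/pfsync's prestart warns and refuses to start when it is empty; marking it in the comment (e.g. "# Interface for pfsync to work through (required when pfsync_enable=YES)") makes the dependency visible in the file users actually edit. The pfsync_ifconfig comment is fine as is, since rc.conf(5) documents it in the same commit.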


@ -25,7 +25,7 @@ FILES= DAEMON LOGIN NETWORKING SERVERS \
network_ipv6 newsyslog nfsclient nfsd \ network_ipv6 newsyslog nfsclient nfsd \
nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \ nfslocking nfsserver nisdomain nsswitch ntpd ntpdate \
othermta \ othermta \
pccard pcvt pf pflog \ pccard pcvt pf pflog pfsync \
powerd power_profile ppp-user pppoed pwcheck \ powerd power_profile ppp-user pppoed pwcheck \
quota \ quota \
ramdisk ramdisk-own random rarpd rcconf.sh resolv root \ ramdisk ramdisk-own random rarpd rcconf.sh resolv root \

etc/rc.d/pfsync Normal file

@ -0,0 +1,53 @@
#!/bin/sh
#
# $FreeBSD$
#
# PROVIDE: pfsync
# REQUIRE: root mountcritlocal netif
# KEYWORD: nojail
. /etc/rc.subr
name="pfsync"
rcvar=`set_rcvar`
start_precmd="pfsync_prestart"
start_cmd="pfsync_start"
stop_cmd="pfsync_stop"
pfsync_prestart()
{
case "$pfsync_syncdev" in
'')
warn "pfsync_syncdev is not set."
return 1
;;
esac
# load pf kernel module if needed
if ! kldstat -q -m pf ; then
if kldload pf ; then
info "pf module loaded."
else
warn "pf module failed to load."
return 1
fi
fi
return 0
}
pfsync_start()
{
echo "Enabling pfsync."
ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
}
pfsync_stop()
{
echo "Disabling pfsync."
ifconfig pfsync0 -syncdev down
}
load_rc_config $name
run_rc_command "$1"
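Review bot: pfsync_prestart only checks that $pfsync_syncdev is non-empty, not that the named interface exists, so a typo in rc.conf surfaces as a bare ifconfig error from pfsync_start rather than a warn from the script; since the whole reason for this separate script is getting the syncdev ordering right, add an existence check after the case statement, e.g. `ifconfig "$pfsync_syncdev" > /dev/null 2>&1 || { warn "pfsync_syncdev $pfsync_syncdev does not exist."; return 1; }`. Minor: quote "$pfsync_syncdev" in both ifconfig calls; $pfsync_ifconfig is correctly left unquoted because it is meant to be word-split into separate options.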


@ -785,6 +785,38 @@ Empty by default.
This variable contains additional flags passed to the This variable contains additional flags passed to the
.Xr pflogd 8 .Xr pflogd 8
program. program.
.It Va pfsync_enable
.Pq Vt bool
Set to
.Dq Li NO
by default.
Setting this to
.Dq Li YES
enables exposing
.Xr pf 4
state changes to other hosts over the network by means of
.Xr pfsync 4 .
The
.Va pfsync_syncdev
variable
must also be set then.
.It Va pfsync_syncdev
.Pq Vt str
Empty by default.
This variable specifies the name of the network interface
.Xr pfsync 4
should operate through.
It must be set accordingly if
.Va pfsync_enable
is set to
.Dq Li YES .
.It Va pfsync_ifconfig
.Pq Vt str
Empty by default.
This variable can contain additional options to be passed to the
.Xr ifconfig 8
command used to set up
.Xr pfsync 4 .
.It Va tcp_extensions .It Va tcp_extensions
.Pq Vt bool .Pq Vt bool
Set to Set to
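Review bot: the pfsync_syncdev entry says it "must be set accordingly" but not what happens otherwise; state that the pfsync startup script warns and does not start when the variable is empty, which is the behaviour of pfsync_prestart in etc/rc.d/pfsync. In the pfsync_enable entry, "variable must also be set then" reads better as "variable must also be set", and the line break after "variable" is stray.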
@ -3323,6 +3355,7 @@ device and the mount point will be changed.
.Xr kld 4 , .Xr kld 4 ,
.Xr pf 4 , .Xr pf 4 ,
.Xr pflog 4 , .Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr tcp 4 , .Xr tcp 4 ,
.Xr udp 4 , .Xr udp 4 ,
.Xr exports 5 , .Xr exports 5 ,