* Conditionalize flushing of IPv4 vs IPv6 rules based on the existance

of the appropriate configuration file. Based on PR 28757 from Jason White. * Add comments explaining why we flush separately from the reload (backwards compat with older ipf(8) binaries).
2004-12-23 03:31:54 +00:00 · 2004-12-23 03:31:54 +00:00 · eca6f3c39f
commit eca6f3c39f
parent 3c75d39ba0
1 changed files with 28 additions and 6 deletions
--- a/etc/rc.d/ipfilter
+++ b/etc/rc.d/ipfilter
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: ipfilter,v 1.13 2004/11/08 02:09:01 lukem Exp $
+# $NetBSD: ipfilter,v 1.14 2004/12/23 03:31:54 lukem Exp $
 #

 # PROVIDE: ipfilter
@ -26,7 +26,7 @@ ipfilter_prestart()
 {
 	if [ ! -f /etc/ipf.conf ] && [ ! -f /etc/ipf6.conf ]; then
 		warn "/etc/ipf*.conf not readable; ipfilter start aborted."
-			#
+
 			# If booting directly to multiuser, send SIGTERM to
 			# the parent (/etc/rc) to abort the boot
 			#
@ -44,8 +44,18 @@ ipfilter_start()
 {
 	echo "Enabling ipfilter."
 	/sbin/ipf -E
-	/sbin/ipf -Fa
-	/sbin/ipf -6 -Fa
+
+		# Do the flush first; since older ipf has different semantics.
+		#
+	if [ -f /etc/ipf.conf ]; then
+		/sbin/ipf -Fa
+	fi
+	if [ -f /etc/ipf6.conf ]; then
+		/sbin/ipf -6 -Fa
+	fi
+
+		# Now load the config files
+		#
 	if [ -f /etc/ipf.conf ]; then
 		/sbin/ipf -f /etc/ipf.conf
 	fi
@ -64,14 +74,26 @@ ipfilter_reload()
 {
 	echo "Reloading ipfilter rules."

-	/sbin/ipf -I -Fa
-	/sbin/ipf -6 -I -Fa
+		# Do the flush first; since older ipf has different semantics.
+		#
+	if [ -f /etc/ipf.conf ]; then
+		/sbin/ipf -I -Fa
+	fi
+	if [ -f /etc/ipf6.conf ]; then
+		/sbin/ipf -6 -I -Fa
+	fi
+
+		# Now load the config files into the Inactive set
+		#
 	if [ -f /etc/ipf.conf ] && ! /sbin/ipf -I -f /etc/ipf.conf; then
 		err 1 "reload of ipf.conf failed; not swapping to new ruleset."
 	fi
 	if [ -f /etc/ipf6.conf ] && ! /sbin/ipf -I -6 -f /etc/ipf6.conf; then
 		err 1 "reload of ipf6.conf failed; not swapping to new ruleset."
 	fi
+		
+		# Swap in the new rules
+		#
 	/sbin/ipf -s
 }