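#!/sbin/sh
#
# ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# SMF method script for the ipfilter service: loads the ipf/ipnat/ippool
# rule files, starts pfild and ipmon, and handles pause/resume/reload.
#

# Expected to define the SMF_EXIT_* status codes used below.
. /lib/svc/share/smf_include.sh

# NOTE(review): this script runs as root and invokes ipf, ipnat, ippool and
# ipfs by bare name, yet the system directories are appended after whatever
# PATH was inherited rather than placed first.  SMF normally hands methods a
# fixed PATH, so this only matters when the script is run by hand - confirm.
PATH=${PATH}:/usr/sbin:/usr/lib/ipf
PIDFILE=/var/run/ipmon.pid
IPFILCONF=/etc/ipf/ipf.conf
IP6FILCONF=/etc/ipf/ipf6.conf
IPNATCONF=/etc/ipf/ipnat.conf
IPPOOLCONF=/etc/ipf/ippool.conf
PFILCHECKED=no

#
# Print the pid recorded in $PIDFILE, or nothing when the file is missing,
# empty, or does not hold a single positive decimal integer.  The value is
# later passed to "kill -TERM", so anything else (a negative number, "0",
# extra words) is rejected rather than turning into a process-group or
# broadcast signal sent by root.
#
ipmon_pid_from_file()
{
	_pid=`cat "$PIDFILE" 2>/dev/null`
	case "$_pid" in
	''|*[!0-9]*)
		# missing, empty, or contains a non-digit (including newlines)
		return 0
		;;
	esac
	case "$_pid" in
	*[!0]*)
		# at least one non-zero digit, so the value is > 0
		echo "$_pid"
		;;
	esac
	return 0
}

# The pidfile is authoritative when present; otherwise fall back to pgrep.
# -x matches the command name exactly, so an unrelated process whose name
# merely contains "ipmon" or "pfild" is never signalled.
if [ -f "$PIDFILE" ] ; then
	pid=`ipmon_pid_from_file`
else
	pid=`pgrep -x ipmon`
fi
pfildpid=`pgrep -x pfild`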
26
#
# Report a warning both to syslog (facility daemon, tag "ipfilter") and to
# this script's own stderr, which SMF captures in the service log.
#   $1 - message text
#
logmsg()
{
	_msg=$1
	# syslog first, then the method's stderr
	logger -p daemon.warning -t ipfilter "$_msg"
	echo "$_msg" 1>&2
}
32
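#
# Verify, once per invocation, that the pfil module is usable: /dev/pfil
# must answer ndd, and pfil must be pushed on at least one interface
# (otherwise rules would load but nothing would be filtered).  On failure
# the reason is logged and the script exits with SMF_EXIT_ERR_CONFIG; once
# the check has passed, later calls return immediately.
#
checkpfil()
{
	if [ "$PFILCHECKED" = yes ] ; then
		return
	fi
	# Only the exit status matters; discard both stdout and stderr
	# (stdout must be redirected before stderr is duplicated onto it).
	/usr/sbin/ndd /dev/pfil \? >/dev/null 2>&1
	if [ $? -ne 0 ] ; then
		logmsg "pfil not available to support ipfilter"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	# Number of interfaces whose module list mentions pfil.
	realnic=`/sbin/ifconfig -a modlist 2>/dev/null | grep -c pfil`
	if [ "${realnic:-0}" -eq 0 ] ; then
		logmsg "pfil not plumbed on any network interfaces."
		logmsg "No network traffic will be filtered."
		logmsg "See ipfilter(5) for more information."
		exit $SMF_EXIT_ERR_CONFIG
	fi
	PFILCHECKED=yes
}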
52
53
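#
# Load the IPv4 and IPv6 rule files (each only if readable) into the
# alternate rule set and, only when every load succeeded, switch to it
# with "ipf -s".  A failed load therefore leaves the active rules as they
# were.  Returns 0 on success or when no rule file exists, 1 on any load
# failure.  Calls checkpfil, which exits the script if pfil is unusable.
#
load_ipf() {
	bad=0
	if [ -r "${IPFILCONF}" ]; then
		checkpfil
		# -I targets the alternate (inactive) set, as the message says.
		ipf -IFa -f "${IPFILCONF}" >/dev/null
		if [ $? -ne 0 ]; then
			echo "$0: load of ${IPFILCONF} into alternate set failed"
			bad=1
		fi
	fi
	if [ -r "${IP6FILCONF}" ]; then
		checkpfil
		ipf -6IFa -f "${IP6FILCONF}" >/dev/null
		if [ $? -ne 0 ]; then
			# name the IPv6 file, not the IPv4 one
			echo "$0: load of ${IP6FILCONF} into alternate set failed"
			bad=1
		fi
	fi
	if [ $bad -eq 0 ] ; then
		# -s switches to the freshly loaded set; -y presumably
		# resyncs interface state (see ipf(1M)).
		ipf -s -y >/dev/null
		return 0
	fi
	echo "Not switching config due to load error."
	return 1
}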
80
81
#
# Load the NAT rule file, if there is a readable one, replacing the
# current NAT rules, then resync ipf.  Returns 0 when the file is absent
# or loaded cleanly, 1 when ipnat rejected it.  Calls checkpfil, which
# exits the script if pfil is unusable.
#
load_ipnat() {
	# Nothing to do without a NAT rule file.
	[ -r "${IPNATCONF}" ] || return 0
	checkpfil
	if ipnat -CF -f "${IPNATCONF}" >/dev/null; then
		ipf -y >/dev/null
		return 0
	fi
	echo "$0: load of ${IPNATCONF} failed"
	return 1
}
97
98
#
# Flush the existing address pools and load the pool file, if there is a
# readable one.  Returns 0 when the file is absent or loaded cleanly, 1
# when ippool rejected it.  Calls checkpfil, which exits the script if
# pfil is unusable.
#
# NOTE(review): unlike load_ipf, which fills an alternate set and only then
# switches, this flushes the live pools before loading, so a rejected file
# leaves the pools empty while the active rules may still refer to them.
# Confirm whether that window is acceptable.
#
load_ippool() {
	[ -r "${IPPOOLCONF}" ] || return 0
	checkpfil
	# The flush's own status is not checked; only the load decides.
	ippool -F >/dev/null
	if ippool -f "${IPPOOLCONF}" >/dev/null; then
		return 0
	fi
	echo "$0: load of ${IPPOOLCONF} failed"
	return 1
}
114
115
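#
# Method dispatch.  $1 is the SMF method name; anything else prints usage
# and exits 1.  Rule-load failures in "start" become SMF_EXIT_ERR_CONFIG
# (via checkpfil or the load_* results); every other path ends in
# SMF_EXIT_OK.  $pid and $pfildpid are deliberately left unquoted in the
# kill commands: when they come from pgrep they may hold several pids.
#
case "$1" in
	start)
		# Without an IPv4 rule file the service comes online as a no-op.
		[ ! -f "${IPFILCONF}" ] && exit 0
		# Replace any pfild/ipmon left over from a previous run.
		[ -n "$pfildpid" ] && kill -TERM $pfildpid 2>/dev/null
		[ -n "$pid" ] && kill -TERM $pid 2>/dev/null
		/usr/sbin/pfild >/dev/null
		if load_ippool && load_ipf && load_ipnat ; then
			# Filtering is already active here, so a logger that
			# fails to start is reported but does not fail the
			# method.
			/usr/sbin/ipmon -Ds
			if [ $? -ne 0 ] ; then
				logmsg "ipmon failed to start; filter events will not be logged"
			fi
		else
			exit $SMF_EXIT_ERR_CONFIG
		fi
		;;

	stop)
		# Errors from kill (e.g. a stale pid) are left visible in the log.
		[ -n "$pfildpid" ] && kill -TERM $pfildpid
		[ -n "$pid" ] && kill -TERM $pid
		;;

	pause)
		# Save state, disable filtering, and stop ipmon if it is
		# still running; an empty pidfile records that it is not.
		ipfs -l
		ipfs -NS -w
		ipf -D
		if [ -f "$PIDFILE" ] ; then
			if kill -0 $pid; then
				kill -TERM $pid
			else
				cp /dev/null "$PIDFILE"
			fi
		fi
		;;

	resume)
		# Re-enable filtering, restore saved state, reload all rules,
		# and restart ipmon only if pause left a pid behind.
		ipf -E
		ipfs -R
		load_ippool
		load_ipf
		load_ipnat
		if [ -f "$PIDFILE" ] && [ -n "$pid" ] ; then
			/usr/sbin/ipmon -Ds
		fi
		;;

	reload)
		load_ippool
		load_ipf
		load_ipnat
		;;

	reipf)
		load_ipf
		;;

	reipnat)
		load_ipnat
		;;

	*)
		echo "Usage: $0 \c" >&2
		echo "(start|stop|reload|reipf|reipnat|pause|resume)" >&2
		exit 1
		;;

esac
exit $SMF_EXIT_OK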
180