#!/sbin/sh
#
# ident	"%Z%%M%	%I%	%E% SMI"
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

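. /lib/svc/share/smf_include.sh

PATH=${PATH}:/usr/sbin:/usr/lib/ipf
PIDFILE=/etc/ipf/ipmon.pid
IPFILCONF=/etc/ipf/ipf.conf
IP6FILCONF=/etc/ipf/ipf6.conf
IPNATCONF=/etc/ipf/ipnat.conf
IPPOOLCONF=/etc/ipf/ippool.conf
# Set to "yes" by checkpfil() after its first run so the pfil probe is
# done at most once per invocation.
PFILCHECKED=no

# First modinfo column (module id) of the line mentioning ipf.  Nothing
# in this script reads "id"; it is kept as is.
id=`/usr/sbin/modinfo 2>&1 | awk '/ipf/ { print $1 } ' - 2>/dev/null`

# Find the running ipmon: the pid file wins, pgrep is the fallback.
# "pause" truncates the pid file, so an empty pid is a normal state.
if [ -f "$PIDFILE" ] ; then
	pid=`cat "$PIDFILE" 2>/dev/null`
	# Only a plain decimal pid is accepted from the file: a stale or
	# corrupted pid file must not turn into "kill -TERM <garbage>"
	# in the start/stop/pause arms below.
	case "$pid" in
	*[!0-9]*) pid= ;;
	esac
else
	# -x: exact process-name match, so processes whose name merely
	# contains "ipmon" are not picked up and later sent SIGTERM.
	pid=`pgrep -x ipmon`
fi
# Same exact-name match for pfild (see above).
pfildpid=`pgrep -x pfild`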
logmsg()
{
	# Record a warning both in syslog (facility daemon, level warning,
	# tag "ipfilter") and on stderr, where the SMF log picks it up.
	# $1 - message text
	msg=$1
	logger -p daemon.warning -t ipfilter "$msg"
	echo "$msg" >&2
}
checkpfil()
{
	# One-shot check (guarded by PFILCHECKED) that the pfil module
	# answers ndd on /dev/pfil; if it does not, log the problem and exit
	# the method with SMF_EXIT_ERR_CONFIG.  A pfil that answers but is
	# pushed on no interface only produces a warning.
	case "$PFILCHECKED" in
	yes) return ;;
	esac
	# ndd's parameter listing (stdout) is discarded.  Because 2>&1 comes
	# before >/dev/null, ndd's stderr goes to the method's stdout, i.e.
	# any error text still reaches the service log.
	/usr/sbin/ndd /dev/pfil \? 2>&1 > /dev/null
	ndd_status=$?
	if [ "$ndd_status" -ne 0 ] ; then
		logmsg "pfil not available to support ipfilter"
		exit $SMF_EXIT_ERR_CONFIG
	fi
	# Number of "pfil" entries across the per-interface module lists.
	pfil_ifaces=`/sbin/ifconfig -a modlist 2>/dev/null | grep -c pfil`
	if [ "$pfil_ifaces" -eq 0 ] ; then
		logmsg "pfil not configured for firewall/NAT operation"
	fi
	PFILCHECKED=yes
}
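load_ipf() {
	# Load the IPv4 rule file (IPFILCONF) and the IPv6 rule file
	# (IP6FILCONF), each into the inactive rule set (-I, flushed first by
	# -Fa), and only when every present file loaded, swap the sets (ipf -s)
	# and resync (-y).  Files that are absent or unreadable are skipped.
	# Returns 0 on success, 1 if any load failed; in that case the active
	# rule set is left untouched.
	bad=0
	if [ -r "$IPFILCONF" ]; then
		checkpfil
		ipf -IFa -f "$IPFILCONF" >/dev/null
		if [ $? != 0 ]; then
			echo "$0: load of $IPFILCONF into alternate set failed"
			bad=1
		fi
	fi
	if [ -r "$IP6FILCONF" ]; then
		checkpfil
		ipf -6IFa -f "$IP6FILCONF" >/dev/null
		if [ $? != 0 ]; then
			# Name the IPv6 file here; the message used to report
			# IPFILCONF, which pointed the operator at the wrong file.
			echo "$0: load of $IP6FILCONF into alternate set failed"
			bad=1
		fi
	fi
	if [ "$bad" -eq 0 ] ; then
		ipf -s -y >/dev/null
		return 0
	else
		echo "Not switching config due to load error."
		return 1
	fi
}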
load_ipnat() {
	# Replace the NAT configuration with IPNATCONF (ipnat -C clears the
	# rule list and -F the active mappings before -f loads the file),
	# then resync ipf (-y).  A missing or unreadable file is not an error.
	# Returns 1 and prints a message if the load fails, 0 otherwise.
	[ -r "$IPNATCONF" ] || return 0
	checkpfil
	if ipnat -CF -f "$IPNATCONF" >/dev/null ; then
		ipf -y >/dev/null
		return 0
	fi
	echo "$0: load of $IPNATCONF failed"
	return 1
}
load_ippool() {
	# Flush all pools (ippool -F) and load IPPOOLCONF.  A missing or
	# unreadable file means nothing is done and 0 is returned.  Note the
	# flush happens before the load, so a failed load leaves the pools
	# empty; 1 is returned and a message printed in that case.
	[ -r "$IPPOOLCONF" ] || return 0
	checkpfil
	ippool -F >/dev/null
	if ippool -f "$IPPOOLCONF" >/dev/null ; then
		return 0
	fi
	echo "$0: load of $IPPOOLCONF failed"
	return 1
}
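# Method dispatch.  $1 is the SMF method name; "$pid" and "$pfildpid"
# were determined at startup.  Those two are deliberately left unquoted
# in the kill commands: pgrep may return several pids, one per line, and
# word splitting is what passes them all to kill.
case "$1" in
	start)
		# No IPv4 rule file: nothing to load, the service still
		# comes online.
		[ ! -f "$IPFILCONF" ] && exit 0
		# Stop any leftover pfild/ipmon before starting fresh ones.
		[ -n "$pfildpid" ] && kill -TERM $pfildpid 2>/dev/null
		[ -n "$pid" ] && kill -TERM $pid 2>/dev/null
		/usr/sbin/pfild >/dev/null
		# A failed load of any of the three files puts the service in
		# maintenance via SMF_EXIT_ERR_CONFIG; ipmon runs only on success.
		if load_ippool && load_ipf && load_ipnat ; then
			ipmon -Ds
		else
			exit $SMF_EXIT_ERR_CONFIG
		fi
		;;

	stop)
		[ -n "$pfildpid" ] && kill -TERM $pfildpid
		[ -n "$pid" ] && kill -TERM $pid
		;;

	pause)
		# Save state, disable the filter, and stop ipmon.
		ipfs -l
		ipfs -NS -w
		ipf -D
		if [ -f "$PIDFILE" ] ; then
			# An empty pid (truncated pid file) is treated like a dead
			# one instead of being handed to kill -0.  When the recorded
			# ipmon is gone the pid file is truncated, so a later
			# "resume" sees no pid and does not restart ipmon.
			if [ -n "$pid" ] && kill -0 $pid 2>/dev/null; then
				kill -TERM $pid
			else
				cp /dev/null "$PIDFILE"
			fi
		fi
		;;

	resume)
		# Re-enable the filter, restore saved state, reload every file.
		# Load failures are not checked here (unlike "start"); the method
		# still exits SMF_EXIT_OK.
		ipf -E
		ipfs -R
		load_ippool
		load_ipf
		load_ipnat
		# Two tests instead of "-a", whose meaning in test(1) is
		# ambiguous for some operands.
		if [ -f "$PIDFILE" ] && [ -n "$pid" ] ; then
			ipmon -Ds
		fi
		;;

	reload)
		# NOTE(review): return values are ignored, so a reload with a
		# broken file still exits SMF_EXIT_OK; the failure is only
		# visible in the messages the load_* functions print.
		load_ippool
		load_ipf
		load_ipnat
		;;

	reipf)
		load_ipf
		;;

	reipnat)
		load_ipnat
		;;

	*)
		# "\c" suppresses the newline in the Bourne shell's echo, so the
		# two parts form one usage line.
		echo "Usage: $0 \c" >&2
		echo "(start|stop|reload|reipf|reipnat|pause|resume)" >&2
		exit 1
		;;

esac
exit $SMF_EXIT_OK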