FreeBSD 9 improvements

ipfilter/config-freebsd

@@ -0,0 +1,9 @@
+ipf_conf=/etc/ipf.rules
+ipnat_conf=/etc/ipnat.rules
+view_condition=1
+view_comment=0
+ipf=ipf
+ipfstat=ipfstat
+cluster_mode=0
+ipnat=ipnat
+cluster_nat=1

ipfilter/index.cgi

@@ -14,7 +14,7 @@ if ($cmd) {
 	}
 
 # Get the version number
-$vout = `$config{'ipf'} -V 2>&1`;
+$vout = &backquote_command("$config{'ipf'} -V 2>&1");
 if ($vout =~ /IP\s+Filter:\s+v?(\S+)/i) {
 	$ipf_version = $1;
 	}

ipfilter/ipfilter-lib.pl

@@ -76,14 +76,14 @@ while(<FILE>) {
 		$rule->{'action'} = shift(@w);
 		if ($rule->{'action'} eq "block") {
 			# Block can have ICMP return type parameter
+			print STDERR $w[0],"\n";
 			if ($w[0] eq "return-rst") {
 				shift(@w);
 				$rule->{'block-return'} = "rst";
 				}
 			elsif ($w[0] eq "return-icmp" ||
 			       $w[0] eq "return-icmp-as-dest") {
-				# XXX is this correct? ie.
-				# return-icmp ( srcfail )
+				# Handle action like return-icmp ( net-unr )
 				$rule->{'block-return-dest'} = 1
 					if ($w[0] eq "return-icmp-as-dest");
 				shift(@w);
@@ -91,6 +91,13 @@ while(<FILE>) {
 				$rule->{'block-return'} = shift(@w);
 				shift(@w);	# skip )
 				}
+			elsif ($w[0] =~ /^(return-icmp|return-icmp-as-dest)\((\S+)\)/) {
+				# Same as above, with no spaces
+				$rule->{'block-return-dest'} = 1
+					if ($1 eq "return-icmp-as-dest");
+				$rule->{'block-return'} = $2;
+				shift(@w);
+				}
 			}
 		elsif ($rule->{'action'} eq "log") {
 			# Log action can have several options
@@ -197,7 +204,8 @@ while(<FILE>) {
 				$cmt .= $nocmt;
 				goto nextline;
 				}
-			&error("error parsing IPF line $_ at $w[0] line $lnum");
+			&error("error parsing IPF line $_ at $w[0] line $lnum ".
+			       " : remainder ".join(" ", @w));
 			}
 
 		# Parse ip options
@@ -1216,9 +1224,17 @@ if ($config{'smf'}) {
 	       $state eq 'disabled' || $state eq 'offline' ||
 	        $state eq 'maintenance' ? 1 : 0;
 	}
+elsif ($gconfig{'os_type'} eq 'freebsd') {
+	# Check for built-in rc config
+	&foreign_require("init");
+	local @rc = &init::get_rc_conf();
+	local ($rc) = grep { $_->{'name'} eq 'ipfilter_enable' &&
+			     $_->{'value'} eq 'YES' } @rc;
+	return $rc ? 2 : 1;
+	}
 else {
 	# Look at init script
-	&foreign_require("init", "init-lib.pl");
+	&foreign_require("init");
 	return &init::action_status($init_script);
 	}
 }
@@ -1237,6 +1253,17 @@ if ($config{'smf'}) {
 				    [ $config{'smf'} ]);
 		}
 	}
+elsif ($gconfig{'os_type'} eq 'freebsd') {
+	# Use built-in config
+	&foreign_require("init");
+	&init::save_rc_conf("ipfilter_enable", "YES");
+	&init::save_rc_conf("ipfilter_rules", $config{'ipf_conf'});
+	my $natrules = &get_ipnat_config();
+	if (@$natrules) {
+		&init::save_rc_conf("ipnat_enable", "YES");
+		&init::save_rc_conf("ipnat_rules", $config{'ipnat_conf'});
+		}
+	}
 else {
 	# Create or enable init script
 	local $ipf = &has_command($config{'ipf'});
@@ -1244,7 +1271,7 @@ else {
 	local $start = "$ipf -F a\n".
 		       "$ipf -f $config{'ipf_conf'}";
 	local $stop = "$ipf -F a".
-	&foreign_require("init", "init-lib.pl");
+	&foreign_require("init");
 	&init::enable_at_boot($init_script, "Activate IPfilter firewall",
 			      $start, $stop);
 	}
@@ -1264,6 +1291,12 @@ if ($config{'smf'}) {
 				    [ $config{'smf'} ]);
 		}
 	}
+elsif ($gconfig{'os_type'} eq 'freebsd') {
+	# Use built-in config
+	&foreign_require("init");
+	&init::save_rc_conf("ipfilter_enable", "NO");
+	&init::save_rc_conf("ipnat_enable", "NO");
+	}
 else {
 	# Disable init script
 	&foreign_require("init", "init-lib.pl");