diff --git a/ipfilter/config-freebsd b/ipfilter/config-freebsd
new file mode 100644
index 000000000..82ee67dff
--- /dev/null
+++ b/ipfilter/config-freebsd
@@ -0,0 +1,9 @@
+ipf_conf=/etc/ipf.rules
+ipnat_conf=/etc/ipnat.rules
+view_condition=1
+view_comment=0
+ipf=ipf
+ipfstat=ipfstat
+cluster_mode=0
+ipnat=ipnat
+cluster_nat=1
diff --git a/ipfilter/index.cgi b/ipfilter/index.cgi
index 857dbfb9d..6a6644720 100755
--- a/ipfilter/index.cgi
+++ b/ipfilter/index.cgi
@@ -14,7 +14,7 @@ if ($cmd) {
 }
 # Get the version number
-$vout = `$config{'ipf'} -V 2>&1`;
+$vout = &backquote_command("$config{'ipf'} -V 2>&1");
 if ($vout =~ /IP\s+Filter:\s+v?(\S+)/i) {
 $ipf_version = $1;
 }
diff --git a/ipfilter/ipfilter-lib.pl b/ipfilter/ipfilter-lib.pl
index 26a773a4d..9a1c7180e 100755
--- a/ipfilter/ipfilter-lib.pl
+++ b/ipfilter/ipfilter-lib.pl
@@ -76,14 +76,14 @@ while() {
 $rule->{'action'} = shift(@w);
 if ($rule->{'action'} eq "block") {
 # Block can have ICMP return type parameter
+ print STDERR $w[0],"\n";
 if ($w[0] eq "return-rst") {
 shift(@w);
 $rule->{'block-return'} = "rst";
 }
 elsif ($w[0] eq "return-icmp" ||
 $w[0] eq "return-icmp-as-dest") {
- # XXX is this correct? ie.
- # return-icmp ( srcfail )
+ # Handle action like return-icmp ( net-unr )
 $rule->{'block-return-dest'} = 1
 if ($w[0] eq "return-icmp-as-dest");
 shift(@w);
@@ -91,6 +91,13 @@ while() {
 $rule->{'block-return'} = shift(@w);
 shift(@w); # skip )
 }
+ elsif ($w[0] =~ /^(return-icmp|return-icmp-as-dest)\((\S+)\)/) {
+ # Same as above, with no spaces
+ $rule->{'block-return-dest'} = 1
+ if ($1 eq "return-icmp-as-dest");
+ $rule->{'block-return'} = $2;
+ shift(@w);
+ }
 }
 elsif ($rule->{'action'} eq "log") {
 # Log action can have several options
@@ -197,7 +204,8 @@ while() {
 $cmt .= $nocmt;
 goto nextline;
 }
- &error("error parsing IPF line $_ at $w[0] line $lnum");
+ &error("error parsing IPF line $_ at $w[0] line $lnum ".
+ " : remainder ".join(" ", @w));
 }
 # Parse ip options
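Review bot: The added `print STDERR $w[0],"\n";` at the top of the `block` branch, in the `@@ -76,14 +76,14 @@` hunk of ipfilter/ipfilter-lib.pl, looks like leftover debugging and should be removed before merge. As written it emits the token that follows every `block` action to stderr each time the rules file is parsed, which for a CGI normally ends up in the web server's error log. The enclosing `while` loop starts and ends outside this hunk.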
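Review bot: The new no-space pattern `/^(return-icmp|return-icmp-as-dest)\((\S+)\)/` in the `@@ -91,6 +91,13 @@` hunk of ipfilter/ipfilter-lib.pl has no end anchor and uses a greedy `\S+`, so a token with extra text after the first `)` still matches. That extra text is either captured into `block-return` or dropped without any error. A tighter match such as `/^(return-icmp(?:-as-dest)?)\(([^()\s]+)\)$/` would leave malformed tokens to the existing parse error. The surrounding `if`/`elsif` chain starts outside the hunk.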
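Review bot: The extended message in the `@@ -197,7 +204,8 @@` hunk of ipfilter/ipfilter-lib.pl interpolates more raw rules-file text (`join(" ", @w)`) into `&error(...)` without escaping. `&error` is defined outside this diff; if it renders its argument as HTML, the remainder should be escaped so that a rule containing `<` or `&` is shown literally, e.g. `" : remainder ".&html_escape(join(" ", @w))`. The concatenation also leaves a double space before the colon, because the first string ends in a space and the second begins with one.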
@@ -1216,9 +1224,17 @@ if ($config{'smf'}) {
 $state eq 'disabled' || $state eq 'offline' || $state eq 'maintenance' ? 1 : 0;
 }
+elsif ($gconfig{'os_type'} eq 'freebsd') {
+ # Check for built-in rc config
+ &foreign_require("init");
+ local @rc = &init::get_rc_conf();
+ local ($rc) = grep { $_->{'name'} eq 'ipfilter_enable' &&
+ $_->{'value'} eq 'YES' } @rc;
+ return $rc ? 2 : 1;
+ }
 else {
 # Look at init script
- &foreign_require("init", "init-lib.pl");
+ &foreign_require("init");
 return &init::action_status($init_script);
 }
 }
@@ -1237,6 +1253,17 @@ if ($config{'smf'}) {
 [ $config{'smf'} ]);
 }
 }
+elsif ($gconfig{'os_type'} eq 'freebsd') {
+ # Use built-in config
+ &foreign_require("init");
+ &init::save_rc_conf("ipfilter_enable", "YES");
+ &init::save_rc_conf("ipfilter_rules", $config{'ipf_conf'});
+ my $natrules = &get_ipnat_config();
+ if (@$natrules) {
+ &init::save_rc_conf("ipnat_enable", "YES");
+ &init::save_rc_conf("ipnat_rules", $config{'ipnat_conf'});
+ }
+ }
 else {
 # Create or enable init script
 local $ipf = &has_command($config{'ipf'});
@@ -1244,7 +1271,7 @@ else {
 local $start = "$ipf -F a\n".
 "$ipf -f $config{'ipf_conf'}";
 local $stop = "$ipf -F a".
- &foreign_require("init", "init-lib.pl");
+ &foreign_require("init");
 &init::enable_at_boot($init_script, "Activate IPfilter firewall", $start, $stop);
 }
@@ -1264,6 +1291,12 @@ if ($config{'smf'}) {
 [ $config{'smf'} ]);
 }
 }
+elsif ($gconfig{'os_type'} eq 'freebsd') {
+ # Use built-in config
+ &foreign_require("init");
+ &init::save_rc_conf("ipfilter_enable", "NO");
+ &init::save_rc_conf("ipnat_enable", "NO");
+ }
 else {
 # Disable init script
 &foreign_require("init", "init-lib.pl");
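Review bot: The FreeBSD boot-status check in the `@@ -1216,9 +1224,17 @@` hunk counts only an entry whose value is exactly `YES`, and treats any such entry as decisive. rc.conf booleans are evaluated case-insensitively and `TRUE`, `ON` and `1` are also accepted, so `ipfilter_enable="yes"` would be reported as not enabled. Conversely, if `&init::get_rc_conf()` returns entries from several files or repeated assignments (its definition is not in this diff), an earlier `YES` that a later `NO` overrides would still be reported as enabled, which overstates whether the firewall starts at boot. Consider taking the last `ipfilter_enable` entry and testing it with `$last->{'value'} =~ /^(yes|true|on|1)$/i`. The enclosing function starts outside the hunk.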
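Review bot: In the `@@ -1244,7 +1271,7 @@` hunk the context line `local $stop = "$ipf -F a".` ends with the concatenation operator rather than a semicolon. The statement therefore continues into the rewritten `&foreign_require("init");` call, and whatever that call returns is appended to the stop command handed to `&init::enable_at_boot`. Since this commit already edits the following line, the assignment could be terminated here: `local $stop = "$ipf -F a";`. The enclosing `else` block starts outside the hunk.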
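Review bot: The `else` branch shown as context at the end of the `@@ -1264,6 +1291,12 @@` hunk still calls `&foreign_require("init", "init-lib.pl");`, while this commit moved the other two branches to the one-argument form `&foreign_require("init");`. Changing it here as well keeps the three boot-time functions consistent. The new FreeBSD branch also writes `ipnat_enable` as `NO` unconditionally; if that is intended even when NAT was enabled independently of this module, a comment such as `# ipnat is managed together with ipfilter here` would record it. The function body continues outside the hunk.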