History log of /src/libexec/rc/rc.d/ipfw (Results 1 – 25 of 47)
Revision Date Author Comments
# ddf4f9ed 15-Dec-2025 Gleb Smirnoff <glebius@FreeBSD.org>

ipfw: create "ipfw0" and "ipfwlog0" bpf tapping points without ifnet(9)

As a free bonus the tapping points are now able to match packet direction.

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D53875


# f99f0ee1 22-May-2024 Alexander Leidinger <netchild@FreeBSD.org>

rc.d: add a service jails config to all base system services

This gives more permissions to services (e.g. network access to
services which require this) when they are started as an automatic
service jail.

The sshd patch is important for the sshd-related functionality as
described in the man-page in the service jails part.

The location of the added env vars is supposed to allow overriding them
in rc.conf, and to hard-disable the use of svcj for some parts where it
doesn't make sense or will not work.

Only a subset of all of the services are fully tested (I'm running this
since more than a year with various services started as service jails).
The untested parts should be most of the time ok, in some edge-cases
more permissions are needed inside the service jail.
Differential Revision: https://reviews.freebsd.org/D40371


# d0b2dbfa 16-Aug-2023 Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: one-line sh pattern

Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/


# f5b5de1a 17-May-2021 Eugene Grosbein <eugen@FreeBSD.org>

ipfw: reload sysctl.conf variables if needed

Currently ipfw has multiple components that are not parts
of GENERIC kernel like dummynet etc. They can bring in important
sysctls if enabled with rc.conf(5) and loaded with ipfw startup script
by means of "required_modules" after initial consult
with /etc/sysctl.conf at boot time. Here is an example of one
increasing limit for dummynet hold queues that defaults to 100:

net.inet.ip.dummynet.pipe_slot_limit=1000

This makes it possible to use ipfw/dummynet rules such as:

ipfw pipe 1 config bw 50Mbit/s queue 1000

Such rule is rejected unless above sysctl is applied.
Another example is a group of net.inet.ip.alias.* sysctls
created after libalias.ko loaded as dependency of ipfw_nat.

This is not a problem if corresponding code compiled in custom kernel
so sysctls exist when sysctl.conf is read early or kernel modules
loaded with a loader. This change makes it work also for GENERIC
and modules loaded by means of rc.conf(5) settings.

MFC after: 1 month


# 5c4fe2ac 02-May-2021 Lutz Donnerhacke <donner@FreeBSD.org>

service/ipfw: Silence warning on restart

Once the ipfw0 interface has been created, ifconfig(8) create will
throw a warning: 'ifconfig: create: bad value' when trying to create it
again.

PR: 241013
Submitted by: Jose Luis Duran
Approved by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30083


# 51206126 18-Dec-2020 Mark Johnston <markj@FreeBSD.org>

Fix the ipfw service status output when ipfw.ko isn't loaded

Reported by: lme
Reviewed by: lme
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D27657


# fb6b5cd0 13-Jul-2020 Allan Jude <allanjude@FreeBSD.org>

Remove excess spaces from rc.d scripts

The space between words is already being echoed by the space between quoted strings:

% echo 'foo' 'bar'
foo bar

% echo 'foo' ' baz'
foo  baz

Found in `ipfw` and `mountlate` messages.

PR: 247948
Submitted by: Jose Luis Duran <jlduran@gmail.com>
MFC after: 2 weeks
Sponsored by: Klara Inc.


# 4c607608 21-Jan-2020 Eugene Grosbein <eugen@FreeBSD.org>

libexec/rc/rc.d/ipfw: style fix after r356943

Also, make sure it does not break for systems without ipfw code loaded.

MFC after: 1 months
X-MFC-with: 356943


# 7d821948 21-Jan-2020 Eugene Grosbein <eugen@FreeBSD.org>

Correct "service ipfw status" for INET6-only systems.

MFC after: 1 month


# 0bd4858e 23-Mar-2019 Andrey V. Elsukov <ae@FreeBSD.org>

Add ability to automatically load ipfw_nat64, ipfw_nptv6 and ipfw_pmod
modules by declaring corresponding variables in rc.conf. Also document
them in rc.conf(5).

Submitted by: Dries Michiels
Differential Revision: https://reviews.freebsd.org/D19673


# 0696600c 17-Oct-2018 Bjoern A. Zeeb <bz@FreeBSD.org>

Move the rc framework out of sbin/init into libexec/rc.

The reasons for this are forward looking to pkgbase:
* /sbin/init is a special binary; try not to replace it with
every package update because an rc script was touched.
(a follow-up commit will make init its own package)
* having rc in its own place will allow more easy replacement
of the rc framework with alternatives, such as openrc.

Discussed with: brd (during BSDCam), kmoore
Requested by: cem, bz
PR: 231522
Approved by: re (gjb)


# 1135e97b 28-Jul-2018 Brad Davis <brd@FreeBSD.org>

Move rc startup scripts from etc/ to sbin/init/

This keeps most startup scripts as CONFS per discussion on src-committers from
back during BSDCan.

Approved by: will (mentor)
Differential Revision: https://reviews.freebsd.org/D16466


# af9f0aa4 07-Jun-2018 Kristof Provost <kp@FreeBSD.org>

ipfw: fix status if ipfw.ko is not loaded

If the ipfw module is not loaded the net.inet.ip.fw.enable OID does not exist,
which leads the script to report errors and incorrectly report that ipfw is
enabled.


# 42faa80b 07-Jun-2018 Kristof Provost <kp@FreeBSD.org>

ipfw: fix whitespace

No functional changes.


# 61e7e50d 22-Feb-2018 Marcelo Araujo <araujo@FreeBSD.org>

The firewall_type is ignored if not set in rc.conf or rc.conf.local,
after r190575 there is an option to call rc.firewall with the firewall_type
passed in as an argument.

Submitted by: David P. Discher <dpd@dpdtech.com>
MFC after: 3 weeks.
Sponsored by: iXsystems Inc.
Differential Revision: https://reviews.freebsd.org/D14286


# 600a08a8 13-Jul-2017 Emmanuel Vadot <manu@FreeBSD.org>

Add ipfw_status command to etc/rc.d/ipfw

This is helpful when using service/conf management tools.

Sponsored-By: Gandi.net


# c32d0b56 03-May-2017 Nick Hibma <n_hibma@FreeBSD.org>

Silence sysctl in startup scripts.

This makes 'stop' behave consistently with 'start' in the script.
Also use $SYSCTL instead of sysctl for consistency within that script.

MFC after: 3 weeks


# 6c1a5e83 23-Apr-2016 Lars Engels <lme@FreeBSD.org>

- Add descriptions to most of the rc scripts. Those are mostly taken from their
daemon's manpage and probably improved.
- Consistently use "filesystem" not "file system".

Approved by: bapt, brueffer
Differential Revision: D452


# 761d2bb5 19-May-2013 Jamie Gritton <jamie@FreeBSD.org>

Refine the "nojail" rc keyword, adding "nojailvnet" for files that don't
apply to most jails but do apply to vnet jails. This includes adding
a new sysctl "security.jail.vnet" to identify vnet jails.

PR: conf/149050
Submitted by: mdodd
MFC after: 3 days


# 859aa11d 29-Oct-2012 Hiroki Sato <hrs@FreeBSD.org>

Load ipdivert.ko when natd_enable=YES.

PR: conf/167566


# 8efbd296 09-Jul-2012 Hiroki Sato <hrs@FreeBSD.org>

Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.

Discussed on: freebsd-ipfw@


# 86fdaae5 30-Mar-2011 Ed Maste <emaste@FreeBSD.org>

Replace ${SYSCTL_W} with ${SYSCTL} in rc.d scripts, as they are identical.
This is a further clean up after r202988.

SYSCTL_W is still initialized in rc.subr as some ports may still use it.


# 2557f5bf 14-May-2010 Doug Barton <dougb@FreeBSD.org>

Remove trailing white space. No functional changes.


# fafa9c3c 08-Feb-2010 Maksim Yevmenkin <emax@FreeBSD.org>

Introduce new rc.conf variable firewall_coscripts. It can be used to
specify list of executables and/or rc scripts that should be executed
after firewall starts/stops.

Submitted by: Yuri Kurenkov <y dot kurenkov at init dot ru>
Reviewed by: rhodes, rc@
MFC after: 1 week


# 2bba0e1a 02-Dec-2009 Hajimu UMEMOTO <ume@FreeBSD.org>

Unify rc.firewall and rc.firewall6, and obsolete rc.firewall6
and rc.d/ip6fw.

Reviewed by: dougb, jhb
MFC after: 1 month

