From owner-svn-src-all@FreeBSD.ORG Tue Feb 16 19:00:48 2010 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6200C1065693; Tue, 16 Feb 2010 19:00:48 +0000 (UTC) (envelope-from emax@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 4E3548FC1D; Tue, 16 Feb 2010 19:00:48 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o1GJ0mih007373; Tue, 16 Feb 2010 19:00:48 GMT (envelope-from emax@svn.freebsd.org) Received: (from emax@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o1GJ0mV3007369; Tue, 16 Feb 2010 19:00:48 GMT (envelope-from emax@svn.freebsd.org) Message-Id: <201002161900.o1GJ0mV3007369@svn.freebsd.org> 
From: Maksim Yevmenkin Date: Tue, 16 Feb 2010 19:00:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r203962 - in stable/8: etc/defaults etc/rc.d share/man/man5 X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Feb 2010 19:00:48 -0000 Author: emax Date: Tue Feb 16 19:00:47 2010 New Revision: 203962 URL: http://svn.freebsd.org/changeset/base/203962 Log: MFC: r203676 Introduce new rc.conf variable firewall_coscripts. It can be used to specify list of executables and/or rc scripts that should be executed after firewall starts/stops. Submitted by: Yuri Kurenkov Reviewed by: rhodes, rc@ Modified: stable/8/etc/defaults/rc.conf stable/8/etc/rc.d/ipfw stable/8/share/man/man5/rc.conf.5 Directory Properties: stable/8/etc/ (props changed) stable/8/share/man/man5/ (props changed) Modified: stable/8/etc/defaults/rc.conf ============================================================================== --- stable/8/etc/defaults/rc.conf Tue Feb 16 18:10:35 2010 (r203961) +++ stable/8/etc/defaults/rc.conf Tue Feb 16 19:00:47 2010 (r203962) 
@@ -118,6 +118,8 @@ firewall_type="UNKNOWN" # Firewall type firewall_quiet="NO" # Set to YES to suppress rule display firewall_logging="NO" # Set to YES to enable events logging firewall_flags="" # Flags passed to ipfw when type is a file +firewall_coscripts="" # List of executables/scripts to run after + # firewall starts/stops firewall_client_net="192.0.2.0/24" # Network address for "client" firewall. firewall_simple_iif="ed1" # Inside network interface for "simple" # firewall. Modified: stable/8/etc/rc.d/ipfw ============================================================================== --- stable/8/etc/rc.d/ipfw Tue Feb 16 18:10:35 2010 (r203961) +++ stable/8/etc/rc.d/ipfw Tue Feb 16 19:00:47 2010 (r203962) @@ -14,6 +14,7 @@ name="ipfw" rcvar="firewall_enable" start_cmd="ipfw_start" start_precmd="ipfw_prestart" +start_postcmd="ipfw_poststart" stop_cmd="ipfw_stop" required_modules="ipfw" @@ -40,9 +41,6 @@ ipfw_start() [ -z "${firewall_script}" ] && firewall_script=/etc/rc.firewall if [ -r "${firewall_script}" ]; then - if [ -f /etc/rc.d/natd ] ; then - /etc/rc.d/natd quietstart - fi /bin/sh "${firewall_script}" "${_firewall_type}" echo 'Firewall rules loaded.' elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then @@ -57,6 +55,19 @@ ipfw_start() echo 'Firewall logging enabled.' sysctl net.inet.ip.fw.verbose=1 >/dev/null fi +} + +ipfw_poststart() +{ + local _coscript + + # Start firewall coscripts + # + for _coscript in ${firewall_coscripts} ; do + if [ -f "${_coscript}" ]; then + ${_coscript} quietstart + fi + done # Enable the firewall # 
@@ -67,13 +78,22 @@ ipfw_start() ipfw_stop() { + local _coscript + # Disable the firewall # ${SYSCTL_W} net.inet.ip.fw.enable=0 - if [ -f /etc/rc.d/natd ] ; then - /etc/rc.d/natd quietstop - fi + + # Stop firewall coscripts + # + for _coscript in `reverse_list ${firewall_coscripts}` ; do + if [ -f "${_coscript}" ]; then + ${_coscript} quietstop + fi + done } load_rc_config $name +firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}" + run_rc_command $* Modified: stable/8/share/man/man5/rc.conf.5 ============================================================================== --- stable/8/share/man/man5/rc.conf.5 Tue Feb 16 18:10:35 2010 (r203961) +++ stable/8/share/man/man5/rc.conf.5 Tue Feb 16 19:00:47 2010 (r203962) @@ -512,6 +512,10 @@ specifies a filename. .Pq Vt str The IPv6 equivalent of .Va firewall_flags . +.It Va firewall_coscripts +.Pq Vt str +List of executables and/or rc scripts to run after firewall starts/stops. +Default is empty. .\" ----- firewall_nat_enable setting -------------------------------- .It Va firewall_nat_enable .Pq Vt bool
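Review bot: on the ipfw_start hunk `@@ -40,9 +41,6 @@`, removing `/etc/rc.d/natd quietstart` from inside the `if [ -r "${firewall_script}" ]` branch changes both when and whether natd starts: it used to start only when a readable firewall_script existed, and before that script loaded the rules; with natd now prepended to firewall_coscripts it starts from ipfw_poststart in every branch, after the rules are loaded. That ordering change deserves a sentence in the log message, and a check that nothing in the default rc.firewall relies on natd already being up when the rules are installed.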
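Review bot: in hunk `@@ -57,6 +55,19 @@`, the added `+}` closes ipfw_start before the new function, so the unchanged trailing context `# Enable the firewall` now belongs to ipfw_poststart: enabling the firewall moves from start_cmd into start_postcmd and happens only after every coscript has been started. Nothing in the hunk or the log says this is intended; add a one-line comment in ipfw_poststart stating that enabling is deliberately deferred until the coscripts are up. A smaller point: `[ -f "${_coscript}" ]` only tests existence, so an entry that exists but is not executable fails noisily at `${_coscript} quietstart`; `[ -x "${_coscript}" ]` would skip it cleanly.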
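Review bot: in hunk `@@ -67,13 +78,22 @@`, `firewall_coscripts="/etc/rc.d/natd ${firewall_coscripts}"` after load_rc_config hard-wires natd into the list on every run, so an administrator cannot drop it from rc.conf and the variable's effective default is never empty; either document that natd is always included or prepend it only when the user has not listed it. The `reverse_list` stop loop correctly mirrors the start order (natd, started first, is stopped last), which is worth a comment next to the prepend line, since on its own `reverse_list` reads as unrelated to it.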
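Review bot: the rc.conf.5 hunk `@@ -512,6 +512,10 @@` should say how the listed items are invoked: each entry is run as `<path> quietstart` after the firewall starts and `<path> quietstop` after it stops, with the stop pass in reverse order, so a plain executable listed here must accept those arguments (rc.d scripts do; arbitrary binaries may not). "Default is empty" also needs qualifying, because the ipfw script always runs /etc/rc.d/natd as a coscript even when the variable is unset.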