Index: src-sh/warden/bin/warden =================================================================== --- src-sh/warden/bin/warden (revision 9bf0d710ee29ed8b579d6be7d6ab22782e8c3368) +++ src-sh/warden/bin/warden (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) @@ -92,5 +92,5 @@ defaultrouter-ipv4: Lets you see the default IPv4 router for this jail defaultrouter-ipv6: Lets you see the default IPv6 router for this jail - flags: Lets you see additional flags to pass to the 'jail' command at startup + flags: Lets you see additional flags to pass to the 'jail' command at startup Usage: @@ -127,5 +127,5 @@ defaultrouter-ipv4: Lets you set the default IPv4 router for this jail defaultrouter-ipv6: Lets you set the default IPv6 router for this jail - flags: Lets you set additional flags to pass to the 'jail' command at startup + flags: Lets you set additional flags to pass to the 'jail' command at startup Usage: @@ -806,7 +806,7 @@ ${PROGDIR}/bin/warden-gui ;; - list) require_root - shift - ${PROGDIR}/scripts/backend/listjails.sh $* ;; + list) require_root + shift + ${PROGDIR}/scripts/backend/listjails.sh $* ;; start) require_root @@ -1037,7 +1037,7 @@ IP4="OFF" IP6="OFF" - SOURCE="NO" + SRC="NO" PORTS="NO" - STARTUP="NO" + AUTOSTART="NO" VANILLA="NO" VERSION= @@ -1055,10 +1055,10 @@ ;; - --src) SOURCE="YES" ;; + --src) SRC="YES" ;; --ports) PORTS="YES" ;; - --startauto) STARTUP="YES" ;; + --startauto) AUTOSTART="YES" ;; --vanilla) VANILLA="YES" ;; --portjail) JAILTYPE="portjail" ;; - --pluginjail) JAILTYPE="pluginjail" ;; + --pluginjail) JAILTYPE="pluginjail" ; VANILLA="YES" ;; --linuxjail) JAILTYPE="linuxjail" ; shift if [ -z "$1" ] ; then exit_err "No linux setup script specified!"; fi @@ -1108,7 +1108,7 @@ export IP4 export IP6 - export SOURCE + export SRC export PORTS - export STARTUP + export AUTOSTART export JAILTYPE export ARCHIVE_FILE Index: src-sh/warden/conf/warden.conf =================================================================== --- src-sh/warden/conf/warden.conf (revision 0988d23ad27d05ccab63607eec517722ccdbdba5) +++ src-sh/warden/conf/warden.conf (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) @@ -11,2 +11,5 @@ # Location of the jails JDIR: /usr/jails + +# FreeBSD release to use +FREEBSD_RELEASE: 9.1-RELEASE Index: src-sh/warden/pluginjail-packages =================================================================== --- src-sh/warden/pluginjail-packages (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) +++ src-sh/warden/pluginjail-packages (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) @@ -0,0 +1,38 @@ +devel/libtool +converters/libiconv +lang/perl5.14 +converters/iconv +devel/pkgconf +devel/gettext +databases/db46 +lang/python27 +dns/py-dnspython +databases/tdb +devel/pcre +databases/sqlite3 +databases/py-sqlite3 +databases/py-bsddb3 +devel/py-distribute +devel/py-asn1 +devel/py-asn1-modules +www/py-flup +textproc/libxml2 +textproc/py-libxml2 +textproc/expat2 +devel/libltdl +devel/py-ipaddr +converters/base64 +devel/libffi +devel/glib20 +devel/gamin +devel/gio-fam-backend +sysutils/gnome_subr +devel/dbus OPTIONS_FILE_UNSET+=X11 +devel/dbus-glib OPTIONS_FILE_UNSET+=X11 +devel/libdaemon +databases/gdbm +textproc/py-xml +dns/libidn +ftp/wget +devel/py-lockfile +devel/py-daemon Index: src-sh/warden/scripts/backend/createjail.sh =================================================================== --- src-sh/warden/scripts/backend/createjail.sh (revision 90a056e278ee336340fb5065a8f0ef8535202ad3) +++ src-sh/warden/scripts/backend/createjail.sh (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) @@ -23,5 +23,5 @@ fi - if [ "$STARTUP" = "YES" ] ; then + if [ "$AUTOSTART" = "YES" ] ; then touch "${JMETADIR}/autostart" fi @@ -69,5 +69,5 @@ # If we are auto-starting the jail, do it now - if [ "$STARTUP" = "YES" ] ; then warden start ${JAILNAME} ; fi + if [ "$AUTOSTART" = "YES" ] ; then warden start ${JAILNAME} ; fi echo "Success! Linux jail created at ${JAILDIR}" @@ -87,23 +87,19 @@ esac -if [ -z "${VERSION}" -a -e "/etc/version" ] ; then VERSION=`cat /etc/version`; fi - # Location of the chroot environment isDirZFS "${JDIR}" if [ $? -eq 0 ] ; then - if [ "${PLUGINJAIL}" = "YES" ] ; then - WORLDCHROOT="${JDIR}/.warden-pj-chroot-${ARCH}" - else - WORLDCHROOT="${JDIR}/.warden-chroot-${ARCH}" - fi - export WORLDCHROOT + WORLDCHROOT_PLUGINJAIL="${JDIR}/.warden-pj-chroot-${ARCH}" + WORLDCHROOT_STANDARD="${JDIR}/.warden-chroot-${ARCH}" else - if [ "${PLUGINJAIL}" = "YES" ] ; then - WORLDCHROOT="${JDIR}/.warden-pj-chroot-${ARCH}.tbz" - else - WORLDCHROOT="${JDIR}/.warden-chroot-${ARCH}.tbz" - fi - export WORLDCHROOT -fi + WORLDCHROOT_PLUGINJAIL="${JDIR}/.warden-pj-chroot-${ARCH}.tbz" + WORLDCHROOT_STANDARD="${JDIR}/.warden-chroot-${ARCH}.tbz" +fi +if [ "${PLUGINJAIL}" = "YES" ] ; then + WORLDCHROOT="${WORLDCHROOT_PLUGINJAIL}" +else + WORLDCHROOT="${WORLDCHROOT_STANDARD}" +fi +export WORLDCHROOT WORLDCHROOT_PLUGINJAIL WORLDCHROOT_STANDARD if [ "${IP4}" != "OFF" ] ; then @@ -118,5 +114,5 @@ IP6="${JIP}" MASK6="${JMASK}" - if [ -z "$MASK4" ] ; then MASK6="64"; fi + if [ -z "$MASK6" ] ; then MASK6="64"; fi fi @@ -126,13 +122,7 @@ fi -if [ -z "${HOST}" -o -z "$SOURCE" -o -z "${PORTS}" -o -z "${STARTUP}" ] -then - if [ -z "$HOST" ] ; then - echo "ERROR: Missing hostname!" - else - echo "ERROR: Missing required data!" - fi - - exit 6 +if [ -z "$HOST" ] ; then + echo "ERROR: Missing hostname!" + exit 6 fi @@ -168,9 +158,43 @@ # Check if we need to download the chroot file + +# +# If this is a pluginjail, we clone a regular freebsd chroot, then we +# bootstrap packageng, install the required packages that a pluginjail +# needs, then snapshot it. Once this is done, creating a pluginjail is +# as easy as doing a zfs clone. +# if [ "${PLUGINJAIL}" = "YES" -a ! -e "${WORLDCHROOT}" ] ; then - downloadpluginjail "${VERSION}" + if [ ! -e "${WORLDCHROOT_STANDARD}" ] ; then + downloadchroot "${WORLDCHROOT_STANDARD}" + fi + + isDirZFS "${JDIR}" + if [ $? -eq 0 ] ; then + tank=`getZFSTank "$JDIR"` + zfsp=`getZFSRelativePath "${WORLDCHROOT_STANDARD}"` + clonep="/$(basename ${WORLDCHROOT_PLUGINJAIL})" + + mnt=`getZFSMountpoint ${tank}` + pjdir="${mnt}${clonep}" + + zfs clone ${tank}${zfsp}@clean ${tank}${clonep} + if [ $? -ne 0 ] ; then exit_err "Failed creating clean ZFS pluginjail clone"; fi + + cp /etc/resolv.conf ${pjdir}/etc/resolv.conf + + bootstrap_pkgng "${pjdir}" "pluginjail" + + zfs snapshot ${tank}${clonep}@clean + if [ $? -ne 0 ] ; then exit_err "Failed creating clean ZFS pluginjail snapshot"; fi + + # We're on UFS :-( + else + downloadchroot "${WORLDCHROOT_STANDARD}" + + fi elif [ ! -e "${WORLDCHROOT}" -a "${LINUXJAIL}" != "YES" ] ; then - downloadchroot + downloadchroot "${WORLDCHROOT}" fi @@ -212,4 +236,10 @@ tar xvf ${WORLDCHROOT} -C "${JAILDIR}" 2>/dev/null fi + + # If this is a pluginjail on UFS :-( Do things the hard way. + if [ "${PLUGINJAIL}" = "YES" ] ; then + bootstrap_pkgng "${pjdir}" "pluginjail" + fi + echo "Done" fi @@ -286,8 +316,8 @@ if [ "${IP4}" != "OFF" ] ; then - echo "${IP4} ${HOST}" > "${JAILDIR}/etc/hosts" + echo "${IP4} ${HOST}" >> "${JAILDIR}/etc/hosts" fi if [ "${IP6}" != "OFF" ] ; then - echo "${IP6} ${HOST}" > "${JAILDIR}/etc/hosts" + echo "${IP6} ${HOST}" >> "${JAILDIR}/etc/hosts" sed -i '' "s|#ListenAddress ::|ListenAddress ${IP6}|g" ${JAILDIR}/etc/ssh/sshd_config fi @@ -298,5 +328,5 @@ fi # End of ARCHIVEFILE check -if [ "$STARTUP" = "YES" ] ; then +if [ "$AUTOSTART" = "YES" ] ; then touch "${JMETADIR}/autostart" fi @@ -314,5 +344,5 @@ bootstrap_pkgng "${JAILDIR}" if [ $? -ne 0 ] ; then - echo "You can manually re-try by running # warden bspkgng ${IP}" + echo "You can manually re-try by running # warden bspkgng ${JAILNAME}" fi fi @@ -332,5 +362,5 @@ # If we are auto-starting the jail, do it now -if [ "$STARTUP" = "YES" ] ; then warden start ${JAILNAME} ; fi +if [ "$AUTOSTART" = "YES" ] ; then warden start ${JAILNAME} ; fi echo "Success!" Index: src-sh/warden/scripts/backend/functions.sh =================================================================== --- src-sh/warden/scripts/backend/functions.sh (revision 60738f3411f3adc61c85518878cb329d8072e133) +++ src-sh/warden/scripts/backend/functions.sh (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) @@ -32,4 +32,11 @@ WTMP="$(grep ^WTMP: /usr/local/etc/warden.conf | cut -d' ' -f2)" export WTMP + +# FreeBSD release +FREEBSD_RELEASE="$(grep ^FREEBSD_RELEASE: /usr/local/etc/warden.conf | cut -d' ' -f2)" +if [ -z "${FREEBSD_RELEASE}" ] ; then + FREEBSD_RELEASE="$(uname -r)" +fi +export UNAME_r="${FREEBSD_RELEASE}" # Temp file for dialog responses @@ -110,7 +117,9 @@ ### Download the chroot downloadchroot() { + local CHROOT="${1}" + # XXX If this is PCBSD, pbreg get /PC-BSD/Version - SYSVER=`uname -r | cut -f1 -d'-'` - FBSD_TARBALL="fbsd-release.tbz" + SYSVER="$(echo "$(uname -r)" | cut -f1 -d'-')" + FBSD_TARBALL="fbsd-release.txz" FBSD_TARBALL_CKSUM="${FBSD_TARBALL}.md5" @@ -143,10 +152,10 @@ isDirZFS "${JDIR}" if [ $? -eq 0 ] ; then - local zfsp=`getZFSRelativePath "${WORLDCHROOT}"` + local zfsp=`getZFSRelativePath "${CHROOT}"` # Use ZFS base for cloning - echo "Creating ZFS ${WORLDCHROOT} dataset..." + echo "Creating ZFS ${CHROOT} dataset..." tank=`getZFSTank "${JDIR}"` - isDirZFS "${WORLDCHROOT}" "1" + isDirZFS "${CHROOT}" "1" if [ $? -ne 0 ] ; then zfs create -o mountpoint=/${tank}${zfsp} -p ${tank}${zfsp} @@ -154,5 +163,5 @@ fi - tar xvpf ${FBSD_TARBALL} -C ${WORLDCHROOT} 2>/dev/null + tar xvpf ${FBSD_TARBALL} -C ${CHROOT} 2>/dev/null if [ $? -ne 0 ] ; then exit_err "Failed extracting ZFS chroot environment"; fi @@ -162,5 +171,5 @@ else # Save the chroot tarball - mv ${FBSD_TARBALL} ${WORLDCHROOT} + mv ${FBSD_TARBALL} ${CHROOT} fi rm ${FBSD_TARBALL_CKSUM} @@ -695,41 +704,137 @@ } +install_pc_extractoverlay() +{ + if [ -z "${1}" ] ; then + return 1 + fi + + mkdir -p ${1}/usr/local/bin + mkdir -p ${1}/usr/local/share/pcbsd/conf + mkdir -p ${1}/usr/local/share/pcbsd/distfiles + + cp /usr/local/bin/pc-extractoverlay ${1}/usr/local/bin/ + chmod 755 ${1}/usr/local/bin/pc-extractoverlay + + cp /usr/local/share/pcbsd/conf/server-excludes \ + ${1}/usr/local/share/pcbsd/conf + cp /usr/local/share/pcbsd/distfiles/server-overlay.txz \ + ${1}/usr/local/share/pcbsd/distfiles + + return 0 +} + +make_bootstrap_pkgng_file_standard() +{ + local jaildir="${1}" + local outfile="${2}" + + local release="$(uname -r)" + local arch="$(uname -m)" + + get_mirror + local mirror="${VAL}" + +cat<<__EOF__>"${outfile}" +#!/bin/sh +tar xvf pkg.txz --exclude +MANIFEST --exclude +MTREE_DIRS 2>/dev/null +pkg add pkg.txz +rm pkg.txz + +echo "packagesite: ${mirror}/packages/${release}/${arch}" >/usr/local/etc/pkg.conf +echo "HTTP_MIRROR: http" >>/usr/local/etc/pkg.conf +echo "PUBKEY: /usr/local/etc/pkg-pubkey.cert" >>/usr/local/etc/pkg.conf +echo "PKG_CACHEDIR: /usr/local/tmp" >>/usr/local/etc/pkg.conf +pkg install -y pcbsd-utils +exit $? +__EOF__ +} + +make_bootstrap_pkgng_file_pluginjail() +{ + + local jaildir="${1}" + local outfile="${2}" + + local release="$(uname -r)" + local arch="$(uname -m)" + + get_mirror + local mirror="${VAL}" + + cp /usr/local/share/warden/pluginjail-packages "${jaildir}/pluginjail-packages" + +cat<<__EOF__>"${outfile}" +#!/bin/sh +tar xvf pkg.txz --exclude +MANIFEST --exclude +MTREE_DIRS 2>/dev/null +pkg add pkg.txz +rm pkg.txz + +mount -t devfs devfs /dev + +echo "packagesite: ${mirror}/packages/${release}/${arch}" >/usr/local/etc/pkg.conf +echo "HTTP_MIRROR: http" >>/usr/local/etc/pkg.conf +echo "PUBKEY: /usr/local/etc/pkg-pubkey.cert" >>/usr/local/etc/pkg.conf +echo "PKG_CACHEDIR: /usr/local/tmp" >>/usr/local/etc/pkg.conf +pkg install -y pcbsd-utils +__EOF__ + +echo ' +i=0 +count=`wc -l /pluginjail-packages| awk "{ print $1 }"` +for p in `cat /pluginjail-packages` +do + pkg install -y ${p} + : $(( i += 1 )) +done + +umount devfs +exit $? +' >> "${outfile}" +} + + bootstrap_pkgng() { - cd ${1} - SYSVER="$(uname -r)" + local jaildir="${1}" + local jailtype="${2}" + if [ -z "${jailtype}" ] ; then + jailtype="standard" + fi + local release="$(uname -r)" + local arch="$(uname -m)" + + local ffunc="make_bootstrap_pkgng_file_standard" + if [ "${jailtype}" = "pluginjail" ] ; then + ffunc="make_bootstrap_pkgng_file_pluginjail" + fi + + cd ${jaildir} echo "Boot-strapping pkgng" - mkdir -p ${1}/usr/local/etc - cp /usr/local/etc/pkg-pubkey.cert ${1}/usr/local/etc/ - if [ $? -ne 0 ] ; then - echo "Failed copying /usr/local/etc/pkg-pubkey.cert" - fi - - echo '#!/bin/sh - tar xvf pkg.txz --exclude +MANIFEST --exclude +MTREE_DIRS 2>/dev/null - pkg add pkg.txz - rm pkg.txz - ARCH=$(uname -m) - REL=$(uname -r) - echo "packagesite: http://ftp.pcbsd.org/pub/mirror/packages/$REL/$ARCH" >/usr/local/etc/pkg.conf - echo "PUBKEY: /usr/local/etc/pkg-pubkey.cert" >>/usr/local/etc/pkg.conf - echo "PKG_CACHEDIR: /usr/local/tmp" >>/usr/local/etc/pkg.conf - pkg install -y pcbsd-utils - exit $? -' > ${1}/bootstrap-pkgng - chmod 755 ${1}/bootstrap-pkgng + + mkdir -p ${jaildir}/usr/local/etc + pubcert="/usr/local/etc/pkg-pubkey.cert" + + cp "${pubcert}" ${jaildir}/usr/local/etc + install_pc_extractoverlay "${jaildir}" + + ${ffunc} "${jaildir}" "${jaildir}/bootstrap-pkgng" + chmod 755 "${jaildir}/bootstrap-pkgng" if [ -e "pkg.txz" ] ; then rm pkg.txz ; fi - get_file_from_mirrors "/packages/${SYSVER}/${ARCH}/Latest/pkg.txz" "pkg.txz" + get_file_from_mirrors "/packages/${release}/${arch}/Latest/pkg.txz" "pkg.txz" if [ $? -eq 0 ] ; then - chroot ${1} /bootstrap-pkgng + chroot ${jaildir} /bootstrap-pkgng if [ $? -eq 0 ] ; then - rm ${1}/bootstrap-pkgng - chroot ${1} pc-extractoverlay server --sysinit + rm -f "${jaildir}/bootstrap-pkgng" + rm -f "${jaildir}/pluginjail-packages" + chroot ${jaildir} pc-extractoverlay server --sysinit return 0 fi fi + echo "Failed boot-strapping PKGNG, most likely cause is internet connection failure." - rm ${1}/bootstrap-pkgng + rm -f "${jaildir}/bootstrap-pkgng" + rm -f "${jaildir}/pluginjail-packages" return 1 } @@ -746,4 +851,25 @@ ${jexec} ifconfig "${iface}" | grep -qw inet 2>/dev/null + return $? +} + +ipv4_address_configured() +{ + local iface="${1}" + local addr="${2}" + local jid="${3}" + local jexec= + + addr="$(echo ${addr}|cut -f1 -d'/')" + + if [ -n "${jid}" ] ; then + jexec="jexec ${jid}" + fi + + ${jexec} ifconfig "${iface}" | \ + grep -w inet | \ + awk '{ print $2 }' | \ + grep -Ew "^${addr}" >/dev/null 2>&1 + return $? } @@ -759,3 +885,86 @@ ${jexec} ifconfig "${iface}" | grep -qw inet6 2>/dev/null -} + return $? +} + +ipv6_address_configured() +{ + local iface="${1}" + local addr="${2}" + local jid="${3}" + local jexec= + + addr="$(echo ${addr}|cut -f1 -d'/')" + + if [ -n "${jid}" ] ; then + jexec="jexec ${jid}" + fi + + ${jexec} ifconfig "${iface}" | \ + grep -w inet6 | \ + awk '{ print $2 }' | \ + grep -Ew "^${addr}" >/dev/null 2>&1 + return $? +} + +get_ipfw_nat_instance() +{ + local iface="${1}" + local res=1 + + if [ -z "${iface}" ] ; then + local instance="`ipfw list|egrep '[0-9]+ nat'|awk '{ print $3 }'|tail -1`" + if [ -z "${instance}" ] ; then + instance="100" + else + : $(( instance += 100 )) + fi + echo "${instance}" + return 0 + fi + + for ni in `ipfw list|egrep '[0-9]+ nat'|awk '{ print $3 }'` + do + ipfw nat "${ni}" show config|egrep -qw "${iface}" + if [ "$?" = "0" ] ; then + echo "${ni}" + res=0 + break + fi + done + + return ${res} +} + +get_ipfw_nat_priority() +{ + local iface="${1}" + local res=1 + + if [ -z "${iface}" ] ; then + local priority="`ipfw list|egrep '[0-9]+ nat'|awk '{ print $1 }'|tail -1`" + if [ -z "${priority}" ] ; then + priority=2000 + fi + printf "%05d\n" "${priority}" + return 0 + fi + + local IFS=' +' + for rule in `ipfw list|egrep '[0-9]+ nat'` + do + local priority="`echo "${rule}"|awk '{ print $1 }'`" + local ni="`echo "${rule}"|awk '{ print $3 }'`" + + ipfw nat "${ni}" show config|egrep -qw "${iface}" + if [ "$?" = "0" ] ; then + echo "${priority}" + res=0 + break + fi + done + + return ${res} +} + Index: src-sh/warden/scripts/backend/startjail.sh =================================================================== --- src-sh/warden/scripts/backend/startjail.sh (revision 0988d23ad27d05ccab63607eec517722ccdbdba5) +++ src-sh/warden/scripts/backend/startjail.sh (revision 17235d67e0eb528cffe1fd55a662fd77514f1b20) @@ -208,5 +208,6 @@ if ! ipv4_configured "${BRIDGE}" ; then ifconfig ${BRIDGE} inet "${BRIDGEIP4}" - else + + elif ! ipv4_address_configured "${BRIDGE}" "${BRIDGEIP4}" ; then ifconfig ${BRIDGE} inet alias "${BRIDGEIP4}" fi @@ -215,5 +216,7 @@ for _ip in ${BRIDGEIPS4} do - ifconfig ${BRIDGE} inet alias "${_ip}" + if ! ipv4_address_configured "${BRIDGE}" "${_ip}" ; then + ifconfig ${BRIDGE} inet alias "${_ip}" + fi done fi @@ -222,5 +225,6 @@ if ! ipv6_configured "${BRIDGE}" ; then ifconfig ${BRIDGE} inet6 "${BRIDGEIP6}" - else + + elif ! ipv6_address_configured "${BRIDGE}" "${BRIDGEIP6}" ; then ifconfig ${BRIDGE} inet6 alias "${BRIDGEIP6}" fi @@ -229,5 +233,7 @@ for _ip in ${BRIDGEIPS6} do - ifconfig ${BRIDGE} inet6 alias "${_ip}" + if ! ipv6_address_configured "${BRIDGE}" "${_ip}" ; then + ifconfig ${BRIDGE} inet6 alias "${_ip}" + fi done fi @@ -261,5 +267,7 @@ ipv4_configured ${EPAIRB} ${JID} if [ "$?" = "0" ] ; then - jexec ${JID} ifconfig ${EPAIRB} inet alias ${ip4} + if ! ipv4_address_configured "${EPAIRB}" "${ip4}" "${JID}" ; then + jexec ${JID} ifconfig ${EPAIRB} inet alias ${ip4} + fi else jexec ${JID} ifconfig ${EPAIRB} inet ${ip4} @@ -275,5 +283,7 @@ ipv6_configured ${EPAIRB} ${JID} if [ "$?" = "0" ] ; then - jexec ${JID} ifconfig ${EPAIRB} inet6 alias ${ip6} + if ! ipv6_address_configured "${EPAIRB}" "${ip6}" "${JID}" ; then + jexec ${JID} ifconfig ${EPAIRB} inet6 alias ${ip6} + fi else jexec ${JID} ifconfig ${EPAIRB} inet6 ${ip6} @@ -316,30 +326,44 @@ # with VIMAGE. # -sysctl net.inet.ip.forwarding=1 -sysctl net.inet6.ip6.forwarding=1 - -tmp_rcconf=`mktemp /tmp/.wdn.XXXXXX` - -egrep -v '^(firewall_(enable|type)|natd_(enable|interface|flags))' \ - /etc/rc.conf >> "${tmp_rcconf}" -cat<<__EOF__>>"${tmp_rcconf}" +ip_forwarding=`sysctl -n net.inet.ip.forwarding` +if [ "${ip_forwarding}" = "0" ] ; then + sysctl net.inet.ip.forwarding=1 +fi + +ip6_forwarding=`sysctl -n net.inet6.ip6.forwarding` +if [ "${ip6_forwarding}" = "0" ] ; then + sysctl net.inet6.ip6.forwarding=1 +fi + +firewall_enable=`egrep '^firewall_enable' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g'` +firewall_type=`egrep '^firewall_type' /etc/rc.conf|cut -f2 -d'='|sed 's|"||g'` + +if [ "${firewall_enable}" != "YES" -o "${firewall_type}" != "open" ] ; then + tmp_rcconf=`mktemp /tmp/.wdn.XXXXXX` + egrep -v '^firewall_(enable|type)' /etc/rc.conf >> "${tmp_rcconf}" + + cat<<__EOF__>>"${tmp_rcconf}" firewall_enable="YES" firewall_type="open" -natd_enable="YES" -natd_interface="${IFACE}" -natd_flags="-dynamic -m" __EOF__ -if [ -s "${tmp_rcconf}" ] ; then - cp /etc/rc.conf /var/tmp/rc.conf.bak - mv "${tmp_rcconf}" /etc/rc.conf - if [ "$?" != "0" ] ; then - mv /var/tmp/rc.conf.bak /etc/rc.conf - fi -fi - -ipfw list | grep -Eq '^00500 divert' 2>/dev/null -if [ "$?" != "0" ] ; then - /etc/rc.d/ipfw restart - ipfw -q add 00050 divert 8668 ip4 from any to any via ${IFACE} + + if [ -s "${tmp_rcconf}" ] ; then + cp /etc/rc.conf /var/tmp/rc.conf.bak + mv "${tmp_rcconf}" /etc/rc.conf + if [ "$?" != "0" ] ; then + mv /var/tmp/rc.conf.bak /etc/rc.conf + fi + fi + /etc/rc.d/ipfw forcerestart +fi + +instance=`get_ipfw_nat_instance "${IFACE}"` +if [ -z "${instance}" ] ; then +echo "NAT IS NULL" + priority=`get_ipfw_nat_priority` + instance=`get_ipfw_nat_instance` + + ipfw "${priority}" add nat "${instance}" all from any to any + ipfw nat "${instance}" config if "${IFACE}" reset fi