Initialization infrastruture for pf. Based on initial patches

by ian@, and much input and mangling from theo.

src/etc/rc

@@ -1,4 +1,4 @@
-#	$OpenBSD: rc,v 1.175 2001/06/27 03:34:08 hin Exp $
+#	$OpenBSD: rc,v 1.176 2001/07/01 08:38:59 kjell Exp $
 
 # System startup script run by init on autoboot
 # or after single-user.
@@ -113,6 +113,10 @@ rm -f /fastboot		# XXX (root now writeable)
 echo 'setting tty flags'
 ttyflags -a
 
+if [ "X$pf" != X"NO" ]; then
+	echo "block in all\nblock out all" | pfctl -R - -e
+fi
+
 if [ -f /etc/sysctl.conf ]; then
 (
 	# delete comments and blank lines
@@ -128,6 +132,15 @@ fi
 echo 'starting network'
 . /etc/netstart
 
+if [ "X$pf" != X"NO" ]; then
+	if [ -f ${nat_rules} ]; then
+		pfctl -N ${nat_rules}
+	fi
+	if [ -f ${pf_rules} ]; then
+		pfctl -R ${pf_rules}
+	fi
+fi
+
 mount /usr >/dev/null 2>&1
 mount /var >/dev/null 2>&1
 

src/etc/rc.conf

@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-#	$OpenBSD: rc.conf,v 1.64 2001/06/27 03:44:38 hin Exp $
+#	$OpenBSD: rc.conf,v 1.65 2001/07/01 08:38:59 kjell Exp $
 
 # set these to "NO" to turn them off.  otherwise, they're used as flags
 routed_flags=NO		# for normal use: "-q"
@@ -49,6 +49,7 @@ nfs_server=NO		# see sysctl.conf for nfs client configuration
 lockd=NO
 gated=NO
 amd=NO
+pf=YES			# Packet filter / NAT
 portmap=YES		# almost always needed
 inetd=YES		# almost always needed
 check_quotas=YES	# NO may be desirable in some YP environments
@@ -76,6 +77,8 @@ amd_master=/etc/amd/master	# AMD 'master' map
 syslogd_flags=			# add more flags, ie. "-u -a /chroot/dev/log"
 named_user=named		# Named should not run as root unless necessary
 named_chroot=/var/named		# Where to chroot named if not empty
+pf_rules=/etc/pf.conf		# Packet filter rules file
+nat_rules=/etc/nat.conf		# NAT rules file
 afs_mount_point=/afs		# Mountpoint for AFS
 afs_device=/dev/xfs0		# Device used by afsd
 afsd_flags=-z			# Flags passed to afsd