From: Robert Austen <robert.austen@willowglensystems.com>
To: Zhenlei Huang
Cc: freebsd-current@freebsd.org, freebsd-net@freebsd.org, Kristof Provost, Cy Schubert
Subject: Re: pfil_default_to_drop
Date: Wed, 9 Apr 2025 16:51:30 +0000
References: <274BB159-3CB5-49E0-84E7-A3F4B81BFDC1@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current


From: owner-freebsd-current@FreeBSD.org <owner-freebsd-current@FreeBSD.org> on behalf of Robert Austen <robert.austen@willowglensystems.com>
Sent: April 9, 2025 10:44 AM
To: Zhenlei Huang <zlei@FreeBSD.org>
Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>; Kristof Provost <kp@FreeBSD.org>; Cy Schubert <cy@freebsd.org>
Subject: Re: pfil_default_to_drop

"Maybe we also want a loader tunable to enable pf(4) on load"

Seems a complicated way to do a simple thing. imho.

Did you happen to look at my tiny patch?
There are already a bunch of macros (PFIL_HOOKED_IN, PFIL_HOOKED_OUT) defined depending on the inclusion of INET v4 or 6.
I just cloned them as ... _UNHOOKED_ ..., and made them the NOT of the HOOKED_ one, or FALSE when INET v4 or 6 is excluded
or if PFIL_DEFAULT_TO_DROP isn't defined.

Then wherever the existing PFIL_HOOKED_IN/OUT_46 macros are used, prior to calling the filter hook, I just
inserted a PFIL_UNHOOKED_IN/OUT_46 check, and a 'goto drop' instead of the 'goto passin/out' for the 7 occurrences
in if_gateway and the 3 in the NETINET code (ip_input, ip_output, ip_fastfwd) and the 4 in the NETINET6 code (same as netinet4 plus ip6_forward).

easy peasy.
I spend 10x more time messing with the kernel Makefile + CONF structure than with my changes lol.
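A user-space model of the fail-closed check described above, added here as an illustration; it is not the patch attached to the thread nor FreeBSD kernel code. The `model_*`/`MODEL_*` names are this model's own stand-ins for the pfil heads and the PFIL_HOOKED/UNHOOKED macros, and the build-time option is modelled as a runtime flag so a stock kernel and a PFIL_DEFAULT_TO_DROP kernel can be compared in one run.

```c
/*
 * User-space model of pfil's "nothing hooked yet" path (added example;
 * not the thread's patch or FreeBSD code).  MODEL_* names and the structs
 * are this model's stand-ins for the pfil heads and PFIL_HOOKED_* macros.
 */
#include <stdbool.h>
#include <stdio.h>

enum verdict { PASS = 0, DROP = 1 };
enum dir { DIR_IN, DIR_OUT };

/* A pfil head reduced to what matters here: how many filters registered. */
struct model_head {
    int nhooksin;
    int nhooksout;
};

/* The kernel config option from the thread, modelled as a runtime flag so
 * a default kernel and a PFIL_DEFAULT_TO_DROP kernel can be compared. */
struct model_kernel {
    bool pfil_default_to_drop;      /* options PFIL_DEFAULT_TO_DROP */
    struct model_head inet_head;    /* stand-in for the IPv4 head */
    struct model_head inet6_head;   /* stand-in for the IPv6 head */
};

/* Existing semantics: a head is "hooked" once a filter registered on it. */
#define MODEL_HOOKED_IN(h)   ((h)->nhooksin > 0)
#define MODEL_HOOKED_OUT(h)  ((h)->nhooksout > 0)

/* The cloned macros: NOT of HOOKED when the option is set, false otherwise,
 * so a kernel built without the option behaves exactly as before. */
#define MODEL_UNHOOKED_IN(k, h)  ((k)->pfil_default_to_drop && !MODEL_HOOKED_IN(h))
#define MODEL_UNHOOKED_OUT(k, h) ((k)->pfil_default_to_drop && !MODEL_HOOKED_OUT(h))

/* Stand-in for DIOCSTART (pfctl -e): pf registers on both heads, in and out.
 * Until this runs, PF_DEFAULT_TO_DROP has nothing to act on. */
static void model_pf_enable(struct model_kernel *k)
{
    k->inet_head.nhooksin++;
    k->inet_head.nhooksout++;
    k->inet6_head.nhooksin++;
    k->inet6_head.nhooksout++;
}

/*
 * The check inserted ahead of each hook call in ip_input/ip_output/ip6_*:
 * an unhooked head now means 'goto drop' instead of 'goto passin/passout'.
 * filter_verdict stands for whatever the registered filter would decide
 * (e.g. DROP for pf built with PF_DEFAULT_TO_DROP and an empty ruleset).
 */
static enum verdict model_pfil_run(const struct model_kernel *k,
                                   const struct model_head *h, enum dir d,
                                   enum verdict filter_verdict)
{
    bool hooked = (d == DIR_IN) ? MODEL_HOOKED_IN(h) : MODEL_HOOKED_OUT(h);
    bool unhooked = (d == DIR_IN) ? MODEL_UNHOOKED_IN(k, h)
                                  : MODEL_UNHOOKED_OUT(k, h);

    if (unhooked)
        return DROP;            /* new: fail closed while nothing is hooked */
    if (!hooked)
        return PASS;            /* original: no filter, packet goes through */
    return filter_verdict;      /* hand the packet to the registered filter */
}

/* Wrappers mirroring two of the call sites the thread lists. */
static enum verdict model_ip_input(const struct model_kernel *k, enum verdict v)
{
    return model_pfil_run(k, &k->inet_head, DIR_IN, v);
}
static enum verdict model_ip6_output(const struct model_kernel *k, enum verdict v)
{
    return model_pfil_run(k, &k->inet6_head, DIR_OUT, v);
}

int main(void)
{
    /* Scenario: pf.ko is loaded with PF_DEFAULT_TO_DROP, but pfctl failed,
     * so DIOCSTART never ran and no hook is registered. */
    struct model_kernel stock = { .pfil_default_to_drop = false };
    struct model_kernel hardened = { .pfil_default_to_drop = true };

    printf("stock kernel, pfctl failed:         ip_input -> %s\n",
           model_ip_input(&stock, DROP) == PASS ? "PASS" : "DROP");
    printf("PFIL_DEFAULT_TO_DROP, pfctl failed: ip_input -> %s\n",
           model_ip_input(&hardened, DROP) == PASS ? "PASS" : "DROP");

    model_pf_enable(&hardened);          /* pfctl -e finally succeeds */
    printf("PFIL_DEFAULT_TO_DROP, pf enabled:   ip_input -> %s\n",
           model_ip_input(&hardened, PASS) == PASS ? "PASS" : "DROP");
    return 0;
}
```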



From: Zhenlei Huang <zlei@FreeBSD.org>
Sent: April 9, 2025 1:48 AM
To: Robert Austen <robert.austen@willowglensystems.com>
Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>; Kristof Provost <kp@FreeBSD.org>; Cy Schubert <cy@freebsd.org>
Subject: Re: pfil_default_to_drop



On Apr 9, 2025, at 1:01 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:

> I respectfully disagree.
>
> PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, i.e. to apply any hooks.
> if pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.

Ahh, I see your problem. Yes, you're right. pf(4) requires ioctl ( DIOCSTART ) or netlink command to enable it.

@Kristof Maybe we also want a loader tunable to enable pf(4) on load ?


> consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be,
> assuming there even is one. thus PF_DEFAULT_TO_DROP has zero effect (and likewise the equivalents from the other filters).

As for ipfw(4), by default it enables filtering on load, unless you disable it via loader tunable `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw`.

The compile option IPFIREWALL_DEFAULT_TO_ACCEPT or loader tunable `net.inet.ip.fw.default_to_accept` controls the default behavior to drop or accept.

See also https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd .

> as I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP,
> because it handles ALL of the 'no filter installed (yet)' cases. if PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all,
> so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.

It appears ipf(4) unconditionally enables filtering on load, and does not have any tunables to control that. CC @Cy who is more familiar with ipf(4).


thanks!

From: Zhenlei Huang <zlei@FreeBSD.org>
Sent: April 7, 2025 7:55 PM
To: Robert Austen <robert.austen@willowglensystems.com>
Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>; Kristof Provost <kp@FreeBSD.org>
Subject: Re: pfil_default_to_drop



On Apr 8, 2025, at 6:36 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:

> From: Robert Austen
> Sent: April 7, 2025 4:33 PM
> To: freebsd-current@freebsd.org; freebsd-net@freebsd.org
> Subject: Fw: pfil_default_to_drop
>
> From: Robert Austen
> Sent: April 7, 2025 4:21 PM
> To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
> Subject: pfil_default_to_drop
 
> Hello,
> I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.
>
> I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard
> to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.

Hi Robert,

So why not define the compile option PF_DEFAULT_TO_DROP, and preload pf.ko ( via the loader(8), /boot/loader.conf ) ?

With 13.5, or upcoming 14.3 ( you can also experiment latest stable/14 ), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko.

See also https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd .


> After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc
> or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no
> filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination. So my thought
> was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the
> IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the
> hooks are unhooked.

If no firewalls are loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.


> [No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them,
> maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]
>
> Normally I'm an embedded linux kernel basher.
> I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,
> so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her
> if I could...
>
> I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...
> I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,
> but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.
>
> But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.
>
> thanks!
>
> Robert




> <FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>



[Attachment: FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip (application/x-zip-compressed, 3358 bytes)]