From nobody Mon Jan 24 22:55:02 2022
Date: Mon, 24 Jan 2022 22:55:02 GMT
Message-Id: <202201242255.20OMt2kO028653@gitrepo.freebsd.org>
From: Kristof Provost
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: fae2a8cad398 - stable/13 - pf: fallback if $pf_rules fails to load
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: fae2a8cad398518c473f67fc210206c6dac02610

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=fae2a8cad398518c473f67fc210206c6dac02610

commit fae2a8cad398518c473f67fc210206c6dac02610
Author:     Thomas Steen Rasmussen
AuthorDate: 2021-06-16 18:29:06 +0000
Commit:     Kristof Provost
CommitDate: 2022-01-24 20:11:02 +0000

    pf: fallback if $pf_rules fails to load

    Support loading a default pf ruleset in case of invalid pf.conf.

    If no pf rules are loaded pf will pass/allow all traffic, assuming the
    kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
    GENERIC. In other words: if there's a typo in the main pf_rules we
    would allow all traffic. The new default rules minimise the impact of
    this.

    If $pf_program (i.e. pfctl) fails to set $pf_rules and
    $pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file
    if set, or $pf_fallback_rules. $pf_fallback_rules can include multiple
    rules, for example to permit traffic on a management interface.

    $pf_fallback_rules_enable defaults to "NO", preserving historic
    behaviour.

    man page changes by ceri@.

    PR:             256410
    Reviewed by:    donner, kp
    Sponsored by:   semaphor.dk
    Differential Revision:  https://reviews.freebsd.org/D30791

    (cherry picked from commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43)
--- libexec/rc/rc.conf | 5 +++++ libexec/rc/rc.d/pf | 19 ++++++++++++++++++- share/man/man5/rc.conf.5 | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 58865aae7753..c6f1a4d2b9c4 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf 
@@ -224,6 +224,11 @@ pf_rules="/etc/pf.conf" # rules definition file for pf (nonexistent # by default) pf_program="/sbin/pfctl" # where the pfctl program lives pf_flags="" # additional flags for pfctl +pf_fallback_rules_enable="NO" # fallback if loading ruleset fails +pf_fallback_rules="block drop log all" # rules to load on pf ruleset failure +#pf_fallback_rules="block drop log all +#pass quick on em4" # multi-rule +pf_fallback_rules_file="/etc/pf-fallback.conf" # rules file on ruleset failure pflog_enable="NO" # Set to YES to enable packet filter logging pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_program="/sbin/pflogd" # where the pflogd program lives diff --git a/libexec/rc/rc.d/pf b/libexec/rc/rc.d/pf index 1f7394007667..fa1b49643cc5 100755 --- a/libexec/rc/rc.d/pf +++ b/libexec/rc/rc.d/pf @@ -23,11 +23,28 @@ extra_commands="check reload resync" required_files="$pf_rules" required_modules="pf" +pf_fallback() +{ + warn "Unable to load $pf_rules." + + if ! checkyesno pf_fallback_rules_enable; then + return + fi + + if [ -f $pf_fallback_rules_file ]; then + warn "Loading fallback rules file: $pf_fallback_rules_file" + $pf_program -f "$pf_fallback_rules_file" $pf_flags + else + warn "Loading fallback rules: $pf_fallback_rules" + echo $pf_fallback_rules | $pf_program -f - $pf_flags + fi +} + pf_start() { check_startmsgs && echo -n 'Enabling pf' $pf_program -F all > /dev/null 2>&1 - $pf_program -f "$pf_rules" $pf_flags + $pf_program -f "$pf_rules" $pf_flags || pf_fallback if ! $pf_program -s info | grep -q "Enabled" ; then $pf_program -eq fi diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 883937a619ee..e3b05f75f641 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 
@@ -1000,6 +1000,42 @@ is set to these flags are passed to the .Xr pfctl 8 program when loading the ruleset. +.It Va pf_fallback_rules_enable +.Pq Vt bool +Set to +.Dq Li NO +by default. +Setting this to +.Dq Li YES +enables loading +.Va pf_fallback_rules_file +or +.Va pf_fallback_rules +in case of a problem when loading the ruleset in +.Va pf_rules . +.It Va pf_fallback_rules_file +.Pq Vt str +Path to a pf ruleset to load in case of failure when loading the +ruleset in +.Va pf_rules +(default +.Pa /etc/pf-fallback.conf ) . +.It Va pf_fallback_rules +.Pq Vt str +A pf ruleset to load in case of failure when loading the ruleset in +.Va pf_rules +and +.Va pf_fallback_rules_file +is not found. +Multiple rules can be set as follows: +.Bd -literal +pf_fallback_rules="\\ + block drop log all\\ + pass in quick on em0" +.Pp +.Ed +The default fallback rule is +.Dq block drop log all .It Va pflog_enable .Pq Vt bool Set to
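Review bot: in the libexec/rc/rc.conf hunk, the commented multi-rule example (`#pf_fallback_rules="block drop log all` / `#pass quick on em4"`) relies on the embedded newline reaching pfctl intact, but the rc.d/pf hunk in this same patch echoes the variable unquoted, so the two rules are joined onto one line and the example does not work as shown. Either fix the quoting in rc.d/pf or add a comment here that more than one rule should go into pf_fallback_rules_file. Two smaller points: the interface in this example (em4) differs from the one in the rc.conf.5 example (em0), and since `pf_fallback_rules_file` defaults to `/etc/pf-fallback.conf`, a comment should say that the file takes precedence over `pf_fallback_rules` whenever it exists.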
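Review bot: in the libexec/rc/rc.d/pf hunk, `echo $pf_fallback_rules | $pf_program -f - $pf_flags` expands the variable unquoted, so field splitting turns every embedded newline into a space and a multi-rule value reaches pfctl as a single line, which pfctl rejects as a syntax error. Because `pf_start` has already run `$pf_program -F all`, a failed fallback leaves pf enabled with an empty ruleset, which on GENERIC is pass-all, exactly what the commit message sets out to avoid. Use `printf '%s\n' "$pf_fallback_rules" | $pf_program -f - $pf_flags` instead. While here, quote the test `[ -f "$pf_fallback_rules_file" ]`, and check the exit status of both fallback loads (e.g. `|| warn "Unable to load fallback rules."`) so an unloadable fallback is reported by the script rather than only by pfctl's own error output.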
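Review bot: in the share/man/man5/rc.conf.5 hunk, the multi-rule example for `pf_fallback_rules` uses backslash-newline continuation inside a double-quoted string; sh removes `\<newline>` there, so the value the shell actually builds is the single line `block drop log all pass in quick on em0`, and pfctl will not parse two rules from one line. Show the value with a literal newline inside the quotes (as the rc.conf example does) or direct readers to `pf_fallback_rules_file` for more than one rule. Also, the `.Pp` immediately before `.Ed` inside the `.Bd -literal` block is stray and should be dropped, and the `pf_fallback_rules_file` entry should state that the file takes precedence over `pf_fallback_rules` whenever it exists, which is what rc.d/pf does.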
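An added example, not code from this patch or from FreeBSD: a POSIX sh model of the start-up sequence the commit message describes (flush, load $pf_rules, on failure load the fallback), run against a stub pfctl so it executes anywhere without pf. It feeds the inline fallback rules both the way the rc.d/pf hunk does (unquoted echo) and with the variable quoted, so you can see which form actually delivers two rules. Everything here is constructed: stub_pfctl only checks that each line is a single rule beginning with pass or block and is not a pf parser; pf_active stands in for the kernel's active ruleset; pf_result, feed_inline, pf_start_model and the rule files under $TMPDIR are invented for the demonstration.

```shell
#!/bin/sh
# Added example; not FreeBSD's rc.d/pf or pfctl.  Models "flush, load
# $pf_rules, on failure load the fallback" with a stub pfctl.

# pf_active stands in for the kernel's active ruleset.  Empty means no rules
# loaded, which on a GENERIC kernel (no PF_DEFAULT_TO_DROP) passes all traffic.
pf_active=""

# stub_pfctl -F all | -f FILE | -f -
# Constructed stand-in for pfctl: accepts a ruleset only if every non-blank,
# non-comment line is one rule starting with "pass" or "block" (a second
# action keyword on the same line is a syntax error, as it is for pfctl).
# Like pfctl, a failed load leaves the active ruleset untouched.
stub_pfctl() {
    case "$1" in
    -F) pf_active=""; return 0 ;;
    -f) ;;
    *)  echo "stub_pfctl: unsupported option: $1" >&2; return 2 ;;
    esac
    if [ "$2" = "-" ]; then
        input=$(cat)
    elif [ -r "$2" ]; then
        input=$(cat "$2")
    else
        echo "stub_pfctl: cannot open $2" >&2; return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
        ''|'#'*) continue ;;
        pass*|block*) ;;
        *) echo "stub_pfctl: syntax error: $line" >&2; return 1 ;;
        esac
        case "$line" in
        *' '*) rest=${line#* } ;;
        *)     rest= ;;
        esac
        case " $rest " in
        *' pass '*|*' block '*)
            echo "stub_pfctl: syntax error: $line" >&2; return 1 ;;
        esac
    done <<EOF
$input
EOF
    pf_active="$input"
    return 0
}

# How the inline rules reach pfctl's stdin.
#   unquoted: "echo $pf_fallback_rules" as in the rc.d/pf hunk; field
#             splitting turns the embedded newline into a space.
#   quoted:   printf '%s\n' "$pf_fallback_rules"; the newline survives.
feed_inline() {
    if [ "$1" = quoted ]; then
        printf '%s\n' "$pf_fallback_rules"
    else
        echo $pf_fallback_rules
    fi
}

# pf_start_model RULES_FILE MODE: the pf_start/pf_fallback logic of the patch.
# Sets pf_result to the ruleset active afterwards: main, file, inline, or
# none (pf would still be enabled, with an empty ruleset).
pf_start_model() {
    pf_result=none
    stub_pfctl -F all
    if stub_pfctl -f "$1" 2>/dev/null; then
        pf_result=main; return 0
    fi
    [ "$pf_fallback_rules_enable" = YES ] || return 1
    if [ -f "$pf_fallback_rules_file" ]; then
        stub_pfctl -f "$pf_fallback_rules_file" 2>/dev/null && pf_result=file
    else
        stub_pfctl -f - 2>/dev/null <<EOF && pf_result=inline
$(feed_inline "$2")
EOF
    fi
    [ "$pf_result" != none ]
}

# Constructed sample rulesets and rc.conf-style settings.
demo_dir=${TMPDIR:-/tmp}/pf-fallback-demo.$$
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir"
printf '%s\n' 'block drop log all' 'pass in quick on em0 proto tcp to port 22' > "$demo_dir/pf.conf"
printf '%s\n' 'block drop log all' 'pasz in quick on em0' > "$demo_dir/pf-typo.conf"   # the typo case

pf_fallback_rules_enable="YES"
pf_fallback_rules="block drop log all
pass in quick on em0"
pf_fallback_rules_file="$demo_dir/pf-fallback.conf"   # absent, so inline rules are used

for mode in unquoted quoted; do
    pf_start_model "$demo_dir/pf-typo.conf" "$mode" || :
    echo "typo in pf.conf, inline fallback fed $mode: active ruleset = $pf_result"
done
```

Run as-is it prints `active ruleset = none` for the unquoted feed and `active ruleset = inline` for the quoted one: with the variable unquoted, the two-rule fallback collapses to one line, the stub rejects it just as pfctl would, and because the flush already ran, nothing is loaded at all. Create the fallback file and the file branch wins regardless of the inline rules, which is the precedence rc.d/pf implements.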