git: cb162f659578 - stable/13 - pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop'
Date: Mon, 27 Jan 2025 18:36:08 UTC
The branch stable/13 has been updated by zlei:
URL: https://cgit.FreeBSD.org/src/commit/?id=cb162f6595789590c79a1a5da144cb6595e71b3d
commit cb162f6595789590c79a1a5da144cb6595e71b3d
Author:     Zhenlei Huang <zlei@FreeBSD.org>
AuthorDate: 2023-09-22 10:05:02 +0000
Commit:     Zhenlei Huang <zlei@FreeBSD.org>
CommitDate: 2025-01-27 18:32:59 +0000
    pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop'
    
    7f7ef494f11d introduced a compile-time option PF_DEFAULT_TO_DROP to make
    the pf(4) default rule drop. This change additionally exposes a vnet loader
    tunable 'net.pf.default_to_drop' so that users can change the default
    rule without re-compiling the pf(4) module.
    
    This change is similiar to that for IPFW [1].
    
    1. 5f17ebf94db5 Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable 'net.inet.ip.fw.default_to_accept'
    
    Reviewed by:    #network, kp
    MFC after:      2 weeks
    Relnotes:       yes
    Differential Revision:  https://reviews.freebsd.org/D39866
    
    (cherry picked from commit c531c1d1462c45f7ce5de4f9913226801f3073bd)
    (cherry picked from commit 3965be101c434437ce8819250e9e6b3e5c3d702e)
---
 share/man/man4/pf.4       |  4 ++++
 sys/netpfil/pf/pf_ioctl.c | 16 +++++++++++-----
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index b757376e0183..ccd9e2db0baf 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -87,6 +87,10 @@ Default value is 131072.
 Size of hash table that store source nodes.
 Should be power of 2.
 Default value is 32768.
+.It Va net.pf.default_to_drop
+This value overrides
+.Cd "options PF_DEFAULT_TO_DROP"
+from kernel configuration file.
 .El
 .Pp
 Read only
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 2ddb84642b7d..6fe84b1be489 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -188,6 +188,16 @@ SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(pf_filter_local), false,
     "Enable filtering for packets delivered to local network stack");
 
+#ifdef PF_DEFAULT_TO_DROP
+VNET_DEFINE_STATIC(bool, default_to_drop) = true;
+#else
+VNET_DEFINE_STATIC(bool, default_to_drop);
+#endif
+#define	V_default_to_drop VNET(default_to_drop)
+SYSCTL_BOOL(_net_pf, OID_AUTO, default_to_drop, CTLFLAG_RDTUN | CTLFLAG_VNET,
+    &VNET_NAME(default_to_drop), false,
+    "Make the default rule drop all packets.");
+
 static void		 pf_init_tagset(struct pf_tagset *, unsigned int *,
 			    unsigned int);
 static void		 pf_cleanup_tagset(struct pf_tagset *);
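Review bot: The new `default_to_drop` definition has no comment tying the compiled-in value to the tunable, and the sysctl description does not say that the value is consumed only once, when the vnet attaches (the second hunk, in `pfattach_vnet`), so a reader of the sysctl alone may expect a runtime toggle. A short comment above the `#ifdef` would settle this, e.g. `/* Default rule action: 'options PF_DEFAULT_TO_DROP' sets the compiled-in value, the net.pf.default_to_drop loader tunable overrides it per vnet; sampled once in pfattach_vnet(). */`. Because the default rule decides the fate of traffic no rule matches, the fail-open default when the option is absent is worth stating in the description as well, e.g. `"Make the default rule drop all packets (default: pass)"`. As far as I recall, the `false` argument to SYSCTL_BOOL is only used when the pointer argument is NULL, so with `&VNET_NAME(default_to_drop)` supplied the effective default comes from the VNET_DEFINE_STATIC initializer, consistent with the `filter_local` sysctl just above; worth a glance to confirm.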
@@ -319,11 +329,7 @@ pfattach_vnet(void)
 
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
-#ifdef PF_DEFAULT_TO_DROP
-	V_pf_default_rule.action = PF_DROP;
-#else
-	V_pf_default_rule.action = PF_PASS;
-#endif
+	V_pf_default_rule.action = V_default_to_drop ? PF_DROP : PF_PASS;
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;