git: a85c3ef7d801 - stable/14 - ipfilter: Disable ipfs(8) by default
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 05 Jan 2026 20:01:28 UTC
The branch stable/14 has been updated by cy:
URL: https://cgit.FreeBSD.org/src/commit/?id=a85c3ef7d80161da04241d275da804644cdc5347
commit a85c3ef7d80161da04241d275da804644cdc5347
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-11-16 07:39:19 +0000
Commit: Cy Schubert <cy@FreeBSD.org>
CommitDate: 2026-01-05 20:01:01 +0000
ipfilter: Disable ipfs(8) by default
At the moment ipfs(8) is a tool that can be easily abused. Though the
concept is sound the implementation needs some work.
ipfs(8) should be considered experimental at the moment.
This commit also makes ipfs support in the kernel optional.
Reviewed by: emaste, glebius
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53787
(cherry picked from commit 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5)
---
sbin/ipf/Makefile | 6 +++++-
share/mk/src.opts.mk | 1 +
sys/conf/NOTES | 1 +
sys/conf/options | 1 +
sys/modules/ipfilter/Makefile | 6 ++++++
sys/netpfil/ipfilter/netinet/ip_nat.c | 5 ++++-
sys/netpfil/ipfilter/netinet/ip_state.c | 4 ++++
tools/build/mk/OptionalObsoleteFiles.inc | 4 ++++
8 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
index 32cead444f77..b64b09584b48 100644
--- a/sbin/ipf/Makefile
+++ b/sbin/ipf/Makefile
@@ -1,6 +1,10 @@
+.include <src.opts.mk>
SUBDIR= libipf .WAIT
-SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool
+SUBDIR+= ipf ipfstat ipmon ipnat ippool
+.if ${MK_IPFILTER_IPFS} != "no"
+SUBDIR+= ipfs
+.endif
# XXX Temporarily disconnected.
# SUBDIR+= ipftest ipresend ipsend
SUBDIR_PARALLEL=
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
index 6395efc7469f..ee3784cecb4b 100644
--- a/share/mk/src.opts.mk
+++ b/share/mk/src.opts.mk
@@ -208,6 +208,7 @@ __DEFAULT_NO_OPTIONS = \
DTRACE_TESTS \
EXPERIMENTAL \
HESIOD \
+ IPFILTER_IPFS \
LOADER_VERBOSE \
LOADER_VERIEXEC_PASS_MANIFEST \
LLVM_ASSERTIONS \
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 7ce26cb76820..410b5e79fee1 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -1042,6 +1042,7 @@ options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_LOOKUP #ipfilter pools
options IPFILTER_DEFAULT_BLOCK #block all packets by default
+options IPFILTER_IPFS #enable experimental ipfs(8) support
options IPSTEALTH #support for stealth forwarding
options PF_DEFAULT_TO_DROP #drop everything by default
options TCPPCAP
diff --git a/sys/conf/options b/sys/conf/options
index 2becb1aaa7a3..6337eb14f6a4 100644
--- a/sys/conf/options
+++ b/sys/conf/options
@@ -450,6 +450,7 @@ IPFILTER opt_ipfilter.h
IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
IPFILTER_LOG opt_ipfilter.h
IPFILTER_LOOKUP opt_ipfilter.h
+IPFILTER_IPFS opt_ipfilter.h
IPFIREWALL opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_NAT opt_ipfw.h
diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile
index d2f32538b68b..969df7dfad84 100644
--- a/sys/modules/ipfilter/Makefile
+++ b/sys/modules/ipfilter/Makefile
@@ -1,3 +1,4 @@
+.include <src.opts.mk>
.PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet
@@ -10,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h
CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP
+
+.if ${MK_IPFILTER_IPFS} != "no"
+CFLAGS+= -DIPFILTER_IPFS
+.endif
+
#
# If you don't want log functionality remove -DIPFILTER_LOG
#
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
index a11eda2a6b85..4c7ede89d30e 100644
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1344,6 +1344,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);
break;
+#ifdef IPFILTER_IPFS
case SIOCSTLCK :
if (!(mode & FWRITE)) {
IPFERROR(60015);
@@ -1379,6 +1380,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
error = EACCES;
}
break;
+#endif /* IPFILTER_IPFS */
case SIOCGENITER :
{
@@ -1686,7 +1688,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n,
}
}
-
+#ifdef IPFILTER_IPFS
/* ------------------------------------------------------------------------ */
/* Function: ipf_nat_getsz */
/* Returns: int - 0 == success, != 0 is the error value. */
@@ -2254,6 +2256,7 @@ junkput:
}
return (error);
}
+#endif /* IPFILTER_IPFS */
/* ------------------------------------------------------------------------ */
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
index 88570273c588..bfb9b9eb19f3 100644
--- a/sys/netpfil/ipfilter/netinet/ip_state.c
+++ b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -713,6 +713,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
IPFOBJ_STATESTAT);
break;
+#ifdef IPFILTER_IPFS
/*
* Lock/Unlock the state table. (Locking prevents any changes, which
* means no packets match).
@@ -749,6 +750,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
}
error = ipf_state_getent(softc, softs, data);
break;
+#endif /* IPFILTER_IPFS */
case SIOCGENITER :
{
@@ -805,6 +807,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
}
+#ifdef IPFILTER_IPFS
/* ------------------------------------------------------------------------ */
/* Function: ipf_state_getent */
/* Returns: int - 0 == success, != 0 == failure */
@@ -1009,6 +1012,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
return (error);
}
+#endif /* IPFILTER_IPFS */
/* ------------------------------------------------------------------------ */
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
index 8b2688f7e626..72e86b99799f 100644
--- a/tools/build/mk/OptionalObsoleteFiles.inc
+++ b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -2684,6 +2684,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz
OLD_FILES+=usr/share/man/man8/ippool.8.gz
.endif
+.if ${MK_IPFILTER_IPFS} == no
+OLD_FILES+=sbin/ipfs
+.endif
+
.if ${MK_IPFW} == no
OLD_FILES+=etc/rc.d/ipfw
OLD_FILES+=etc/periodic/security/500.ipfwdenied