git: a71abf38e2b4 - main - rc.firewall: Support on-disk lists

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Fri, 26 Jun 2026 14:40:15 UTC
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=a71abf38e2b46c02965f3224c62bb6ef1971996e

commit a71abf38e2b46c02965f3224c62bb6ef1971996e
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2026-06-26 14:38:53 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2026-06-26 14:38:53 +0000

    rc.firewall: Support on-disk lists
    
    For firewall_allowservices and firewall_trusted, if an element of the
    list looks like an absolute path, read the file, skipping comments and
    blank lines, and treat the first word on each line as an address or
    subnet to be added to the list.
    
    We should probably be using tables instead, but this is still an
    improvement over the status quo ante.
    
    MFC after:      1 week
    Relnotes:       yes
    Reviewed by:    allanjude
    Differential Revision:  https://reviews.freebsd.org/D57679
---
 libexec/rc/rc.conf     | 11 +++++++----
 libexec/rc/rc.firewall | 43 ++++++++++++++++++++++++++++++++-----------
 2 files changed, 39 insertions(+), 15 deletions(-)

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 6e70baccac98..ab92a464b133 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -183,11 +183,14 @@ firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
 				# for "simple" firewall.
 firewall_myservices=""		# List of ports/protocols on which this host
 				# offers services for "workstation" firewall.
-firewall_allowservices=""	# List of IPs which have access to
+firewall_allowservices=""	# List of IPs or subnets which have access to
 				# $firewall_myservices for "workstation"
-				# firewall.
-firewall_trusted=""		# List of IPs which have full access to this
-				# host for "workstation" firewall.
+				# firewall, or of files containing lists of
+				# IPs or subnets, one per line.
+firewall_trusted=""		# List of IPs or subnets which have full access
+				# to this host for "workstation" firewall, or
+				# of files containing lists of IPs or subnets,
+				# one per line.
 firewall_logdeny="NO"		# Set to YES to log default denied incoming
 				# packets for "workstation" firewall.
 firewall_nologports="135-139,445 1026,1027 1433,1434" # List of TCP/UDP ports
diff --git a/libexec/rc/rc.firewall b/libexec/rc/rc.firewall
index 65bf1cc54f85..f3e1ea116522 100644
--- a/libexec/rc/rc.firewall
+++ b/libexec/rc/rc.firewall
@@ -406,10 +406,14 @@ case ${firewall_type} in
 	#  firewall_myservices:		List of ports/protocols on which this
 	#				 host offers services.
 	#  firewall_allowservices:	List of IPv4 and/or IPv6 addresses
-	#				 that have access to
-	#				 $firewall_myservices.
+	#				 or subnets that have access to
+	#				 $firewall_myservices, or files
+	#				 containing such address or subnets,
+	#				 one per line.
 	#  firewall_trusted:		List of IPv4 and/or IPv6 addresses
-	#				 that have full access to this host.
+	#				 or subnets that have full access to
+	#				 this host, or files containing such
+	#				 addresses or subnets, one per line.
 	#				 Be very careful when setting this.
 	#				 This option can seriously degrade
 	#				 the level of protection provided by
@@ -467,25 +471,33 @@ case ${firewall_type} in
 	#       workstation won't be a problem.
 	#
 	for i in ${firewall_allowservices} ; do
+	  case $i in
+	  /*)
+	    grep '^[^#]' "$i"
+	    ;;
+	  *)
+	    echo "$i"
+	    ;;
+	  esac
+	done | while read i _; do
 	  for j in ${firewall_myservices} ; do
 	    case $j in
 	    [0-9A-Za-z]*/[Pp][Rr][Oo][Tt][Oo])
 	      ${fwcmd} add pass ${j%/[Pp][Rr][Oo][Tt][Oo]} from $i to me
-	    ;;
+	      ;;
 	    [0-9A-Za-z]*/[Tt][Cc][Pp])
 	      ${fwcmd} add pass tcp from $i to me ${j%/[Tt][Cc][Pp]}
-	    ;;
+	      ;;
 	    [0-9A-Za-z]*/[Uu][Dd][Pp])
 	      ${fwcmd} add pass udp from $i to me ${j%/[Uu][Dd][Pp]}
-	    ;;
+	      ;;
 	    *[0-9A-Za-z])
-	      echo "Consider using ${j}/tcp in firewall_myservices." \
-	        > /dev/stderr
+	      echo "Consider using ${j}/tcp in firewall_myservices." >&2
 	      ${fwcmd} add pass tcp from $i to me $j
-	    ;;
+	      ;;
 	    *)
-	      echo "Invalid port in firewall_myservices: $j" > /dev/stderr
-	    ;;
+	      echo "Invalid port in firewall_myservices: $j" >&2
+	      ;;
 	    esac
 	  done
 	done
@@ -494,6 +506,15 @@ case ${firewall_type} in
 	# Playing with the content of firewall_trusted could seriously
 	# degrade the level of protection provided by the firewall.
 	for i in ${firewall_trusted} ; do
+	  case $i in
+	  /*)
+	    grep '^[^#]' "$i"
+	    ;;
+	  *)
+	    echo "$i"
+	    ;;
+	  esac
+	done | while read i _ ; do
 	  ${fwcmd} add pass ip from $i to me
 	done