git: fae2a8cad398 - stable/13 - pf: fallback if $pf_rules fails to load
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 24 Jan 2022 22:55:02 UTC
The branch stable/13 has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=fae2a8cad398518c473f67fc210206c6dac02610 commit fae2a8cad398518c473f67fc210206c6dac02610 Author: Thomas Steen Rasmussen <thomas@gibfest.dk> AuthorDate: 2021-06-16 18:29:06 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2022-01-24 20:11:02 +0000 pf: fallback if $pf_rules fails to load Support loading a default pf ruleset in case of invalid pf.conf. If no pf rules are loaded pf will pass/allow all traffic, assuming the kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in GENERIC. In other words: if there's a typo in the main pf_rules we would allow all traffic. The new default rules minimise the impact of this. If $pf_program (i.e. pfctl) fails to set $pf_fules and $pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if set, or $pf_fallback_rules. $pf_fallback_rules can include multiple rules, for example to permit traffic on a management interface. $pf_fallback_rules_enable defaults to "NO", preserving historic behaviour. man page changes by ceri@. PR: 256410 Reviewed by: donner, kp Sponsored by: semaphor.dk Differential Revision: https://reviews.freebsd.org/D30791 (cherry picked from commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43) --- libexec/rc/rc.conf | 5 +++++ libexec/rc/rc.d/pf | 19 ++++++++++++++++++- share/man/man5/rc.conf.5 | 36 ++++++++++++++++++++++++++++++++++++ 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 58865aae7753..c6f1a4d2b9c4 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf @@ -224,6 +224,11 @@ pf_rules="/etc/pf.conf" # rules definition file for pf (nonexistent # by default) pf_program="/sbin/pfctl" # where the pfctl program lives pf_flags="" # additional flags for pfctl +pf_fallback_rules_enable="NO" # fallback if loading ruleset fails +pf_fallback_rules="block drop log all" # rules to load on pf ruleset failure +#pf_fallback_rules="block drop log all +#pass quick on em4" # multi-rule +pf_fallback_rules_file="/etc/pf-fallback.conf" # rules file on ruleset failure pflog_enable="NO" # Set to YES to enable packet filter logging pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_program="/sbin/pflogd" # where the pflogd program lives diff --git a/libexec/rc/rc.d/pf b/libexec/rc/rc.d/pf index 1f7394007667..fa1b49643cc5 100755 --- a/libexec/rc/rc.d/pf +++ b/libexec/rc/rc.d/pf @@ -23,11 +23,28 @@ extra_commands="check reload resync" required_files="$pf_rules" required_modules="pf" +pf_fallback() +{ + warn "Unable to load $pf_rules." + + if ! checkyesno pf_fallback_rules_enable; then + return + fi + + if [ -f $pf_fallback_rules_file ]; then + warn "Loading fallback rules file: $pf_fallback_rules_file" + $pf_program -f "$pf_fallback_rules_file" $pf_flags + else + warn "Loading fallback rules: $pf_fallback_rules" + echo $pf_fallback_rules | $pf_program -f - $pf_flags + fi +} + pf_start() { check_startmsgs && echo -n 'Enabling pf' $pf_program -F all > /dev/null 2>&1 - $pf_program -f "$pf_rules" $pf_flags + $pf_program -f "$pf_rules" $pf_flags || pf_fallback if ! $pf_program -s info | grep -q "Enabled" ; then $pf_program -eq fi diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 883937a619ee..e3b05f75f641 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -1000,6 +1000,42 @@ is set to these flags are passed to the .Xr pfctl 8 program when loading the ruleset. +.It Va pf_fallback_rules_enable +.Pq Vt bool +Set to +.Dq Li NO +by default. +Setting this to +.Dq Li YES +enables loading +.Va pf_fallback_rules_file +or +.Va pf_fallback_rules +in case of a problem when loading the ruleset in +.Va pf_rules . +.It Va pf_fallback_rules_file +.Pq Vt str +Path to a pf ruleset to load in case of failure when loading the +ruleset in +.Va pf_rules +(default +.Pa /etc/pf-fallback.conf ) . +.It Va pf_fallback_rules +.Pq Vt str +A pf ruleset to load in case of failure when loading the ruleset in +.Va pf_rules +and +.Va pf_fallback_rules_file +is not found. +Multiple rules can be set as follows: +.Bd -literal +pf_fallback_rules="\\ + block drop log all\\ + pass in quick on em0" +.Pp +.Ed +The default fallback rule is +.Dq block drop log all .It Va pflog_enable .Pq Vt bool Set to