[Bug 256410] pf: Add pf_fallback_rules option

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 08 Jul 2021 14:23:25 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410

--- Comment #36 from commit-hook_at_FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/src/commit/?id=28f47a199cfd8749ab30a0327b0a3f8977ec2b43

commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43
Author:     Thomas Steen Rasmussen <thomas_at_gibfest.dk>
AuthorDate: 2021-06-16 18:29:06 +0000
Commit:     Kristof Provost <kp_at_FreeBSD.org>
CommitDate: 2021-07-08 12:22:04 +0000

    pf: fallback if $pf_rules fails to load

    Support loading a default pf ruleset in case of invalid pf.conf.

    If no pf rules are loaded pf will pass/allow all traffic, assuming the
    kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
    GENERIC.

    In other words: if there's a typo in the main pf_rules we would allow
    all traffic. The new default rules minimise the impact of this.

    If $pf_program (i.e. pfctl) fails to set $pf_rules and
    $pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if
    set, or $pf_fallback_rules.

    $pf_fallback_rules can include multiple rules, for example to permit
    traffic on a management interface.

    $pf_fallback_rules_enable defaults to "NO", preserving historic behaviour.

    man page changes by ceri_at_.

    PR:             256410
    Reviewed by:    donner, kp
    Sponsored by:   semaphor.dk
    Differential Revision:  https://reviews.freebsd.org/D30791

 libexec/rc/rc.conf       |  5 +++++
 libexec/rc/rc.d/pf       | 19 ++++++++++++++++++-
 share/man/man5/rc.conf.5 | 38 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 60 insertions(+), 2 deletions(-)

Received on Thu Jul 08 2021 - 14:23:25 UTC
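The fallback behaviour the commit message describes, as an added example and not the committed libexec/rc/rc.d/pf script: a POSIX sh function that tries $pf_rules, and only if that fails and $pf_fallback_rules_enable is set loads $pf_fallback_rules_file or, when that is empty, the inline $pf_fallback_rules via `pfctl -f -`. Variable names follow the commit message; `fake_pfctl`, the file names and the em0 management rule are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example mirroring the commit's fallback logic; not FreeBSD's rc.d/pf.
pf_rules="${pf_rules:-/etc/pf.conf}"
pf_fallback_rules_enable="${pf_fallback_rules_enable:-NO}"
pf_fallback_rules_file="${pf_fallback_rules_file:-}"
pf_fallback_rules="${pf_fallback_rules:-block drop log all}"
# Normally pfctl; defaults to the constructed stand-in below for offline runs.
pf_program="${pf_program:-fake_pfctl}"

# Constructed stand-in for "pfctl -f <file>": any path containing "broken"
# fails to parse, "-" reads the ruleset from stdin, anything else loads.
fake_pfctl() {
    [ "$1" = "-f" ] || return 1
    case "$2" in
    *broken*) return 1 ;;
    -)        [ -n "$(cat)" ] ;;
    *)        : ;;
    esac
}

# Load the main ruleset; on failure load the fallback only when enabled.
# Sets pf_loaded to main, fallback-file, fallback-inline or none and returns
# 0 when some ruleset is in place, 1 when none is (on a GENERIC kernel pf
# then passes all traffic, which is the exposure the commit addresses).
pf_load_rules() {
    pf_loaded=none
    if "$pf_program" -f "$pf_rules"; then
        pf_loaded=main
        return 0
    fi
    echo "Unable to load $pf_rules, checking fallback" >&2
    case "$pf_fallback_rules_enable" in   # same spellings rc.subr's checkyesno accepts
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) ;;
    *) return 1 ;;
    esac
    if [ -n "$pf_fallback_rules_file" ]; then
        if "$pf_program" -f "$pf_fallback_rules_file"; then
            pf_loaded=fallback-file
        fi
    elif printf '%s\n' "$pf_fallback_rules" | "$pf_program" -f -; then
        pf_loaded=fallback-inline   # several newline-separated rules work here
    fi
    [ "$pf_loaded" != none ]
}

# Demonstration: broken main ruleset, fallback that still admits SSH on em0.
pf_rules=/etc/pf.conf.broken
pf_fallback_rules_enable=YES
pf_fallback_rules="block drop log all
pass in quick on em0 proto tcp to port 22"
pf_load_rules || true
echo "ruleset in place: $pf_loaded"
```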
