[Bug 256410] pf: Add pf_fallback_rules option
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 08 Jul 2021 14:23:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410 --- Comment #36 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=28f47a199cfd8749ab30a0327b0a3f8977ec2b43 commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43 Author: Thomas Steen Rasmussen <thomas@gibfest.dk> AuthorDate: 2021-06-16 18:29:06 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-07-08 12:22:04 +0000 pf: fallback if $pf_rules fails to load Support loading a default pf ruleset in case of invalid pf.conf. If no pf rules are loaded pf will pass/allow all traffic, assuming the kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in GENERIC. In other words: if there's a typo in the main pf_rules we would allow all traffic. The new default rules minimise the impact of this. If $pf_program (i.e. pfctl) fails to set $pf_fules and $pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if set, or $pf_fallback_rules. $pf_fallback_rules can include multiple rules, for example to permit traffic on a management interface. $pf_fallback_rules_enable defaults to "NO", preserving historic behaviour. man page changes by ceri@. PR: 256410 Reviewed by: donner, kp Sponsored by: semaphor.dk Differential Revision: https://reviews.freebsd.org/D30791 libexec/rc/rc.conf | 5 +++++ libexec/rc/rc.d/pf | 19 ++++++++++++++++++- share/man/man5/rc.conf.5 | 38 +++++++++++++++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 2 deletions(-) -- You are receiving this mail because: You are the assignee for the bug.