[Bug 256410] pf: Add pf_fallback_rules option
Date: Mon, 24 Jan 2022 22:55:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410
--- Comment #37 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:
URL: https://cgit.FreeBSD.org/src/commit/?id=fae2a8cad398518c473f67fc210206c6dac02610
commit fae2a8cad398518c473f67fc210206c6dac02610
Author: Thomas Steen Rasmussen <thomas@gibfest.dk>
AuthorDate: 2021-06-16 18:29:06 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-01-24 20:11:02 +0000
pf: fallback if $pf_rules fails to load
Support loading a default pf ruleset in case of invalid pf.conf.
If no pf rules are loaded pf will pass/allow all traffic, assuming the
kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
GENERIC.
In other words: if there's a typo in the main pf_rules we would allow
all traffic. The new default rules minimise the impact of this.
If $pf_program (i.e. pfctl) fails to set $pf_rules and
$pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if
set, or $pf_fallback_rules.
$pf_fallback_rules can include multiple rules, for example to permit
traffic on a management interface.
$pf_fallback_rules_enable defaults to "NO", preserving historic behaviour.
man page changes by ceri@.
PR: 256410
Reviewed by: donner, kp
Sponsored by: semaphor.dk
Differential Revision: https://reviews.freebsd.org/D30791
(cherry picked from commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43)
libexec/rc/rc.conf | 5 +++++
libexec/rc/rc.d/pf | 19 ++++++++++++++++++-
share/man/man5/rc.conf.5 | 36 ++++++++++++++++++++++++++++++++++++
3 files changed, 59 insertions(+), 1 deletion(-)
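The commit message above describes the load order (main ruleset, then the fallback file, then the inline fallback rules) but the page does not show the rc.d/pf script itself. The following is an added example, not the committed script: a POSIX sh reconstruction of that order using the rc.conf(5) variable names from the message. The return codes, the simplified YES check (the real script uses rc.subr's checkyesno), the management interface name "mgmt0" and the fallback ruleset text are this example's own assumptions; it also assumes that "pfctl -f -" reads a ruleset from standard input.

```shell
#!/bin/sh
# Added example: reconstruction of the pf_fallback_rules load order from the
# commit message, NOT the rc.d/pf code from commit fae2a8cad398.
# Variable names follow rc.conf(5); defaults mirror the message where stated.

pf_program="${pf_program:-pfctl}"
pf_rules="${pf_rules:-/etc/pf.conf}"
# Defaults to NO, i.e. historic behaviour: a typo in pf.conf leaves pf with
# no rules, which passes all traffic on a GENERIC (no PF_DEFAULT_TO_DROP) kernel.
pf_fallback_rules_enable="${pf_fallback_rules_enable:-NO}"
pf_fallback_rules_file="${pf_fallback_rules_file:-}"
# Constructed fallback ruleset (assumption): drop everything except SSH on a
# hypothetical management interface "mgmt0", so an admin can still get in.
pf_fallback_rules="${pf_fallback_rules:-block drop all
pass in quick on mgmt0 proto tcp to port 22 keep state}"

# Load $pf_rules; on failure fall back as the commit message describes.
# Returns 0 if the main ruleset loaded, 1 if the fallback ruleset loaded,
# 2 if nothing loaded (pf is then effectively pass-all on GENERIC).
pf_load_with_fallback() {
    if "$pf_program" -f "$pf_rules"; then
        return 0
    fi
    echo "pf: failed to load $pf_rules" >&2
    case "$pf_fallback_rules_enable" in
    [Yy][Ee][Ss]) ;;
    *)
        echo "pf: pf_fallback_rules_enable is not YES; no rules loaded" >&2
        return 2
        ;;
    esac
    if [ -n "$pf_fallback_rules_file" ]; then
        # File takes precedence over the inline rules.
        "$pf_program" -f "$pf_fallback_rules_file" && return 1
    else
        # Inline rules may span several lines; feed them on stdin.
        printf '%s\n' "$pf_fallback_rules" | "$pf_program" -f - && return 1
    fi
    echo "pf: fallback ruleset also failed to load" >&2
    return 2
}
```

Source the file and call pf_load_with_fallback to exercise it; a non-zero return means the main ruleset did not load, and 2 means the host is now running without rules. The cheaper check is still to validate the main file before it is ever loaded at boot, with `pfctl -nf /etc/pf.conf`, and to do the same for the fallback file, since a syntax error there reproduces exactly the pass-all condition the option exists to avoid.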