kern/171622: Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
Olivier Cochard-Labbé
olivier at cochard.me
Thu Sep 13 20:50:02 UTC 2012
>Number: 171622
>Category: kern
>Synopsis: Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 13 20:50:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Olivier Cochard-Labbé
>Release: 9.1-RC1
>Organization:
BSD Router Project
>Environment:
FreeBSD R1 9.1-RC1 FreeBSD 9.1-RC1 #0 r240390M: Thu Sep 13 12:50:12 CEST 2012 root at orange.bsdrp.net:/usr/obj/BSDRP.amd64/usr/local/BSDRP/FreeBSD/src/sys/amd64 amd64
>Description:
Here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new option to the kernel configuration file:
options PF_DEFAULT_TO_DROP
Without this option, with an empty pf.conf, all traffic is permitted.
With this option enabled, with an empty pf.conf, all traffic is dropped by default.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
--- sys/contrib/pf/net/pf_ioctl.c.orig 2012-09-06 15:47:47.000000000 +0200
+++ sys/contrib/pf/net/pf_ioctl.c 2012-09-06 15:56:16.000000000 +0200
@@ -386,7 +386,11 @@
/* default rule should never be garbage collected */
V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+ #ifdef PF_DEFAULT_TO_DROP
+ V_pf_default_rule.action = PF_DROP;
+ #else
V_pf_default_rule.action = PF_PASS;
+ #endif
V_pf_default_rule.nr = -1;
V_pf_default_rule.rtableid = -1;
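Review bot: the `#ifdef PF_DEFAULT_TO_DROP` in this hunk only takes effect if this translation unit includes `opt_pf.h`, the header that the `sys/conf/options` entry tells config(8) to write the define into; the hunk does not add such an include, so confirm that `pf_ioctl.c` already has `#include "opt_pf.h"` near the top. If it does not, the build succeeds and the kernel silently keeps `PF_PASS`, which is the worst failure mode for a fail-closed option. A quick functional check is to build with the option, run `pfctl -e` and `pfctl -Fr`, and verify that traffic is now blocked rather than passed. Since this is a compile-time choice, users of a stock kernel cannot get the behaviour without rebuilding; a loader tunable or sysctl that sets the same field at initialisation would be worth considering as a follow-up.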
@@ -473,7 +477,11 @@
/* default rule should never be garbage collected */
pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
+ #ifdef PF_DEFAULT_TO_DROP
+ pf_default_rule.action = PF_DROP;
+ #else
pf_default_rule.action = PF_PASS;
+ #endif
pf_default_rule.nr = -1;
pf_default_rule.rtableid = -1;
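Review bot: this is the non-VIMAGE copy of the same three-line change as the previous hunk, so the two initialisations now have to be kept in sync by hand. Consider defining the choice once near the top of the file and using it in both places, e.g. `#ifdef PF_DEFAULT_TO_DROP` / `#define PF_DEFAULT_ACTION PF_DROP` / `#else` with `PF_PASS`, so that a future change to the default cannot be applied to only one of the two paths.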
--- sys/conf/options.orig 2012-09-06 15:59:40.000000000 +0200
+++ sys/conf/options 2012-09-06 16:00:59.000000000 +0200
@@ -426,6 +426,7 @@
NETATALK opt_atalk.h
NFSLOCKD
PCBGROUP opt_pcbgroup.h
+PF_DEFAULT_TO_DROP opt_pf.h
RADIX_MPATH opt_mpath.h
ROUTETABLES opt_route.h
SLIP_IFF_OPTS opt_slip.h
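Review bot: the new entry keeps the alphabetical order of the list (between PCBGROUP and RADIX_MPATH) and routes the define to `opt_pf.h`; confirm that this is the header `pf_ioctl.c` actually includes rather than a global one, because the define is invisible to the `#ifdef` in the earlier hunks otherwise. On naming, the ipfilter counterpart visible in the NOTES hunk is `IPFILTER_DEFAULT_BLOCK` and pf's own keyword is "block", so `PF_DEFAULT_BLOCK` would be more consistent with both; whichever name is kept, the same spelling should appear in NOTES and in the pf(4) manual page, which this patch does not touch.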
--- sys/conf/NOTES.orig 2012-09-06 16:58:11.000000000 +0200
+++ sys/conf/NOTES 2012-09-06 16:14:47.000000000 +0200
@@ -916,6 +916,8 @@
# packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools.
#
+# PF_DEFAULT_TO_DROP causes the default rule (at boot) to deny everything.
+#
# TCPDEBUG enables code which keeps traces of the TCP state machine
# for sockets with the SO_DEBUG option set, which can then be examined
# using the trpt(8) utility.
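Review bot: "(at boot)" in the added comment is misleading. The default rule is not a boot-time setting; it is the rule pf applies whenever it is enabled and no rule in the loaded ruleset matches a packet, so it also governs what happens after `pfctl -Fr` or when a `pfctl -f` fails and leaves no ruleset loaded. Suggested wording: `# PF_DEFAULT_TO_DROP makes pf's built-in default rule block instead of pass,` / `# i.e. packets that match no rule in the loaded ruleset are dropped.` It is also worth stating that the option has no effect while pf is disabled (`pfctl -d`), since no filtering happens at all in that state.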
@@ -933,6 +935,7 @@
options IPFILTER_LOOKUP #ipfilter pools
options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPSTEALTH #support for stealth forwarding
+options PF_DEFAULT_TO_DROP #drop everything by default
options TCPDEBUG
# The MBUF_STRESS_TEST option enables options which create
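Review bot: the trailing comment `#drop everything by default` overstates the effect: nothing is dropped once a ruleset with a matching pass rule is loaded, and nothing is filtered while pf is disabled. Something like `#pf default rule blocks instead of passes` matches the neighbouring `IPFILTER_DEFAULT_BLOCK` comment and describes the actual behaviour. Adding the line to NOTES does mean the LINT build exercises the option, which is good; it should still be backed by a pf(4) manual page entry so that an administrator reading the firewall documentation, not only NOTES, learns that an empty ruleset on such a kernel is fail-closed.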
>Release-Note:
>Audit-Trail:
>Unformatted: