svn commit: r240642 - in head: share/man/man4 sys/conf sys/netpfil/pf
Gleb Smirnoff
glebius at FreeBSD.org
Tue Sep 18 11:07:20 UTC 2012
Author: glebius
Date: Tue Sep 18 11:07:19 2012
New Revision: 240642
URL: http://svn.freebsd.org/changeset/base/240642
Log:
Provide kernel compile time option to make pf(4) default rule to drop.
This is important to secure a small timeframe at boot time, when
network is already configured, but pf(4) is not yet.
PR: kern/171622
Submitted by: Olivier Cochard-Labbé <olivier cochard.me>
Modified:
head/share/man/man4/pf.4
head/sys/conf/NOTES
head/sys/conf/options
head/sys/netpfil/pf/pf_ioctl.c
Modified: head/share/man/man4/pf.4
==============================================================================
--- head/share/man/man4/pf.4 Tue Sep 18 10:54:56 2012 (r240641)
+++ head/share/man/man4/pf.4 Tue Sep 18 11:07:19 2012 (r240642)
@@ -28,7 +28,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd June 29 2012
+.Dd September 18 2012
.Dt PF 4
.Os
.Sh NAME
@@ -36,6 +36,7 @@
.Nd packet filter
.Sh SYNOPSIS
.Cd "device pf"
+.Cd "options PF_DEFAULT_TO_DROP"
.Sh DESCRIPTION
Packet filtering takes place in the kernel.
A pseudo-device,
@@ -94,6 +95,15 @@ Read only
.Xr sysctl 8
variables with matching names are provided to obtain current values
at runtime.
+.Sh KERNEL OPTIONS
+The following options in the kernel configuration file are related to
+.Nm
+operation:
+.Pp
+.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
+.It Dv PF_DEFAULT_TO_DROP
+Change default policy to drop by default
+.El
.Sh IOCTL INTERFACE
.Nm
supports the following
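Review bot: the .It Dv PF_DEFAULT_TO_DROP text "Change default policy to drop by default" says "default" twice and never tells the reader what the default policy is. Spell out that it is the built-in rule pf(4) applies to every packet that no rule in the loaded ruleset matches, so the option bites not only in the boot window named in the log but also whenever the ruleset is empty (after a failed load of /etc/pf.conf or a "pfctl -F rules") or simply lacks a catch-all rule. Something like: "Make the built-in default rule, which is applied to packets that match no rule in the loaded ruleset, block instead of pass." It is also worth stating that this is a compile-time setting with no sysctl to read back, since the preceding paragraph of the page talks about sysctl variables for the other tunables.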
Modified: head/sys/conf/NOTES
==============================================================================
--- head/sys/conf/NOTES Tue Sep 18 10:54:56 2012 (r240641)
+++ head/sys/conf/NOTES Tue Sep 18 11:07:19 2012 (r240642)
@@ -918,6 +918,8 @@ device lagg
# packets without touching the TTL). This can be useful to hide firewalls
# from traceroute and similar tools.
#
+# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything.
+#
# TCPDEBUG enables code which keeps traces of the TCP state machine
# for sockets with the SO_DEBUG option set, which can then be examined
# using the trpt(8) utility.
@@ -937,6 +939,7 @@ options IPFILTER_LOG #ipfilter logging
options IPFILTER_LOOKUP #ipfilter pools
options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPSTEALTH #support for stealth forwarding
+options PF_DEFAULT_TO_DROP #drop everything by default
options TCPDEBUG
options RADIX_MPATH
Modified: head/sys/conf/options
==============================================================================
--- head/sys/conf/options Tue Sep 18 10:54:56 2012 (r240641)
+++ head/sys/conf/options Tue Sep 18 11:07:19 2012 (r240642)
@@ -430,6 +430,7 @@ NCP
NETATALK opt_atalk.h
NFSLOCKD
PCBGROUP opt_pcbgroup.h
+PF_DEFAULT_TO_DROP opt_pf.h
RADIX_MPATH opt_mpath.h
ROUTETABLES opt_route.h
SLIP_IFF_OPTS opt_slip.h
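Review bot: mapping the option to opt_pf.h means only files that #include "opt_pf.h" see the define, and the pf_ioctl.c hunk below adds no such include, so the change relies on pf_ioctl.c already pulling that header in. Please confirm it does; if the include were missing the #ifdef would be silently false and the kernel would still default to pass, with no build error to flag it. Also worth checking is how a standalone pf.ko build (no KERNBUILDDIR) generates its opt_pf.h, since that path will not carry an option taken from the kernel configuration file.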
Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c Tue Sep 18 10:54:56 2012 (r240641)
+++ head/sys/netpfil/pf/pf_ioctl.c Tue Sep 18 11:07:19 2012 (r240642)
@@ -216,7 +216,11 @@ pfattach(void)
/* default rule should never be garbage collected */
V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+#ifdef PF_DEFAULT_TO_DROP
+ V_pf_default_rule.action = PF_DROP;
+#else
V_pf_default_rule.action = PF_PASS;
+#endif
V_pf_default_rule.nr = -1;
V_pf_default_rule.rtableid = -1;
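Review bot: the #ifdef fixes the action once in pfattach(), so the choice is baked into the kernel image and cannot be inspected or changed at runtime; reading a loader tunable here, with the compile-time option as its default, would give GENERIC users the same fail-closed behaviour without a rebuild and would give pf.4 something queryable to document. Two behavioural points belong in the log or in pf.4: V_pf_default_rule is the rule applied to any packet that no loaded rule matches, so with PF_DEFAULT_TO_DROP a ruleset without its own catch-all, or an empty ruleset after a flush or a failed load, blocks everything, loopback included unless it is skipped; and the default rule is only consulted while pf is enabled, so the boot window the log describes is closed from the moment "pfctl -e" runs, not from the moment the network interfaces come up. The PF_DROP branch itself is fine: nr, rtableid and the tqe_prev self-link are set identically on both paths and nothing else in the hunk depends on the action.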