Date: Thu, 13 Sep 2012 20:40:03 GMT
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/171622: Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
Message-ID: <201209132040.q8DKe351058299@red.freebsd.org>
Resent-Message-ID: <201209132050.q8DKo1q2058556@freefall.freebsd.org>
>Number: 171622
>Category: kern
>Synopsis: Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 13 20:50:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Olivier Cochard-Labbé
>Release: 9.1-RC1
>Organization: BSD Router Project
>Environment:
FreeBSD R1 9.1-RC1 FreeBSD 9.1-RC1 #0 r240390M: Thu Sep 13 12:50:12 CEST 2012 root@orange.bsdrp.net:/usr/obj/BSDRP.amd64/usr/local/BSDRP/FreeBSD/src/sys/amd64 amd64
>Description:
Here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new option to the kernel configuration file:

options PF_DEFAULT_TO_DROP

Without this option, with an empty pf.conf: all traffic is permitted.
With this option enabled, with an empty pf.conf: all traffic is dropped by default.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

--- sys/contrib/pf/net/pf_ioctl.c.orig 2012-09-06 15:47:47.000000000 +0200 +++ sys/contrib/pf/net/pf_ioctl.c 2012-09-06 15:56:16.000000000 +0200 @@ -386,7 +386,11 @@ /* default rule should never be garbage collected */ V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; + #ifdef PF_DEFAULT_TO_DROP + V_pf_default_rule.action = PF_DROP; + #else V_pf_default_rule.action = PF_PASS; + #endif V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1; @@ -473,7 +477,11 @@ /* default rule should never be garbage collected */ pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next; + #ifdef PF_DEFAULT_TO_DROP + pf_default_rule.action = PF_DROP; + #else pf_default_rule.action = PF_PASS; + #endif pf_default_rule.nr = -1; pf_default_rule.rtableid = -1; --- sys/conf/options.orig 2012-09-06 15:59:40.000000000 +0200 +++ sys/conf/options 2012-09-06 16:00:59.000000000 +0200 
@@ -426,6 +426,7 @@ NETATALK opt_atalk.h NFSLOCKD PCBGROUP opt_pcbgroup.h +PF_DEFAULT_TO_DROP opt_pf.h RADIX_MPATH opt_mpath.h ROUTETABLES opt_route.h SLIP_IFF_OPTS opt_slip.h --- sys/conf/NOTES.orig 2012-09-06 16:58:11.000000000 +0200 +++ sys/conf/NOTES 2012-09-06 16:14:47.000000000 +0200 @@ -916,6 +916,8 @@ # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. # +# PF_DEFAULT_TO_DROP causes the default rule (at boot) to deny everything. +# # TCPDEBUG enables code which keeps traces of the TCP state machine # for sockets with the SO_DEBUG option set, which can then be examined # using the trpt(8) utility. @@ -933,6 +935,7 @@ options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding +options PF_DEFAULT_TO_DROP #drop everything by default options TCPDEBUG # The MBUF_STRESS_TEST option enables options which create >Release-Note: >Audit-Trail: >Unformatted:
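Review bot: the new `#ifdef PF_DEFAULT_TO_DROP` in the first pf_ioctl.c hunk (the V_pf_default_rule initialisation) only sees the option if pf_ioctl.c includes opt_pf.h, which is the header the sys/conf/options hunk maps the option to; that include is not part of the diff, so confirm it is already present next to the other opt_*.h includes, and if it is not, add `#include "opt_pf.h"` there, otherwise the default action silently stays PF_PASS. Also check that `#ifdef`, `#else` and `#endif` start in column 0 as style(9) expects; the lines as extracted here show them with leading whitespace.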
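Review bot: the second pf_ioctl.c hunk repeats the same four-line `#ifdef`/`#else`/`#endif` block for the non-VIMAGE pf_default_rule path, so the two initialisation paths can drift apart if one is later edited. Consider choosing the action once near the top of the file, e.g. `#ifdef PF_DEFAULT_TO_DROP` / `#define PF_DEFAULT_ACTION PF_DROP` / `#else` with `PF_PASS`, and then assigning `pf_default_rule.action = PF_DEFAULT_ACTION;` in both places.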
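Review bot: the comment added in the first NOTES hunk, "causes the default rule (at boot) to deny everything", overstates the effect: pf's default rule is only consulted once pf has been enabled and a packet matches no rule in the loaded ruleset, so with pf compiled in but not enabled, or with a ruleset that matches the packet, the option changes nothing. Reword it along the lines of "PF_DEFAULT_TO_DROP makes the built-in default rule block packets that match no rule in the loaded ruleset (the default is to pass them), so an empty or flushed ruleset drops all traffic once pf is enabled", which also matches the "#drop everything by default" comment in the second NOTES hunk.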