From owner-freebsd-bugs@FreeBSD.ORG Thu Sep 13 20:50:02 2012
Delivered-To: freebsd-bugs@hub.freebsd.org
Resent-Date: Thu, 13 Sep 2012 20:50:01 GMT
Resent-Message-Id: <201209132050.q8DKo1q2058556@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Olivier Cochard-Labbé
Message-Id: <201209132040.q8DKe351058299@red.freebsd.org>
Date: Thu, 13 Sep 2012 20:40:03 GMT
From: Olivier Cochard-Labbé
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/171622: Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file

>Number:         171622
>Category:       kern
>Synopsis:       Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 13 20:50:01 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Olivier Cochard-Labbé
>Release:        9.1-RC1
>Organization:   BSD Router Project
>Environment:
FreeBSD R1 9.1-RC1 FreeBSD 9.1-RC1 #0 r240390M: Thu Sep 13 12:50:12 CEST 2012 root@orange.bsdrp.net:/usr/obj/BSDRP.amd64/usr/local/BSDRP/FreeBSD/src/sys/amd64 amd64
>Description:
Here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new option to the kernel configuration file:

options PF_DEFAULT_TO_DROP

Without this option, with an empty pf.conf: all traffic is permitted.
With this option enabled, with an empty pf.conf: all traffic is dropped by default.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:

--- sys/contrib/pf/net/pf_ioctl.c.orig 2012-09-06 15:47:47.000000000 +0200 +++ sys/contrib/pf/net/pf_ioctl.c 2012-09-06 15:56:16.000000000 +0200 @@ -386,7 +386,11 @@ /* default rule should never be garbage collected */ V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; + #ifdef PF_DEFAULT_TO_DROP + V_pf_default_rule.action = PF_DROP; + #else V_pf_default_rule.action = PF_PASS; + #endif V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1;
@@ -473,7 +477,11 @@ /* default rule should never be garbage collected */ pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next; + #ifdef PF_DEFAULT_TO_DROP + pf_default_rule.action = PF_DROP; + #else pf_default_rule.action = PF_PASS; + #endif pf_default_rule.nr = -1; pf_default_rule.rtableid = -1; --- sys/conf/options.orig 2012-09-06 15:59:40.000000000 +0200 +++ sys/conf/options 2012-09-06 16:00:59.000000000 +0200 @@ -426,6 +426,7 @@ NETATALK opt_atalk.h NFSLOCKD PCBGROUP opt_pcbgroup.h +PF_DEFAULT_TO_DROP opt_pf.h RADIX_MPATH opt_mpath.h ROUTETABLES opt_route.h SLIP_IFF_OPTS opt_slip.h --- sys/conf/NOTES.orig 2012-09-06 16:58:11.000000000 +0200 +++ sys/conf/NOTES 2012-09-06 16:14:47.000000000 +0200 @@ -916,6 +916,8 @@ # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. # +# PF_DEFAULT_TO_DROP causes the default rule (at boot) to deny everything. +# # TCPDEBUG enables code which keeps traces of the TCP state machine # for sockets with the SO_DEBUG option set, which can then be examined # using the trpt(8) utility. @@ -933,6 +935,7 @@ options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding +options PF_DEFAULT_TO_DROP #drop everything by default options TCPDEBUG # The MBUF_STRESS_TEST option enables options which create >Release-Note: >Audit-Trail: >Unformatted:
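Review bot: in the pf_ioctl.c hunk at @@ -386,7 +386,11 @@, the `#ifdef PF_DEFAULT_TO_DROP` only takes effect if pf_ioctl.c includes opt_pf.h, which is the header the sys/conf/options entry routes the define to; the patch does not add that include, so please confirm the file already has `#include "opt_pf.h"`, otherwise the option is accepted by config(8) but the kernel silently keeps `PF_PASS`. A style point on the same hunk: the added directives are indented with the surrounding statements (`+ #ifdef PF_DEFAULT_TO_DROP`, `+ #else`, `+ #endif`); the rest of the pf sources keep preprocessor directives in column 0, so these should move there too.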
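Review bot: the second pf_ioctl.c hunk at @@ -473,7 +477,11 @@ repeats the identical four-line `#ifdef`/`#else`/`#endif` block for the non-`V_` `pf_default_rule` initialisation, so the policy decision now lives in two places that can drift apart. Defining the action once near the top of the file, e.g. `#ifdef PF_DEFAULT_TO_DROP` / `#define PF_DEFAULT_RULE_ACTION PF_DROP` / `#else ... PF_PASS`, and assigning that macro in both init paths would keep a single point of truth and shrink both hunks to a one-line change.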
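Review bot: the NOTES comment added at @@ -916,6 +916,8 @@, "causes the default rule (at boot) to deny everything", describes the option more narrowly than the code hunks implement it: they change only the initial value of the default rule's `action`, and nothing in the patch resets it when a ruleset is later loaded, so the drop default is also what decides any packet that no loaded rule matches, not just the empty-ruleset-at-boot case described in the PR. Please say that explicitly, use "drop" rather than "deny" (the action set is `PF_DROP`, a silent discard, and the options line below already says "drop everything by default"), and consider noting how an operator can tell which default a running kernel was built with, since the patch exposes nothing via sysctl or pfctl and an empty ruleset will behave oppositely on two otherwise identical systems.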
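For comparison with the kernel-level default the patch adds, here is the same default-deny policy expressed in userland, in /etc/pf.conf. This is an added example, not part of the PR or the patch; the interface name `em0` and the allowed services are assumptions for illustration.

```conf
# Added example (not from the PR): userland default-deny in /etc/pf.conf.
# "em0" and the permitted services are assumptions chosen for illustration.

# Never filter loopback.
set skip on lo0

# Default policy: drop anything no later rule matches. With PF_DEFAULT_TO_DROP
# compiled in this line is redundant; without it, it is the only thing that
# separates "ruleset loaded" from "pass everything".
block all

# Explicit allow list. pf evaluates rules last-match-wins (absent "quick"),
# so these later pass rules override "block all" for the traffic they name.
pass in  on em0 proto tcp from any to (em0) port ssh keep state
pass out on em0 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. The difference from the kernel option is the failure mode: this `block all` only exists once the file has parsed and loaded, whereas the compiled-in default rule decides whenever the ruleset is empty, which, per the PR's own description, means pass-everything on a kernel built without PF_DEFAULT_TO_DROP.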