From: Cy Schubert
To: Robert Austen
Cc: Zhenlei Huang, freebsd-current@freebsd.org, freebsd-net@freebsd.org, Kristof Provost, Cy Schubert
Subject: Re: pfil_default_to_drop
Date: Wed, 09 Apr 2025 09:51:18 -0700
Message-Id: <20250409165118.93B072B@slippy.cwsent.com>
Comments: In-reply-to Robert Austen message dated "Wed, 09 Apr 2025 16:44:17 -0000."
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

In message , Robert Austen writes:
> "Maybe we also want a loader tunable to enable pf(4) on load"
>
> Seems a complicated way to do a simple thing. imho.
>
> Did you happen to look at my tiny patch?
> There are already a bunch of macros (PFIL_HOOKED_IN, PFIL_HOOKED_OUT) defined depending on the inclusion of INET v4 or 6.
> I just cloned them as ... _UNHOOKED_ ..., and made them the NOT of the HOOKED_ one, or FALSE when INET v4 or 6 is excluded
> or if PFIL_DEFAULT_TO_DROP isn't defined.
>
> Then wherever the existing PFIL_HOOKED_IN/OUT_46 macros are used, prior to calling the filter hook, I just
> inserted a PFIL_UNHOOKED_IN/OUT_46 check, and a 'goto drop' instead of the 'goto passin/out' for the 7 occurrences
> in if_gateway and the 3 in the NETINET code (ip_input, ip_output, ip_fastfwd) and the 4 in the NETINET6 code (same as netinet4 plus ip6_forward).
>
> easy peasy.

Easy? Patches please.

> I spend 10x more time messing with the kernel Makefile + CONF structure than with my changes lol.

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

	e^(i*pi)+1=0

>
> ________________________________
> From: Zhenlei Huang
> Sent: April 9, 2025 1:48 AM
> To: Robert Austen
> Cc: freebsd-current@freebsd.org; freebsd-net@freebsd.org; Kristof Provost; Cy Schubert
> Subject: Re: pfil_default_to_drop
>
> On Apr 9, 2025, at 1:01 AM, Robert Austen wrote:
>
> I respectfully disagree.
>
> PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, i.e. to apply any hooks.
> if pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.
>
> Ahh, I see your problem. Yes, you're right. pf(4) requires ioctl ( DIOCSTART ) or netlink command to enable it.
>
> @Kristof Maybe we also want a loader tunable to enable pf(4) on load ?
>
> consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be,
> assuming there even is one. thus PF_DEFAULT_TO_DROP has zero effect (and likewise the equivalents from the other filters).
>
> As for ipfw(4), by default it enables filtering on load, unless you disable it via loader tunable `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw`.
>
> The compile option IPFIREWALL_DEFAULT_TO_ACCEPT or loader tunable `net.inet.ip.fw.default_to_accept` controls the default behavior to drop or accept.
> See also https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd .
>
> as I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP,
> because it handles ALL of the 'no filter installed (yet)' cases. if PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all,
> so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.
>
> It appears ipf(4) unconditionally enables filtering on load, and does not have any tunables to control that. CC @Cy who is more familiar with ipf(4).
>
> thanks!
> ________________________________
> From: Zhenlei Huang
> Sent: April 7, 2025 7:55 PM
> To: Robert Austen
> Cc: freebsd-current@freebsd.org; freebsd-net@freebsd.org; Kristof Provost
> Subject: Re: pfil_default_to_drop
>
> On Apr 8, 2025, at 6:36 AM, Robert Austen wrote:
>
> ________________________________
> From: Robert Austen
> Sent: April 7, 2025 4:33 PM
> To: freebsd-current@freebsd.org; freebsd-net@freebsd.org
> Subject: Fw: pfil_default_to_drop
>
> ________________________________
> From: Robert Austen
> Sent: April 7, 2025 4:21 PM
> To: freebsd-current@freebsd.org
> Subject: pfil_default_to_drop
>
> Hello,
> I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.
>
> I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard
> to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.
>
> Hi Robert,
>
> So why not define the compile option PF_DEFAULT_TO_DROP, and preload pf.ko ( via the loader(8), /boot/loader.conf ) ?
>
> With 13.5, or upcoming 14.3 ( you can also experiment with latest stable/14 ), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko.
> See also https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd .
>
> After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc
> or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no
> filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination. So my thought
> was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the
> IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the
> hooks are unhooked.
>
> If no firewalls are loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.
>
> [No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them,
> maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]
>
> Normally I'm an embedded Linux kernel basher.
> I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,
> so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her
> if I could...
>
> I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...
> I've simply diff -rdpNU 5 a copy of the @old folder with a copy of the @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,
> but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.
>
> But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.
>
> thanks!
>
> Robert
portant; text-overflow:revert!important; text-transform:revert!important; t= > op:revert!important; vertical-align:revert!important; visibility:revert!imp= > ortant; white-space:revert!important; word-break:revert!important; word-spa= > cing:revert!important; writing-mode:revert!important; zoom:revert!important= > ; width:541px; background-color:rgb(234,234,234)!important; padding:7px 5px= > 7px 15px!important; font-family:wf_segoe-ui_normal,"Segoe UI",&q= > uot;Segoe WP",Tahoma,Arial,sans-serif!important; font-size:12px!import= > ant; font-weight:normal!important; color:rgb(33,33,33)!important; text-alig= > n:left!important; word-wrap:break-word!important; background-position:rever= > t!important; background-repeat:revert!important"> >
:revert!important; background-attachment:revert!important; background-origi= > n:revert!important; background-clip:revert!important; background-color:reve= > rt!important; border:revert!important; bottom:revert!important; color:rever= > t!important; direction:revert!important; display:revert!important; font-siz= > e:revert!important; height:revert!important; letter-spacing:revert!importan= > t; line-height:revert!important; margin:revert!important; opacity:revert!im= > portant; order:revert!important; outline:revert!important; overflow:revert!= > important; padding:revert!important; position:revert!important; tab-size:re= > vert!important; table-layout:revert!important; text-align:revert!important;= > text-indent:revert!important; text-orientation:revert!important; text-over= > flow:revert!important; text-transform:revert!important; top:revert!importan= > t; vertical-align:revert!important; visibility:revert!important; white-spac= > e:revert!important; width:revert!important; word-break:revert!important; wo= > rd-spacing:revert!important; writing-mode:revert!important; zoom:revert!imp= > ortant; background-position:revert!important; background-repeat:revert!impo= > rtant"> > You don't often get email from = > ;zlei@freebsd.org= > .  a.ms/LearnAboutSenderIdentification" class=3D"" style=3D"background-image:r= > evert!important; background-size:revert!important; background-attachment:re= > vert!important; background-origin:revert!important; background-clip:revert!= > important; background-color:revert!important; color:revert!important; direc= > tion:revert!important; display:revert!important; font-size:revert!important= > ; opacity:revert!important; visibility:revert!important; background-positio= > n:revert!important; background-repeat:revert!important">Learn > why this is important
> From: Robert Austen <robert.austen@willowglensystems.com>
> Sent: April 7, 2025 4:33 PM
> To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>
> Subject: Fw: pfil_default_to_drop
>
> From: Robert Austen
> Sent: April 7, 2025 4:21 PM
> To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
> Subject: pfil_default_to_drop
>
> Hello,
>
> I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.
>
> I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard
> to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.

Hi Robert,

So why not define the compile option PF_DEFAULT_TO_DROP, and preload pf.ko (via loader(8), /boot/loader.conf)?

With 13.5, or the upcoming 14.3 (you can also experiment with the latest stable/14), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko.

>
> After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc.,
> or really a problem with any of the filters or scripts; the problem is at the level of PFIL, the kernel packet filtering code: if no
> filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination. So my thought
> was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the
> IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the
> hooks are unhooked.

If no firewall is loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.
>
> [No one filters on local loopback or the link layer, so I've left those hooks untouched. I suppose one could add them,
> maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]
>
> Normally I'm an embedded Linux kernel basher.
>
> I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,
> so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her
> if I could...
>
weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> >
>
>
> I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...
> I've simply diff -rdpNU 5 a copy of the @old folder with a copy of the @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,
> but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.
>
weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> >
>
>
> But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.
>
> thanks!
>
> Robert
>
> <FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>
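An added check, not code from this thread or from FreeBSD, that audits a loader.conf(5) fragment for the two settings Zhenlei suggests (preloading pf.ko and net.pf.default_to_drop=1) and flags the case where the tunable is set but pf.ko is not preloaded, which is exactly the window Robert describes where the empty pfil hooks pass everything. The function names are the example's own, the sample fragments are constructed, and the live check assumes the tunable is also readable through sysctl on a running host.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: audit a
# loader.conf(5) fragment for the settings Zhenlei suggests, so that a host
# whose pf.conf fails to load still drops traffic instead of falling back
# to pfil passing everything. Sample fragments below are constructed.

# Print the value of one loader.conf variable read from stdin: comments are
# stripped, surrounding quotes removed, and the last assignment wins.
# Prints nothing when the variable is not set.
loader_conf_get() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # literal dots in the name
    sed 's/#.*//' |
        sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}[[:space:]]*\$/\1/p" |
        tail -n 1
}

# Classify a loader.conf fragment passed as a string. Prints one word:
#   ok               pf.ko preloaded and net.pf.default_to_drop=1
#   no-default-drop  pf.ko preloaded, but a failed pf.conf load leaves pf passing
#   no-pf-preload    tunable set, but pf.ko is not preloaded, so until rc loads
#                    pf the pfil hooks are empty and every packet is passed
#   unprotected      neither setting present
audit_loader_conf() {
    pf_load=$(printf '%s\n' "$1" | loader_conf_get pf_load | tr '[:upper:]' '[:lower:]')
    drop=$(printf '%s\n' "$1" | loader_conf_get net.pf.default_to_drop)
    case "$pf_load:$drop" in
        yes:1) echo ok ;;
        yes:*) echo no-default-drop ;;
        *:1)   echo no-pf-preload ;;
        *)     echo unprotected ;;
    esac
}

# On a running FreeBSD host, confirm the kernel state matches the file:
# pf.ko loaded and the tunable at 1. Assumes net.pf.default_to_drop is also
# exposed as a read-only sysctl. Returns 2 when the tools are missing
# (for example on another OS), 1 on a finding, 0 when both checks pass.
live_check() {
    command -v kldstat >/dev/null 2>&1 || return 2
    kldstat -q -m pf || { echo "pf.ko is not loaded"; return 1; }
    [ "$(sysctl -n net.pf.default_to_drop 2>/dev/null)" = 1 ] ||
        { echo "net.pf.default_to_drop is not 1"; return 1; }
    echo "kernel state ok"
}

# Constructed sample fragments (not taken from any real host).
GOOD_CONF='# /boot/loader.conf
pf_load="YES"
net.pf.default_to_drop="1"'
TUNABLE_ONLY='net.pf.default_to_drop=1   # pf.ko only loaded later by rc.d/pf'
PRELOAD_ONLY='pf_load="YES"'

audit_loader_conf "$GOOD_CONF"       # ok
audit_loader_conf "$TUNABLE_ONLY"    # no-pf-preload
audit_loader_conf "$PRELOAD_ONLY"    # no-default-drop
live_check || true
```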