To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: a85c3ef7d801 - stable/14 - ipfilter: Disable ipfs(8) by default
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-BeenThere: dev-commits-src-branches@freebsd.org
Sender: owner-dev-commits-src-branches@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: a85c3ef7d80161da04241d275da804644cdc5347
Auto-Submitted: auto-generated
Date: Mon, 05 Jan 2026 20:01:28 +0000
Message-Id: <695c1898.858c.7c8845cd@gitrepo.freebsd.org>

The branch stable/14 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=a85c3ef7d80161da04241d275da804644cdc5347

commit a85c3ef7d80161da04241d275da804644cdc5347
Author:     Cy Schubert
AuthorDate: 2025-11-16 07:39:19 +0000
Commit:     Cy Schubert
CommitDate: 2026-01-05 20:01:01 +0000

    ipfilter: Disable ipfs(8) by default

    At the moment ipfs(8) is a tool that can be easily abused. Though the
    concept is sound, the implementation needs some work. ipfs(8) should be
    considered experimental at the moment.

    This commit also makes ipfs support in the kernel optional.

    Reviewed by:            emaste, glebius
    MFC after:              1 week
    Differential revision:  https://reviews.freebsd.org/D53787

    (cherry picked from commit 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5)
---
 sbin/ipf/Makefile                        | 6 +++++-
 share/mk/src.opts.mk                     | 1 +
 sys/conf/NOTES                           | 1 +
 sys/conf/options                         | 1 +
 sys/modules/ipfilter/Makefile            | 6 ++++++
 sys/netpfil/ipfilter/netinet/ip_nat.c    | 5 ++++-
 sys/netpfil/ipfilter/netinet/ip_state.c  | 4 ++++
 tools/build/mk/OptionalObsoleteFiles.inc | 4 ++++
 8 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile index 32cead444f77..b64b09584b48 100644 --- a/sbin/ipf/Makefile +++ b/sbin/ipf/Makefile
@@ -1,6 +1,10 @@ +.include SUBDIR= libipf .WAIT -SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool +SUBDIR+= ipf ipfstat ipmon ipnat ippool +.if ${MK_IPFILTER_IPFS} != "no" +SUBDIR+= ipfs +.endif # XXX Temporarily disconnected. # SUBDIR+= ipftest ipresend ipsend SUBDIR_PARALLEL= diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 6395efc7469f..ee3784cecb4b 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -208,6 +208,7 @@ __DEFAULT_NO_OPTIONS = \ DTRACE_TESTS \ EXPERIMENTAL \ HESIOD \ + IPFILTER_IPFS \ LOADER_VERBOSE \ LOADER_VERIEXEC_PASS_MANIFEST \ LLVM_ASSERTIONS \ diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 7ce26cb76820..410b5e79fee1 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1042,6 +1042,7 @@ options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default +options IPFILTER_IPFS #enable experimental ipfs(8) support options IPSTEALTH #support for stealth forwarding options PF_DEFAULT_TO_DROP #drop everything by default options TCPPCAP diff --git a/sys/conf/options b/sys/conf/options index 2becb1aaa7a3..6337eb14f6a4 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -450,6 +450,7 @@ IPFILTER opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h +IPFILTER_IPFS opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile index d2f32538b68b..969df7dfad84 100644 --- a/sys/modules/ipfilter/Makefile +++ b/sys/modules/ipfilter/Makefile @@ -1,3 +1,4 @@ +.include .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet 
@@ -10,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP + +.if ${MK_IPFILTER_IPFS} != "no" +CFLAGS+= -DIPFILTER_IPFS +.endif + # # If you don't want log functionality remove -DIPFILTER_LOG # diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index a11eda2a6b85..4c7ede89d30e 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1344,6 +1344,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx); break; +#ifdef IPFILTER_IPFS case SIOCSTLCK : if (!(mode & FWRITE)) { IPFERROR(60015); @@ -1379,6 +1380,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = EACCES; } break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -1686,7 +1688,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n, } } - +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_nat_getsz */ /* Returns: int - 0 == success, != 0 is the error value. */ @@ -2254,6 +2256,7 @@ junkput: } return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index 88570273c588..bfb9b9eb19f3 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -713,6 +713,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFOBJ_STATESTAT); break; +#ifdef IPFILTER_IPFS /* * Lock/Unlock the state table. (Locking prevents any changes, which * means no packets match). 
@@ -749,6 +750,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } error = ipf_state_getent(softc, softs, data); break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -805,6 +807,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ @@ -1009,6 +1012,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs, return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index 8b2688f7e626..72e86b99799f 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -2684,6 +2684,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz OLD_FILES+=usr/share/man/man8/ippool.8.gz .endif +.if ${MK_IPFILTER_IPFS} == no +OLD_FILES+=sbin/ipfs +.endif + .if ${MK_IPFW} == no OLD_FILES+=etc/rc.d/ipfw OLD_FILES+=etc/periodic/security/500.ipfwdenied
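Review bot: the `+.include` line at the top of the sbin/ipf/Makefile hunk shows no file argument in this rendering, and the `.if ${MK_IPFILTER_IPFS} != "no"` guard four lines later only does what the commit message intends if MK_IPFILTER_IPFS has been defined by that point; the knob is added to __DEFAULT_NO_OPTIONS in share/mk/src.opts.mk in this same patch, so confirm the include names that file (the mail rendering may simply have dropped an angle-bracketed argument). A one-line comment above the guard saying ipfs(8) is experimental and off by default would also save the next reader a trip to the commit log.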
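Review bot: missing documentation for the new knob in the share/mk/src.opts.mk hunk: adding IPFILTER_IPFS to __DEFAULT_NO_OPTIONS makes WITH_IPFILTER_IPFS a user-settable src.conf(5) option, but the diffstat shows no tools/build/options/WITH_IPFILTER_IPFS description file, and src.conf(5) is generated from those files. Suggest adding one that carries the commit message's wording (experimental; builds ipfs(8) and enables the matching support in the ipfilter module).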
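Review bot: style point in the sys/conf/options hunk: the existing entries are alphabetical (IPFILTER, IPFILTER_DEFAULT_BLOCK, IPFILTER_LOG, IPFILTER_LOOKUP) and the new `IPFILTER_IPFS opt_ipfilter.h` line is appended after IPFILTER_LOOKUP; it belongs between IPFILTER_DEFAULT_BLOCK and IPFILTER_LOG.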
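Review bot: in the sys/modules/ipfilter/Makefile `-10,6` hunk the module and the static kernel now take IPFILTER_IPFS from different places: the module derives `-DIPFILTER_IPFS` from MK_IPFILTER_IPFS in src.conf, while a static kernel needs `options IPFILTER_IPFS` from the NOTES/options hunks. That matches how the existing `-DIPFILTER_LOG -DIPFILTER_LOOKUP` CFLAGS are handled, but it means a WITH_IPFILTER_IPFS build produces an ipfs(8) binary whose ioctls a kernel built with `options IPFILTER` but without `options IPFILTER_IPFS` will not recognise; a sentence in the NOTES comment (or the option description) saying both sides must be enabled would help. The `+.include` in the preceding `-1,3` hunk of the same file has the same missing-argument rendering as the sbin/ipf/Makefile one.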
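Review bot: the ip_nat.c `-1686` hunk replaces the blank line after the closing brace of ipf_nat_siocdelnat() with `#ifdef IPFILTER_IPFS`, so the preprocessor line now sits directly against the previous function body; keep the blank line and place the `#ifdef` on its own line before the ipf_nat_getsz comment box, the way the `#endif /* IPFILTER_IPFS */` in the `-2254` hunk is separated from the following comment box. Worth checking too that the prototypes for the functions now inside this block (ipf_nat_getsz through the end of the `-2254` hunk) are either guarded the same way in the header or harmless when unreferenced; no header is in this patch.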
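Review bot: the ip_state.c `-713` hunk compiles out the state-table lock ioctl, whose own comment says locking "prevents any changes, which means no packets match", together with the get/put entry ioctls; with these out by default, an ipfs(8) run against such a kernel gets whatever the switch's default case returns rather than a clear "not compiled in" error. Suggest the ipfs(8) manual page, which the diffstat shows is not touched here, state that the tool requires IPFILTER_IPFS in the kernel or WITH_IPFILTER_IPFS for the module, and what error to expect otherwise.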
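Review bot: the OptionalObsoleteFiles.inc hunk lists only sbin/ipfs under `.if ${MK_IPFILTER_IPFS} == no`; the surrounding MK_IPFILTER block also lists the manual pages (usr/share/man/man8/ipnat.8.gz, ippool.8.gz), so the ipfs(8) page that the sbin/ipf/ipfs subdirectory presumably installs should be added here as well, otherwise `make delete-old` leaves a stale manual for a tool that is no longer installed when the knob is off. Since IPFILTER_IPFS defaults to no, that is the common case.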