From owner-svn-src-all@FreeBSD.ORG Mon May 18 20:23:17 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F37F3106566B; Mon, 18 May 2009 20:23:16 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id E081E8FC08; Mon, 18 May 2009 20:23:16 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n4IKNGC7073805; Mon, 18 May 2009 20:23:16 GMT (envelope-from jhb@svn.freebsd.org) Received: (from jhb@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n4IKNGZ2073804; Mon, 18 May 2009 20:23:16 GMT (envelope-from jhb@svn.freebsd.org) Message-Id: <200905182023.n4IKNGZ2073804@svn.freebsd.org> From: John Baldwin Date: Mon, 18 May 2009 20:23:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r192336 - in stable/7/sys: . contrib/pf dev/ath/ath_hal dev/cxgb netinet X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 May 2009 20:23:17 -0000 Author: jhb Date: Mon May 18 20:23:16 2009 New Revision: 192336 URL: http://svn.freebsd.org/changeset/base/192336 Log: MFC: Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable. Modified: stable/7/sys/ (props changed) stable/7/sys/contrib/pf/ (props changed) stable/7/sys/dev/ath/ath_hal/ (props changed) stable/7/sys/dev/cxgb/ (props changed) stable/7/sys/netinet/ip_fw2.c Modified: stable/7/sys/netinet/ip_fw2.c ============================================================================== --- stable/7/sys/netinet/ip_fw2.c Mon May 18 19:56:06 2009 (r192335) +++ stable/7/sys/netinet/ip_fw2.c Mon May 18 20:23:16 2009 (r192336) @@ -111,6 +111,11 @@ static int fw_verbose; static struct callout ipfw_timeout; static int verbose_limit; +#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT +static int default_to_accept = 1; +#else +static int default_to_accept; +#endif static uma_zone_t ipfw_dyn_rule_zone; /* @@ -170,6 +175,9 @@ SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, d NULL, IPFW_DEFAULT_RULE, "The default/max possible rule number."); SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, tables_max, CTLFLAG_RD, NULL, IPFW_TABLES_MAX, "The maximum number of tables."); +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN, + &default_to_accept, 0, "Make the default rule accept all packets."); +TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept); #endif /* SYSCTL_NODE */ /* @@ -4514,11 +4522,7 @@ ipfw_init(void) default_rule.set = RESVD_SET; default_rule.cmd[0].len = 1; - default_rule.cmd[0].opcode = -#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT - 1 ? O_ACCEPT : -#endif - O_DENY; + default_rule.cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY; error = add_rule(&layer3_chain, &default_rule); if (error != 0) {