To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 91de9b501aa7 - stable/15 - ipfilter: Disable ipfs(8) by default
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: 91de9b501aa7d8f108b596bc52583dbafac1d262
Auto-Submitted: auto-generated
Date: Mon, 05 Jan 2026 20:00:36 +0000
Message-Id: <695c1864.3fcf7.57d0cbbe@gitrepo.freebsd.org>

The branch stable/15 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=91de9b501aa7d8f108b596bc52583dbafac1d262

commit 91de9b501aa7d8f108b596bc52583dbafac1d262
Author:     Cy Schubert
AuthorDate: 2025-11-16 07:39:19 +0000
Commit:     Cy Schubert
CommitDate: 2026-01-05 20:00:01 +0000

    ipfilter: Disable ipfs(8) by default

    At the moment ipfs(8) is a tool that can be easily abused. Though the
    concept is sound, the implementation needs some work. ipfs(8) should be
    considered experimental at the moment.

    This commit also makes ipfs support in the kernel optional.

    Reviewed by:            emaste, glebius
    MFC after:              1 week
    Differential revision:  https://reviews.freebsd.org/D53787

    (cherry picked from commit 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5)
---
 sbin/ipf/Makefile                        | 7 ++++++-
 share/mk/src.opts.mk                     | 1 +
 sys/conf/NOTES                           | 1 +
 sys/conf/options                         | 1 +
 sys/modules/ipfilter/Makefile            | 7 +++++++
 sys/netpfil/ipfilter/netinet/ip_nat.c    | 5 ++++-
 sys/netpfil/ipfilter/netinet/ip_state.c  | 4 ++++
 tools/build/mk/OptionalObsoleteFiles.inc | 4 ++++
 8 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile index 1b0a18d3d9c3..b64b09584b48 100644 --- a/sbin/ipf/Makefile +++ b/sbin/ipf/Makefile
@@ -1,5 +1,10 @@ +.include + SUBDIR= libipf .WAIT -SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool +SUBDIR+= ipf ipfstat ipmon ipnat ippool +.if ${MK_IPFILTER_IPFS} != "no" +SUBDIR+= ipfs +.endif # XXX Temporarily disconnected. # SUBDIR+= ipftest ipresend ipsend SUBDIR_PARALLEL= diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 1167d7f7b812..92634425f770 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -208,6 +208,7 @@ __DEFAULT_NO_OPTIONS = \ DTRACE_TESTS \ EXPERIMENTAL \ HESIOD \ + IPFILTER_IPFS \ LOADER_VERBOSE \ LOADER_VERIEXEC_PASS_MANIFEST \ LLVM_ASSERTIONS \ diff --git a/sys/conf/NOTES b/sys/conf/NOTES index cdfdd09fc1a0..46787d2e690a 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1045,6 +1045,7 @@ options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default +options IPFILTER_IPFS #enable experimental ipfs(8) support options IPSTEALTH #support for stealth forwarding options PF_DEFAULT_TO_DROP #drop everything by default options TCP_BLACKBOX diff --git a/sys/conf/options b/sys/conf/options index b48ad1cf42cf..9e9cb6aeb6b3 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -448,6 +448,7 @@ IPFILTER opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h +IPFILTER_IPFS opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile index 6c5fc140f36c..969df7dfad84 100644 --- a/sys/modules/ipfilter/Makefile +++ b/sys/modules/ipfilter/Makefile @@ -1,3 +1,5 @@ +.include + .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet KMOD= ipl 
@@ -9,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP + +.if ${MK_IPFILTER_IPFS} != "no" +CFLAGS+= -DIPFILTER_IPFS +.endif + # # If you don't want log functionality remove -DIPFILTER_LOG # diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index d83454185609..ec5a431dc47f 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1340,6 +1340,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx); break; +#ifdef IPFILTER_IPFS case SIOCSTLCK : if (!(mode & FWRITE)) { IPFERROR(60015); @@ -1375,6 +1376,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = EACCES; } break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -1682,7 +1684,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n, } } - +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_nat_getsz */ /* Returns: int - 0 == success, != 0 is the error value. */ @@ -2250,6 +2252,7 @@ junkput: } return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index 36fdf23cd062..8a21e7593995 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFOBJ_STATESTAT); break; +#ifdef IPFILTER_IPFS /* * Lock/Unlock the state table. (Locking prevents any changes, which * means no packets match). 
@@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } error = ipf_state_getent(softc, softs, data); break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ @@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs, return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index d7131d01ef37..a7ae52650999 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -2630,6 +2630,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz OLD_FILES+=usr/share/man/man8/ippool.8.gz .endif +.if ${MK_IPFILTER_IPFS} == no +OLD_FILES+=sbin/ipfs +.endif + .if ${MK_IPFW} == no OLD_FILES+=etc/rc.d/ipfw OLD_FILES+=etc/rc.d/natd
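Review bot: the added first line of the sbin/ipf/Makefile hunk reads `+.include` with no file operand, and the sys/modules/ipfilter/Makefile hunk has the same bare `+.include`; `${MK_IPFILTER_IPFS}` is only defined once src.opts.mk (which this patch also edits) has been pulled in, so confirm the committed lines read `.include <src.opts.mk>` and that the angle-bracketed operand was merely lost in mail transit rather than in the tree.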
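Review bot: no tools/build/options/WITH_IPFILTER_IPFS description file accompanies the new `IPFILTER_IPFS` entry in the src.opts.mk hunk (the diffstat lists eight files, none under tools/build/options), so src.conf(5), which is generated from those files, will not document the knob; a short description stating that ipfs(8) is experimental and off by default, as the commit message says, belongs in this change.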
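Review bot: the kernel module and the static kernel are switched by two independent mechanisms in the sys/modules/ipfilter/Makefile hunk: the module gets `-DIPFILTER_IPFS` from the MK_IPFILTER_IPFS build knob, while a compiled-in kernel gets it from `options IPFILTER_IPFS` via opt_ipfilter.h. A buildworld with WITH_IPFILTER_IPFS installs ipfs(8) but a kernel config lacking the option still rejects its ioctls, and vice versa; one sentence in NOTES or the option description saying the two must agree would save operators a confusing debugging session.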
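Review bot: once `case SIOCSTLCK :` through the `break;` preceding `case SIOCGENITER :` is compiled out in the ipf_nat_ioctl hunk, those commands fall to the switch's `default:` arm, which lies outside the visible context; confirm it sets a distinct error rather than returning 0, so that an ipfs(8) binary run against a kernel built without IPFILTER_IPFS fails visibly instead of appearing to save or restore tables.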
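Review bot: the `#ifdef IPFILTER_IPFS` in the ipf_state_ioctl hunk wraps the lock/unlock ioctls whose own comment states that locking the state table means no packets match; since that is the behaviour the commit message calls abusable, the NOTES one-liner (`#enable experimental ipfs(8) support`) or the option description should spell out that enabling it exposes table-locking ioctls to any holder of a write-mode descriptor on the device (the `FWRITE` check in the ip_nat.c hunk is the only gate visible here).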
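Review bot: the new `.if ${MK_IPFILTER_IPFS} == no` block in the OptionalObsoleteFiles.inc hunk lists only `sbin/ipfs`, whereas the MK_IPFILTER block visible just above it also removes the tools' manual pages (`usr/share/man/man8/ipnat.8.gz`, `usr/share/man/man8/ippool.8.gz`); add the ipfs(8) page, and its debug file if MK_DEBUG_FILES installs one, so that `make delete-old` does not leave a manual page for a binary that is no longer built.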