Date: Wed, 9 Apr 2025 16:44:17 +0000
From: Robert Austen <robert.austen@willowglensystems.com>
To: Zhenlei Huang <zlei@FreeBSD.org>
Cc: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Kristof Provost <kp@FreeBSD.org>, Cy Schubert <cy@freebsd.org>
Subject: Re: pfil_default_to_drop
Message-ID: <QB1PPF4C719E46AFADEAB65EB14D2627AABEFB42@QB1PPF4C719E46A.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <AE3D71CF-AF58-4F79-AF5C-6CD159C138D5@FreeBSD.org>
References: <YT2PPFD8040D4DA15FF1002CDBF5DE22C41EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM> <YT2PPFD8040D4DA456DB44A9D2934D49D21EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM> <YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM> <274BB159-3CB5-49E0-84E7-A3F4B81BFDC1@FreeBSD.org> <QB1PPF4C719E46A03770B2C7622042A91B6EFB52@QB1PPF4C719E46A.CANPRD01.PROD.OUTLOOK.COM> <AE3D71CF-AF58-4F79-AF5C-6CD159C138D5@FreeBSD.org>
[-- Attachment #1 --]

"Maybe we also want a loader tunable to enable pf(4) on load"

Seems a complicated way to do a simple thing. imho.

Did you happen to look at my tiny patch?
There are already a bunch of macros (PFIL_HOOKED_IN, PFIL_HOOKED_OUT) defined depending on the inclusion of INET v4 or 6.
I just cloned them as ... _UNHOOKED_ ..., and made them the NOT of the HOOKED_ one, or FALSE when INET v4 or 6 is excluded or if PFIL_DEFAULT_TO_DROP isn't defined.

Then wherever the existing PFIL_HOOKED_IN/OUT_46 macros are used, prior to calling the filter hook, I just inserted a PFIL_UNHOOKED_IN/OUT_46 check, and a 'goto drop' instead of the 'goto passin/out' for the 7 occurrences in if_gateway and the 3 in the NETINET code (ip_input, ip_output, ip_fastfwd) and the 4 in the NETINET6 code (same as netinet4 plus ip6_forward).

easy peasy.
I spent 10x more time messing with the kernel Makefile + CONF structure than with my changes lol.

________________________________
From: Zhenlei Huang <zlei@FreeBSD.org>
Sent: April 9, 2025 1:48 AM
To: Robert Austen <robert.austen@willowglensystems.com>
Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>; Kristof Provost <kp@FreeBSD.org>; Cy Schubert <cy@freebsd.org>
Subject: Re: pfil_default_to_drop

> On Apr 9, 2025, at 1:01 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:
>
> I respectfully disagree.
>
> PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, i.e. to apply any hooks.
> if pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.

Ahh, I see your problem. Yes, you're right.
pf(4) requires ioctl ( DIOCSTART ) or netlink command to enable it.

@Kristof Maybe we also want a loader tunable to enable pf(4) on load ?

> consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be, assuming there even is one.
> thus PF_DEFAULT_TO_DROP has zero effect (and likewise the equivalents from the other filters).

As for ipfw(4), by default it enables filtering on load, unless you disable it via loader tunable `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw`.

The compile option IPFIREWALL_DEFAULT_TO_ACCEPT or loader tunable `net.inet.ip.fw.default_to_accept` controls the default behavior to drop or accept.
See also https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd .

> as I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP, because it handles ALL of the 'no filter installed (yet)' cases. if PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all, so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.

It appears ipf(4) unconditionally enables filtering on load, and does not have any tunables to control that. CC @Cy who is more familiar with ipf(4).

> thanks!
>
> ________________________________
> From: Zhenlei Huang <zlei@FreeBSD.org>
> Sent: April 7, 2025 7:55 PM
> To: Robert Austen <robert.austen@willowglensystems.com>
> Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>; Kristof Provost <kp@FreeBSD.org>
> Subject: Re: pfil_default_to_drop
>
> > On Apr 8, 2025, at 6:36 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:
> >
> > ________________________________
> > From: Robert Austen <robert.austen@willowglensystems.com>
> > Sent: April 7, 2025 4:33 PM
> > To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-net@freebsd.org>
> > Subject: Fw: pfil_default_to_drop
> >
> > ________________________________
> > From: Robert Austen
> > Sent: April 7, 2025 4:21 PM
> > To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
> > Subject: pfil_default_to_drop
> >
> > Hello,
> >
> > I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point. I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.
>
> Hi Robert,
>
> So why not define the compile option PF_DEFAULT_TO_DROP, and preload pf.ko ( via the loader(8), /boot/loader.conf ) ?
>
> With 13.5, or upcoming 14.3 ( you can also experiment with latest stable/14 ), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko.
> See also https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd .
>
> > After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination.
> >
> > So my thought was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the hooks are unhooked. If no firewall is loaded, then the system should behave as is.
>
> I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.
>
> > [No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them, maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]
> >
> > Normally I'm an embedded Linux kernel basher. I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes, so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her if I could...
> >
> > I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"... I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new folder.
> >
> > The code was written against FreeBSD-14.1-RELEASE-amd64, but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version. But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.
> >
> > thanks!
> > Robert
> > <FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>
outline:revert!important; overflow:revert!important; position:revert!important; tab-size:revert!important; table-layout:revert!important; text-indent:revert!important; text-orientation:revert!important; text-overflow:revert!important; text-transform:revert!important; top:revert!important; vertical-align:revert!important; visibility:revert!important; white-space:revert!important; word-break:revert!important; word-spacing:revert!important; writing-mode:revert!important; zoom:revert!important; width:541px; background-color:rgb(234,234,234)!important; padding:7px 5px 7px 15px!important; font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif!important; font-size:12px!important; font-weight:normal!important; color:rgb(33,33,33)!important; text-align:left!important; word-wrap:break-word!important; background-position:revert!important; background-repeat:revert!important"> <div class="" style="background-image:revert!important; background-size:revert!important; background-attachment:revert!important; background-origin:revert!important; background-clip:revert!important; background-color:revert!important; border:revert!important; bottom:revert!important; color:revert!important; direction:revert!important; display:revert!important; font-size:revert!important; height:revert!important; letter-spacing:revert!important; line-height:revert!important; margin:revert!important; opacity:revert!important; order:revert!important; outline:revert!important; overflow:revert!important; padding:revert!important; position:revert!important; tab-size:revert!important; table-layout:revert!important; text-align:revert!important; text-indent:revert!important; text-orientation:revert!important; text-overflow:revert!important; text-transform:revert!important; top:revert!important; vertical-align:revert!important; visibility:revert!important; white-space:revert!important; width:revert!important; word-break:revert!important; word-spacing:revert!important; 
writing-mode:revert!important; zoom:revert!important; background-position:revert!important; background-repeat:revert!important"> You don't often get email from<span class="x_Apple-converted-space"> </span><a href="mailto:zlei@freebsd.org" class="">zlei@freebsd.org</a>.<span class="x_Apple-converted-space"> </span><a href="https://aka.ms/LearnAboutSenderIdentification" class="" style="background-image:revert!important; background-size:revert!important; background-attachment:revert!important; background-origin:revert!important; background-clip:revert!important; background-color:revert!important; color:revert!important; direction:revert!important; display:revert!important; font-size:revert!important; opacity:revert!important; visibility:revert!important; background-position:revert!important; background-repeat:revert!important">Learn why this is important</a></div> </td> <td valign="middle" align="left" width="75px" bgcolor="#EAEAEA" cellpadding="7px 5px 7px 5px" class="" style="background-image:revert!important; background-size:revert!important; background-attachment:revert!important; background-origin:revert!important; background-clip:revert!important; border:revert!important; bottom:revert!important; direction:revert!important; display:revert!important; height:revert!important; letter-spacing:revert!important; line-height:revert!important; margin:revert!important; opacity:revert!important; order:revert!important; outline:revert!important; overflow:revert!important; position:revert!important; tab-size:revert!important; table-layout:revert!important; text-indent:revert!important; text-orientation:revert!important; text-overflow:revert!important; text-transform:revert!important; top:revert!important; vertical-align:revert!important; visibility:revert!important; white-space:revert!important; word-break:revert!important; word-spacing:revert!important; writing-mode:revert!important; zoom:revert!important; width:75px!important; background-color:rgb(234,234,234)!important; 
padding:7px 5px!important; font-family:wf_segoe-ui_normal,"Segoe UI","Segoe WP",Tahoma,Arial,sans-serif!important; font-size:12px!important; font-weight:normal!important; color:rgb(33,33,33)!important; text-align:left!important; word-wrap:break-word!important; background-position:revert!important; background-repeat:revert!important"> </td> </tr> </tbody> </table> <div class=""><br class=""> <div class=""><br class=""> <blockquote type="cite" class=""> <div class="">On Apr 8, 2025, at 6:36 AM, Robert Austen <<a href="mailto:robert.austen@willowglensystems.com" class="">robert.austen@willowglensystems.com</a>> wrote:</div> <br class="x_x_Apple-interchange-newline"> <div class=""> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class="x_x_Apple-interchange-newline"> <br class=""> </div> <div id="x_x_appendonsend" class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none"> </div> <hr class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; display:inline-block; width:576.234375px"> <span class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; float:none; display:inline!important"></span> <div dir="ltr" 
id="x_x_divRplyFwdMsg" class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none"> <span class="" style="font-family:Calibri,sans-serif; font-size:11pt"><b class="">From:</b> Robert Austen <<a href="mailto:robert.austen@willowglensystems.com" class="">robert.austen@willowglensystems.com</a>><br class=""> <b class="">Sent:</b> April 7, 2025 4:33 PM<br class=""> <b class="">To:</b> <a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a><span class="x_x_Apple-converted-space"> </span><<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a>>;<span class="x_x_Apple-converted-space"> </span><a href="mailto:freebsd-net@freebsd.org" class="">freebsd-net@freebsd.org</a><span class="x_x_Apple-converted-space"> </span><<a href="mailto:freebsd-net@freebsd.org" class="">freebsd-net@freebsd.org</a>><br class=""> <b class="">Subject:</b> Fw: pfil_default_to_drop</span> <div class=""> </div> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div id="x_x_x_appendonsend" class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none"> </div> <hr class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; 
text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; display:inline-block; width:576.234375px"> <span class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; float:none; display:inline!important"></span> <div dir="ltr" id="x_x_x_divRplyFwdMsg" class="" style="font-family:Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none"> <span class="" style="font-family:Calibri,sans-serif; font-size:11pt"><b class="">From:</b> Robert Austen<br class=""> <b class="">Sent:</b> April 7, 2025 4:21 PM<br class=""> <b class="">To:</b> <a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a><span class="x_x_Apple-converted-space"> </span><<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a>><br class=""> <b class="">Subject:</b> pfil_default_to_drop</span> <div class=""> </div> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> Hello,</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> I've been playing with FreeBSD and PF to build 
myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load. 
</div> </div> </blockquote> <div class=""><br class=""> </div> <div class="">Hi Robert,</div> <div class=""><br class=""> </div> <div class="">So why not defining the compile option PF_DEFAULT_TO_DROP, and preload <span class="" style="">pf.ko ( via the loader(8), </span><span class="" style="">/boot/loader.conf ) ?</span></div> <div class=""><span class="" style=""><br class=""> </span></div> <div class=""><font class="">With 13.5, or upcoming 14.3 ( you can also experiment latest stable/14 ), you can<span class="x_Apple-converted-space"> </span></font><span class="" style="">turn the loader tunable net.pf.default_to_drop to 1, and </span><span class="" style="">preload </span><span class="" style="">pf.ko.</span></div> <div class="">See also <a href="https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd" class="">https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd</a> .</div> <div class=""><br class=""> </div> <blockquote type="cite" class=""> <div class=""> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; 
text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> filter is loaded, i.e. if the heads are unhooked, then PFIL sends<span class="x_x_Apple-converted-space"> </span><b class="">everything</b> thru to its destination. So my thought </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; 
word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> hooks are unhooked. </div> </div> </blockquote> <div class=""><br class=""> </div> <div class="">If no firewalls loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.</div> <br class=""> <blockquote type="cite" class=""> <div class=""> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> [No one filters on local loopback nor the link layer, so I've left those hooks untouched. 
I suppose one could add them,</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> Normally I'm an embedded linux kernel basher.</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> I'm not entirely sure where to send this patch. 
Most of the threads asking the above PF questions are closed to changes,</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> if I could...</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; 
font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; 
font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> thanks!</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> Robert</div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; 
text-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <div class="" style="font-style:normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:none; white-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif; font-size:12pt"> <br class=""> </div> <span id="x_x_cid:EF978BA5-1323-4E87-B14E-03A449683C8A" class=""><FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip></span></div> </blockquote> </div> </div> </div> </div> </blockquote> </div> <br class=""> <div class=""> <div><br class=""> </div> </div> <br class=""> </div> </div> </body> </html>help
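The fail-open gap the thread circles around is that the loader tunable and a preloaded pf.ko only take effect once pf is actually enabled; until then the pfil heads stay unhooked and everything passes. The following boot-time sanity check is an added example, not code from the thread, from Robert's patch or from FreeBSD: it assumes a FreeBSD host where `kldstat -q -m pf`, `sysctl -n net.pf.default_to_drop` and `pfctl -s info` exist, and keeps the decision logic in a pure-shell function so it can be exercised offline with constructed inputs.

```shell
#!/bin/sh
# Added example, not code from this thread or from FreeBSD: a boot-time
# sanity check that a PF box is really fail-closed.
#
# The loader.conf recipe discussed above, as a constructed sample for
# /boot/loader.conf:
#     pf_load="YES"                # preload pf.ko so the hooks exist early
#     net.pf.default_to_drop=1     # drop what no rule matches (13.5 / 14.3+)
# Neither line helps until pf is enabled (pfctl -e, i.e. DIOCSTART): until
# then the pfil heads are unhooked and ip_input/ip_output pass everything.
# This script checks all three conditions and reports which one is missing.

# pf_state_check LOADED TUNABLE INFO
#   LOADED  "yes" when pf.ko is loaded, anything else otherwise
#   TUNABLE value of net.pf.default_to_drop ("" when the sysctl is absent)
#   INFO    output of `pfctl -s info`
# Returns 0 only when pf is loaded, enabled and defaulting to drop.
# Pure string logic so it can be exercised offline with constructed inputs.
pf_state_check() {
    _loaded=$1
    _tunable=$2
    _info=$3
    _rc=0
    if [ "$_loaded" != "yes" ]; then
        echo "FAIL: pf.ko not loaded, no pfil hooks can be registered (fail-open)"
        _rc=1
    fi
    case "$_tunable" in
        1)  ;;
        "") echo "FAIL: net.pf.default_to_drop is absent (kernel predates the tunable?)"
            _rc=1 ;;
        *)  echo "FAIL: net.pf.default_to_drop=$_tunable, unmatched packets pass"
            _rc=1 ;;
    esac
    case "$_info" in
        *"Status: Enabled"*) ;;
        *)  echo "FAIL: pf is not enabled, hooks unhooked, pfil passes everything"
            _rc=1 ;;
    esac
    if [ "$_rc" -eq 0 ]; then
        echo "OK: pf loaded, enabled and defaulting to drop"
    fi
    return "$_rc"
}

# Collect the live inputs; only meaningful on a FreeBSD host.
pf_live_check() {
    if kldstat -q -m pf; then _l=yes; else _l=no; fi
    _t=$(sysctl -n net.pf.default_to_drop 2>/dev/null || true)
    _i=$(pfctl -s info 2>/dev/null || true)
    pf_state_check "$_l" "$_t" "$_i"
}

# Run the live check only where the tools exist; elsewhere just define
# the functions (e.g. for the offline tests).
if [ "$(uname -s 2>/dev/null)" = "FreeBSD" ]; then
    pf_live_check
fi
```

Run it from an rc script after pf has been started, or from a monitoring job, and alert on a non-zero exit; a box that reports "pf is not enabled" is the exact fail-open state described above.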
