Date:      Tue, 18 Sep 2012 11:07:19 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r240642 - in head: share/man/man4 sys/conf sys/netpfil/pf
Message-ID:  <201209181107.q8IB7J1C077198@svn.freebsd.org>

Author: glebius
Date: Tue Sep 18 11:07:19 2012
New Revision: 240642
URL: http://svn.freebsd.org/changeset/base/240642

Log:
  Provide kernel compile time option to make pf(4) default rule to drop.
  
  This is important to close a small window at boot time, when the
  network is already configured but the pf(4) ruleset is not yet loaded.
  
  PR:		kern/171622
  Submitted by:	Olivier Cochard-LabbИ <olivier cochard.me>

Modified:
  head/share/man/man4/pf.4
  head/sys/conf/NOTES
  head/sys/conf/options
  head/sys/netpfil/pf/pf_ioctl.c

Modified: head/share/man/man4/pf.4
==============================================================================
--- head/share/man/man4/pf.4	Tue Sep 18 10:54:56 2012	(r240641)
+++ head/share/man/man4/pf.4	Tue Sep 18 11:07:19 2012	(r240642)
@@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 29 2012
+.Dd September 18 2012
 .Dt PF 4
 .Os
 .Sh NAME
@@ -36,6 +36,7 @@
 .Nd packet filter
 .Sh SYNOPSIS
 .Cd "device pf"
+.Cd "options PF_DEFAULT_TO_DROP"
 .Sh DESCRIPTION
 Packet filtering takes place in the kernel.
 A pseudo-device,
@@ -94,6 +95,15 @@ Read only
 .Xr sysctl 8
 variables with matching names are provided to obtain current values
 at runtime.
+.Sh KERNEL OPTIONS
+The following options in the kernel configuration file are related to
+.Nm
+operation:
+.Pp
+.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
+.It Dv PF_DEFAULT_TO_DROP
+Change default policy to drop by default
+.El
 .Sh IOCTL INTERFACE
 .Nm
 supports the following

Modified: head/sys/conf/NOTES
==============================================================================
--- head/sys/conf/NOTES	Tue Sep 18 10:54:56 2012	(r240641)
+++ head/sys/conf/NOTES	Tue Sep 18 11:07:19 2012	(r240642)
@@ -918,6 +918,8 @@ device		lagg
 # packets without touching the TTL).  This can be useful to hide firewalls
 # from traceroute and similar tools.
 #
+# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything.
+#
 # TCPDEBUG enables code which keeps traces of the TCP state machine
 # for sockets with the SO_DEBUG option set, which can then be examined
 # using the trpt(8) utility.
@@ -937,6 +939,7 @@ options 	IPFILTER_LOG		#ipfilter logging
 options 	IPFILTER_LOOKUP		#ipfilter pools
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
 options 	IPSTEALTH		#support for stealth forwarding
+options 	PF_DEFAULT_TO_DROP	#drop everything by default
 options 	TCPDEBUG
 options 	RADIX_MPATH
 

Modified: head/sys/conf/options
==============================================================================
--- head/sys/conf/options	Tue Sep 18 10:54:56 2012	(r240641)
+++ head/sys/conf/options	Tue Sep 18 11:07:19 2012	(r240642)
@@ -430,6 +430,7 @@ NCP
 NETATALK		opt_atalk.h
 NFSLOCKD
 PCBGROUP		opt_pcbgroup.h
+PF_DEFAULT_TO_DROP	opt_pf.h
 RADIX_MPATH		opt_mpath.h
 ROUTETABLES		opt_route.h
 SLIP_IFF_OPTS		opt_slip.h

Modified: head/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- head/sys/netpfil/pf/pf_ioctl.c	Tue Sep 18 10:54:56 2012	(r240641)
+++ head/sys/netpfil/pf/pf_ioctl.c	Tue Sep 18 11:07:19 2012	(r240642)
@@ -216,7 +216,11 @@ pfattach(void)
 
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+#ifdef PF_DEFAULT_TO_DROP
+	V_pf_default_rule.action = PF_DROP;
+#else
 	V_pf_default_rule.action = PF_PASS;
+#endif
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;
 
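Review bot: The drop action is assigned once here in pfattach() and nothing in this hunk resets it when a ruleset is later committed, so unless code outside the hunk does, PF_DEFAULT_TO_DROP makes every packet that matches no rule fail closed for the lifetime of the kernel, not only during the boot window the log message describes. That is the desirable fail-closed behaviour, but it should be stated where the option is consumed, e.g. `/* PF_DEFAULT_TO_DROP: fail closed for traffic matching no rule, for the whole kernel lifetime, not only before the first ruleset load. */` above the #ifdef, and the pf.4 entry should say the same rather than "drop by default". If, as the name suggests, the default rule is only consulted from the filter path, the boot-window protection also depends on pf being enabled during that window; whether attach alone achieves that is not visible here and is worth confirming against the rc ordering. A read-only sysctl exposing the compiled-in default would let an operator verify the kernel was built with the option instead of discovering it from dropped traffic. pfattach() continues outside the hunk.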


