From owner-svn-src-head@FreeBSD.ORG Tue Sep 18 11:07:20 2012 Message-Id: <201209181107.q8IB7J1C077198@svn.freebsd.org>
From: Gleb Smirnoff Date: Tue, 18 Sep 2012 11:07:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r240642 - in head: share/man/man4 sys/conf sys/netpfil/pf Author: glebius Date: Tue Sep 18 11:07:19 2012 New Revision: 240642 URL: http://svn.freebsd.org/changeset/base/240642 Log: Provide kernel compile time option to make pf(4) default rule to drop. This is important to secure a small timeframe at boot time, when network is already configured, but pf(4) is not yet. PR: kern/171622 Submitted by: Olivier Cochard-Labbé Modified: head/share/man/man4/pf.4 head/sys/conf/NOTES head/sys/conf/options head/sys/netpfil/pf/pf_ioctl.c Modified: head/share/man/man4/pf.4 ============================================================================== --- head/share/man/man4/pf.4 Tue Sep 18 10:54:56 2012 (r240641) +++ head/share/man/man4/pf.4 Tue Sep 18 11:07:19 2012 (r240642) @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 29 2012 +.Dd September 18 2012 .Dt PF 4 .Os .Sh NAME @@ -36,6 +36,7 @@ .Nd packet filter .Sh SYNOPSIS .Cd "device pf" +.Cd "options PF_DEFAULT_TO_DROP" .Sh DESCRIPTION Packet filtering takes place in the kernel. A pseudo-device, 
@@ -94,6 +95,15 @@ Read only .Xr sysctl 8 variables with matching names are provided to obtain current values at runtime. +.Sh KERNEL OPTIONS +The following options in the kernel configuration file are related to +.Nm +operation: +.Pp +.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact +.It Dv PF_DEFAULT_TO_DROP +Change default policy to drop by default +.El .Sh IOCTL INTERFACE .Nm supports the following Modified: head/sys/conf/NOTES ============================================================================== --- head/sys/conf/NOTES Tue Sep 18 10:54:56 2012 (r240641) +++ head/sys/conf/NOTES Tue Sep 18 11:07:19 2012 (r240642) @@ -918,6 +918,8 @@ device lagg # packets without touching the TTL). This can be useful to hide firewalls # from traceroute and similar tools. # +# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything. +# # TCPDEBUG enables code which keeps traces of the TCP state machine # for sockets with the SO_DEBUG option set, which can then be examined # using the trpt(8) utility. @@ -937,6 +939,7 @@ options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default options IPSTEALTH #support for stealth forwarding +options PF_DEFAULT_TO_DROP #drop everything by default options TCPDEBUG options RADIX_MPATH Modified: head/sys/conf/options ============================================================================== --- head/sys/conf/options Tue Sep 18 10:54:56 2012 (r240641) +++ head/sys/conf/options Tue Sep 18 11:07:19 2012 (r240642) @@ -430,6 +430,7 @@ NCP NETATALK opt_atalk.h NFSLOCKD PCBGROUP opt_pcbgroup.h +PF_DEFAULT_TO_DROP opt_pf.h RADIX_MPATH opt_mpath.h ROUTETABLES opt_route.h SLIP_IFF_OPTS opt_slip.h Modified: head/sys/netpfil/pf/pf_ioctl.c ============================================================================== --- head/sys/netpfil/pf/pf_ioctl.c Tue Sep 18 10:54:56 2012 (r240641) +++ head/sys/netpfil/pf/pf_ioctl.c Tue Sep 18 11:07:19 2012 (r240642) 
@@ -216,7 +216,11 @@ pfattach(void) /* default rule should never be garbage collected */ V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next; +#ifdef PF_DEFAULT_TO_DROP + V_pf_default_rule.action = PF_DROP; +#else V_pf_default_rule.action = PF_PASS; +#endif V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1;
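Review bot: in the pf.4 KERNEL OPTIONS hunk the description "Change default policy to drop by default" is circular and understates the scope of the option. The pf_ioctl.c hunk assigns V_pf_default_rule.action once, in pfattach(), and nothing in the patch resets it when a ruleset is later loaded, so a packet that matches no rule is dropped for the lifetime of the kernel, not only during the boot window the log message describes. Suggest a body along the lines of "Make the implicit default rule drop packets that match no other rule, instead of passing them. This takes effect from attach time, before any ruleset is loaded." so that an administrator knows a ruleset without an explicit final pass rule behaves differently on such a kernel.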
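Review bot: the #ifdef PF_DEFAULT_TO_DROP added in the pfattach() hunk is only seen by the compiler if pf_ioctl.c includes opt_pf.h, the header the sys/conf/options hunk maps the option to, and this patch adds no such #include. Please confirm the include is already present in pf_ioctl.c: if it is not, the kernel still builds, the #else branch is compiled, and the option silently leaves the default rule at PF_PASS while the config file claims otherwise. It would also help to expose the effective default action read-only at runtime (the man page already documents read-only sysctl variables for other pf values) so an operator can verify the option took effect instead of trusting the kernel configuration.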
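Review bot: in the first sys/conf/NOTES hunk the new comment says the option makes the default rule "deny everything", whereas the option name, the second NOTES hunk ("drop everything by default"), pf.4 and the code (PF_DROP) all use "drop". Suggest "# PF_DEFAULT_TO_DROP causes the default pf(4) rule to drop everything." so that the terminology matches pf's own action name throughout.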