Site Navigation

Date:      Wed, 9 Apr 2025 15:48:11 +0800
From:      Zhenlei Huang <zlei@FreeBSD.org>
To:        Robert Austen <robert.austen@willowglensystems.com>
Cc:        "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, Kristof Provost <kp@FreeBSD.org>, Cy Schubert <cy@freebsd.org>
Subject:   Re: pfil_default_to_drop
Message-ID:  <AE3D71CF-AF58-4F79-AF5C-6CD159C138D5@FreeBSD.org>
In-Reply-To: <QB1PPF4C719E46A03770B2C7622042A91B6EFB52@QB1PPF4C719E46A.CANPRD01.PROD.OUTLOOK.COM>
References:  <YT2PPFD8040D4DA15FF1002CDBF5DE22C41EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM> <YT2PPFD8040D4DA456DB44A9D2934D49D21EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM> <YT2PPFD8040D4DADEDA66317A6B3E7928C9EFAA2@YT2PPFD8040D4DA.CANPRD01.PROD.OUTLOOK.COM> <274BB159-3CB5-49E0-84E7-A3F4B81BFDC1@FreeBSD.org> <QB1PPF4C719E46A03770B2C7622042A91B6EFB52@QB1PPF4C719E46A.CANPRD01.PROD.OUTLOOK.COM>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]


> On Apr 9, 2025, at 1:01 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:
> 
> I respectfully disagree.
> 
> PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, ie. to apply any hooks.
> if pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.

Ahh, I see your problem. Yes, you're right. pf(4) requires ioctl ( DIOCSTART ) or netlink command to enable it.

@Kristof Maybe we also want a loader tunable to enable pf(4) on load ?

> 
> consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be,
> assuming there even is one. thus PF_DEFAULT_TO_DROP  has zero effect (and likewise the equivalents from the other filters).

As for ipfw(4), by default it enables filtering on load, unless you disable it via loader tunable `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw`.

The compile option IPFIREWALL_DEFAULT_TO_ACCEPT or loader tunable `net.inet.ip.fw.default_to_accept` controls the default behavior to drop or accept.
See also https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd <https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd>; .

> 
> as I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP,
> because it handles ALL of the 'no filter installed (yet)' cases. if PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all,
> so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.

It appears ipf(4) unconditionally enable filtering on load, and does not have any tunables to control that. CC @Cy who is more familiar with ipf(4).

> 
> thanks!
> From: Zhenlei Huang <zlei@FreeBSD.org <mailto:zlei@FreeBSD.org>>
> Sent: April 7, 2025 7:55 PM
> To: Robert Austen <robert.austen@willowglensystems.com <mailto:robert.austen@willowglensystems.com>>
> Cc: freebsd-current@freebsd.org <mailto:freebsd-current@freebsd.org> <freebsd-current@freebsd.org <mailto:freebsd-current@freebsd.org>>; freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org> <freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org>>; Kristof Provost <kp@FreeBSD.org <mailto:kp@FreeBSD.org>>
> Subject: Re: pfil_default_to_drop
>  
> You don't often get email from zlei@freebsd.org <mailto:zlei@freebsd.org>. Learn why this is important <https://aka.ms/LearnAboutSenderIdentification>;	
> 
> 
>> On Apr 8, 2025, at 6:36 AM, Robert Austen <robert.austen@willowglensystems.com <mailto:robert.austen@willowglensystems.com>> wrote:
>> 
>> 
>> 
>> From: Robert Austen <robert.austen@willowglensystems.com <mailto:robert.austen@willowglensystems.com>>
>> Sent: April 7, 2025 4:33 PM
>> To: freebsd-current@freebsd.org <mailto:freebsd-current@freebsd.org> <freebsd-current@freebsd.org <mailto:freebsd-current@freebsd.org>>; freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org> <freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org>>
>> Subject: Fw: pfil_default_to_drop
>>  
>> 
>> From: Robert Austen
>> Sent: April 7, 2025 4:21 PM
>> To: freebsd-current@freebsd.org <mailto:freebsd-current@freebsd.org> <freebsd-current@freebsd.org <mailto:freebsd-current@freebsd.org>>
>> Subject: pfil_default_to_drop
>>  
>> Hello,
>> I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.
>> 
>> I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard
>> to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load. 
> 
> Hi Robert,
> 
> So why not defining the compile option PF_DEFAULT_TO_DROP, and preload pf.ko ( via the loader(8), /boot/loader.conf ) ?
> 
> With 13.5, or upcoming 14.3 ( you can also experiment latest stable/14 ), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko.
> See also https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd <https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd>; .
> 
>> 
>> After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc
>> or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no
>> filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination. So my thought 
>> was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the
>> IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the 
>> hooks are  unhooked. 
> 
> If no firewalls loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.
> 
>> 
>> [No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them,
>> maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]
>> 
>> Normally I'm an embedded linux kernel basher.
>> I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,
>> so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her 
>> if I could...
>> 
>> I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...
>> I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,
>> but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.
>> 
>> But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.
>> 
>> thanks!
>> 
>> 
>> Robert
>> 
>> 
>> 
>> 
>> <FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>




[-- Attachment #2 --]
<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Apr 9, 2025, at 1:01 AM, Robert Austen &lt;<a href="mailto:robert.austen@willowglensystems.com" class="">robert.austen@willowglensystems.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><meta charset="UTF-8" class=""><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">I respectfully disagree.</div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, ie. to apply any hooks.</div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">if pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.</div></div></blockquote><div><br class=""></div><div>Ahh, I see your problem. Yes, you're right. pf(4) requires ioctl (&nbsp;DIOCSTART ) or netlink command to enable it.</div><div><br class=""></div><div>@Kristof Maybe we also want a loader tunable to enable pf(4) on load ?</div><br class=""><blockquote type="cite" class=""><div class=""><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be,</div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">assuming there even is one. thus PF_DEFAULT_TO_DROP &nbsp;has zero effect (and likewise the equivalents from the other filters).</div></div></blockquote><div><br class=""></div><div>As for ipfw(4), by default it enables filtering on load, unless you disable it via loader tunable `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw`.</div><div><br class=""></div><div>The compile option&nbsp;IPFIREWALL_DEFAULT_TO_ACCEPT or loader tunable `net.inet.ip.fw.default_to_accept` controls the default behavior to drop or accept.</div><div>See also&nbsp;<a href="https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd" class="">https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd</a>&nbsp;.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">as I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP,</div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">because it handles ALL of the 'no filter installed (yet)' cases. if PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all,</div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.</div></div></blockquote><div><br class=""></div><div>It appears ipf(4) unconditionally enable filtering on load, and does not have any tunables to control that. CC @Cy who is more familiar with ipf(4).</div><br class=""><blockquote type="cite" class=""><div class=""><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="elementToProof" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">thanks!</div><div id="appendonsend" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""></div><hr tabindex="-1" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; display: inline-block; width: 563.5px;" class=""><span style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none; display: inline !important;" class=""></span><div id="divRplyFwdMsg" dir="ltr" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=""><font face="Calibri, sans-serif" style="font-size: 11pt;" class=""><b class="">From:</b><span class="Apple-converted-space">&nbsp;</span>Zhenlei Huang &lt;<a href="mailto:zlei@FreeBSD.org" class="">zlei@FreeBSD.org</a>&gt;<br class=""><b class="">Sent:</b><span class="Apple-converted-space">&nbsp;</span>April 7, 2025 7:55 PM<br class=""><b class="">To:</b><span class="Apple-converted-space">&nbsp;</span>Robert Austen &lt;<a href="mailto:robert.austen@willowglensystems.com" class="">robert.austen@willowglensystems.com</a>&gt;<br class=""><b class="">Cc:</b><span class="Apple-converted-space">&nbsp;</span><a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a><span class="Apple-converted-space">&nbsp;</span>&lt;<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a>&gt;;<span class="Apple-converted-space">&nbsp;</span><a href="mailto:freebsd-net@freebsd.org" class="">freebsd-net@freebsd.org</a><span class="Apple-converted-space">&nbsp;</span>&lt;<a href="mailto:freebsd-net@freebsd.org" class="">freebsd-net@freebsd.org</a>&gt;; Kristof Provost &lt;<a href="mailto:kp@FreeBSD.org" class="">kp@FreeBSD.org</a>&gt;<br class=""><b class="">Subject:</b><span class="Apple-converted-space">&nbsp;</span>Re: pfil_default_to_drop</font><div class="">&nbsp;</div></div><div class="" style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; word-wrap: break-word; line-break: after-white-space;"><table border="0" cellspacing="0" cellpadding="0" width="100%" align="left" style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; background-color: revert !important; bottom: revert !important; color: revert !important; direction: revert !important; font-size: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; padding: revert !important; position: revert !important; tab-size: revert !important; text-align: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; border: 0px !important; display: table !important; width: 575px; table-layout: fixed !important; float: none !important; border-spacing: 0px !important; background-position: revert !important; background-repeat: revert !important;" class=""><tbody style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; background-color: revert !important; border: revert !important; bottom: revert !important; color: revert !important; direction: revert !important; font-size: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; padding: revert !important; position: revert !important; tab-size: revert !important; table-layout: revert !important; text-align: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; width: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; display: block !important; background-position: revert !important; background-repeat: revert !important;" class=""><tr style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; background-color: revert !important; border: revert !important; bottom: revert !important; color: revert !important; direction: revert !important; display: revert !important; font-size: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; padding: revert !important; position: revert !important; tab-size: revert !important; table-layout: revert !important; text-align: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; width: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; background-position: revert !important; background-repeat: revert !important;" class=""><td valign="middle" width="1px" bgcolor="#A6A6A6" cellpadding="7px 2px 7px 2px" style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; border: revert !important; bottom: revert !important; color: revert !important; direction: revert !important; display: revert !important; font-size: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; position: revert !important; tab-size: revert !important; table-layout: revert !important; text-align: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; padding: 7px 2px !important; background-color: rgb(166, 166, 166) !important; width: 0px !important; background-position: revert !important; background-repeat: revert !important;" class=""></td><td valign="middle" width="100%" bgcolor="#EAEAEA" cellpadding="7px 5px 7px 15px" style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; border: revert !important; bottom: revert !important; direction: revert !important; display: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; position: revert !important; tab-size: revert !important; table-layout: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; width: 541px; background-color: rgb(234, 234, 234) !important; padding: 7px 5px 7px 15px !important; font-family: wf_segoe-ui_normal, &quot;Segoe UI&quot;, &quot;Segoe WP&quot;, Tahoma, Arial, sans-serif !important; font-size: 12px !important; font-weight: normal !important; color: rgb(33, 33, 33) !important; text-align: left !important; word-wrap: break-word !important; background-position: revert !important; background-repeat: revert !important;" class=""><div style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; background-color: revert !important; border: revert !important; bottom: revert !important; color: revert !important; direction: revert !important; display: revert !important; font-size: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; padding: revert !important; position: revert !important; tab-size: revert !important; table-layout: revert !important; text-align: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; width: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; background-position: revert !important; background-repeat: revert !important;" class="">You don't often get email from<span class="Apple-converted-space">&nbsp;</span><a href="mailto:zlei@freebsd.org" class="">zlei@freebsd.org</a>.<span class="Apple-converted-space">&nbsp;</span><a href="https://aka.ms/LearnAboutSenderIdentification" style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; background-color: revert !important; color: revert !important; direction: revert !important; display: revert !important; font-size: revert !important; opacity: revert !important; visibility: revert !important; background-position: revert !important; background-repeat: revert !important;" class="">Learn why this is important</a></div></td><td valign="middle" align="left" width="75px" bgcolor="#EAEAEA" cellpadding="7px 5px 7px 5px" style="background-image: revert !important; background-size: revert !important; background-attachment: revert !important; background-origin: revert !important; background-clip: revert !important; border: revert !important; bottom: revert !important; direction: revert !important; display: revert !important; height: revert !important; letter-spacing: revert !important; line-height: revert !important; margin: revert !important; opacity: revert !important; order: revert !important; outline: revert !important; overflow: revert !important; position: revert !important; tab-size: revert !important; table-layout: revert !important; text-indent: revert !important; text-orientation: revert !important; text-overflow: revert !important; text-transform: revert !important; top: revert !important; vertical-align: revert !important; visibility: revert !important; white-space: revert !important; word-break: revert !important; word-spacing: revert !important; writing-mode: revert !important; zoom: revert !important; width: 75px !important; background-color: rgb(234, 234, 234) !important; padding: 7px 5px !important; font-family: wf_segoe-ui_normal, &quot;Segoe UI&quot;, &quot;Segoe WP&quot;, Tahoma, Arial, sans-serif !important; font-size: 12px !important; font-weight: normal !important; color: rgb(33, 33, 33) !important; text-align: left !important; word-wrap: break-word !important; background-position: revert !important; background-repeat: revert !important;" class=""></td></tr></tbody></table><div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Apr 8, 2025, at 6:36 AM, Robert Austen &lt;<a href="mailto:robert.austen@willowglensystems.com" class="">robert.austen@willowglensystems.com</a>&gt; wrote:</div><br class="x_Apple-interchange-newline"><div class=""><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class="x_Apple-interchange-newline"><br class=""></div><div id="x_appendonsend" class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;"></div><hr class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; display: inline-block; width: 576.234375px;"><span class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline !important;"></span><div dir="ltr" id="x_divRplyFwdMsg" class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;"><span class="" style="font-family: Calibri, sans-serif; font-size: 11pt;"><b class="">From:</b>&nbsp;Robert Austen &lt;<a href="mailto:robert.austen@willowglensystems.com" class="">robert.austen@willowglensystems.com</a>&gt;<br class=""><b class="">Sent:</b>&nbsp;April 7, 2025 4:33 PM<br class=""><b class="">To:</b>&nbsp;<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a><span class="x_Apple-converted-space">&nbsp;</span>&lt;<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a>&gt;;<span class="x_Apple-converted-space">&nbsp;</span><a href="mailto:freebsd-net@freebsd.org" class="">freebsd-net@freebsd.org</a><span class="x_Apple-converted-space">&nbsp;</span>&lt;<a href="mailto:freebsd-net@freebsd.org" class="">freebsd-net@freebsd.org</a>&gt;<br class=""><b class="">Subject:</b>&nbsp;Fw: pfil_default_to_drop</span><div class="">&nbsp;</div></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div id="x_x_appendonsend" class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;"></div><hr class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; display: inline-block; width: 576.234375px;"><span class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; float: none; display: inline !important;"></span><div dir="ltr" id="x_x_divRplyFwdMsg" class="" style="font-family: Helvetica; font-size: 13px; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none;"><span class="" style="font-family: Calibri, sans-serif; font-size: 11pt;"><b class="">From:</b>&nbsp;Robert Austen<br class=""><b class="">Sent:</b>&nbsp;April 7, 2025 4:21 PM<br class=""><b class="">To:</b>&nbsp;<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a><span class="x_Apple-converted-space">&nbsp;</span>&lt;<a href="mailto:freebsd-current@freebsd.org" class="">freebsd-current@freebsd.org</a>&gt;<br class=""><b class="">Subject:</b>&nbsp;pfil_default_to_drop</span><div class="">&nbsp;</div></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">Hello,</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.&nbsp;</div></div></blockquote><div class=""><br class=""></div><div class="">Hi Robert,</div><div class=""><br class=""></div><div class="">So why not defining the compile option&nbsp;PF_DEFAULT_TO_DROP, and preload&nbsp;<span class="" style="">pf.ko ( via the loader(8),&nbsp;</span><span class="" style="">/boot/loader.conf ) ?</span></div><div class=""><span class="" style=""><br class=""></span></div><div class=""><font class="">With 13.5, or upcoming 14.3 ( you can also&nbsp;experiment latest stable/14 ), you can<span class="Apple-converted-space">&nbsp;</span></font><span class="" style="">turn the loader tunable&nbsp;net.pf.default_to_drop to 1, and&nbsp;</span><span class="" style="">preload&nbsp;</span><span class="" style="">pf.ko.</span></div><div class="">See also&nbsp;<a href="https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd" class="">https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd</a>&nbsp;.</div><div class=""><br class=""></div><blockquote type="cite" class=""><div class=""><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">filter is loaded, i.e. if the heads are unhooked, then PFIL sends<span class="x_Apple-converted-space">&nbsp;</span><b class="">everything</b>&nbsp;thru to its destination. So my thought&nbsp;</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the&nbsp;</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">hooks are&nbsp; unhooked.&nbsp;</div></div></blockquote><div class=""><br class=""></div><div class="">If no firewalls loaded, then the system should behave as is. I do not think&nbsp;PFIL_DEFAULT_TO_DROP is the right way to handle your case.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">[No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them,</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">Normally I'm an embedded linux kernel basher.</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her&nbsp;</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">if I could...</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">thanks!</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;">Robert</div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; text-align: left; margin: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><div class="" style="font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; text-decoration: none; direction: ltr; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt;"><br class=""></div><span id="x_cid:EF978BA5-1323-4E87-B14E-03A449683C8A" class="">&lt;FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip&gt;</span></div></blockquote></div></div></div></div></blockquote></div><br class=""><div class="">
<div><br class=""></div>

</div>
<br class=""></body></html>

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AE3D71CF-AF58-4F79-AF5C-6CD159C138D5>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact