To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 55ea321fe65e - stable/13 - ipfilter: Disable ipfs(8) by default
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 55ea321fe65ee438e237543c95ce7e6c0329e907
Date: Mon, 05 Jan 2026 20:02:58 +0000
Message-Id: <695c18f2.8594.18a2e648@gitrepo.freebsd.org>

The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=55ea321fe65ee438e237543c95ce7e6c0329e907

commit 55ea321fe65ee438e237543c95ce7e6c0329e907
Author:     Cy Schubert
AuthorDate: 2025-11-16 07:39:19 +0000
Commit:     Cy Schubert
CommitDate: 2026-01-05 03:40:11 +0000

    ipfilter: Disable ipfs(8) by default

    At the moment ipfs(8) is a tool that can be easily abused. Though the
    concept is sound the implementation needs some work. ipfs(8) should be
    considered experimental at the moment.

    This commit also makes ipfs support in the kernel optional.

    Reviewed by: emaste, glebius
    MFC after: 1 week
    Differential revision: https://reviews.freebsd.org/D53787

    (cherry picked from commit 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5)
---
 sbin/ipf/Makefile                        | 6 +++++-
 share/mk/src.opts.mk                     | 1 +
 sys/conf/NOTES                           | 1 +
 sys/conf/options                         | 1 +
 sys/modules/ipfilter/Makefile            | 6 ++++++
 sys/netpfil/ipfilter/netinet/ip_nat.c    | 5 ++++-
 sys/netpfil/ipfilter/netinet/ip_state.c  | 4 ++++
 tools/build/mk/OptionalObsoleteFiles.inc | 4 ++++
 8 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile index 32cead444f77..b64b09584b48 100644 --- a/sbin/ipf/Makefile +++ b/sbin/ipf/Makefile 
@@ -1,6 +1,10 @@ +.include SUBDIR= libipf .WAIT -SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool +SUBDIR+= ipf ipfstat ipmon ipnat ippool +.if ${MK_IPFILTER_IPFS} != "no" +SUBDIR+= ipfs +.endif # XXX Temporarily disconnected. # SUBDIR+= ipftest ipresend ipsend SUBDIR_PARALLEL= diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index dbc0cf31671f..6a4b03b1a8bc 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -205,6 +205,7 @@ __DEFAULT_NO_OPTIONS = \ DTRACE_TESTS \ EXPERIMENTAL \ HESIOD \ + IPFILTER_IPFS \ LIBSOFT \ LLVM_ASSERTIONS \ LLVM_BINUTILS \ diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 46800301657a..f112e2124130 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1019,6 +1019,7 @@ options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default +options IPFILTER_IPFS #enable experimental ipfs(8) support options IPSTEALTH #support for stealth forwarding options PF_DEFAULT_TO_DROP #drop everything by default options TCPDEBUG diff --git a/sys/conf/options b/sys/conf/options index a62380b1efe2..9d1942f266fc 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -430,6 +430,7 @@ IPFILTER opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h +IPFILTER_IPFS opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile index 8303cbba9c1a..ea3b44d0501c 100644 --- a/sys/modules/ipfilter/Makefile +++ b/sys/modules/ipfilter/Makefile @@ -1,3 +1,4 @@ +.include .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet 
@@ -10,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP + +.if ${MK_IPFILTER_IPFS} != "no" +CFLAGS+= -DIPFILTER_IPFS +.endif + # # If you don't want log functionality remove -DIPFILTER_LOG # diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index 4a2f9ec05479..443e9d49355a 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1344,6 +1344,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx); break; +#ifdef IPFILTER_IPFS case SIOCSTLCK : if (!(mode & FWRITE)) { IPFERROR(60015); @@ -1379,6 +1380,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = EACCES; } break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -1686,7 +1688,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n, } } - +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_nat_getsz */ /* Returns: int - 0 == success, != 0 is the error value. */ @@ -2254,6 +2256,7 @@ junkput: } return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index e2ab064e5058..4514e77e9bb2 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -713,6 +713,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFOBJ_STATESTAT); break; +#ifdef IPFILTER_IPFS /* * Lock/Unlock the state table. (Locking prevents any changes, which * means no packets match). 
@@ -749,6 +750,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } error = ipf_state_getent(softc, softs, data); break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -805,6 +807,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ @@ -1009,6 +1012,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs, return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index 5e5d83456ce3..9bf054570106 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -2752,6 +2752,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz OLD_FILES+=usr/share/man/man8/ippool.8.gz .endif +.if ${MK_IPFILTER_IPFS} == no +OLD_FILES+=sbin/ipfs +.endif + .if ${MK_IPFW} == no OLD_FILES+=etc/rc.d/ipfw OLD_FILES+=etc/periodic/security/500.ipfwdenied
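
Review bot: The IPFILTER_IPFS entry added to __DEFAULT_NO_OPTIONS in share/mk/src.opts.mk has no accompanying option description: the diffstat lists eight files and none of them is under tools/build/options, so the new knob would be undocumented in src.conf(5). Suggest adding tools/build/options/WITH_IPFILTER_IPFS, stating that ipfs(8) is experimental and that the same knob also adds -DIPFILTER_IPFS to the ipfilter module build.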
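
Review bot: In sys/modules/ipfilter/Makefile the kernel-side code is enabled by MK_IPFILTER_IPFS, while sys/conf/options and sys/conf/NOTES introduce a separate "options IPFILTER_IPFS" for statically linked kernels, so the same ioctl paths are controlled by two independent knobs. A build can therefore ship sbin/ipfs (sbin/ipf/Makefile keys on MK_IPFILTER_IPFS) against a static kernel that was configured without the option, or the reverse. Suggest saying in the NOTES comment and in the option description that both settings are needed for a static kernel, so an administrator who wants the feature off knows which switch actually removes the kernel entry points.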
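
Review bot: The new "#ifdef IPFILTER_IPFS" blocks in ip_nat.c and ip_state.c only take effect in a static kernel if opt_ipfilter.h is reached from both files, and no hunk here adds or shows that include. Please confirm it, because otherwise "options IPFILTER_IPFS" would be silently ignored and the SIOCSTLCK case and the getent/putent functions would stay compiled out regardless of the kernel config. Separately, the third ip_nat.c hunk drops the blank line before the ipf_nat_getsz comment banner when inserting the #ifdef; keeping the blank line and adding the #ifdef after it would match the ip_state.c hunks.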
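
Review bot: The MK_IPFILTER_IPFS block added to tools/build/mk/OptionalObsoleteFiles.inc lists only sbin/ipfs, whereas the context directly above it tracks manual pages such as usr/share/man/man8/ipnat.8.gz and usr/share/man/man8/ippool.8.gz. If ipfs installs a manual page or any other file, add those paths to the same block so that "make delete-old" removes everything belonging to the tool. That matters for this stable/13 merge in particular, since systems upgraded from an earlier build keep the existing binary until the obsolete-file list removes it.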