Date: Thu, 8 Jul 2021 14:23:16 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: 28f47a199cfd - main - pf: fallback if $pf_rules fails to load
Message-ID: <202107081423.168ENGr6019475@gitrepo.freebsd.org>
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=28f47a199cfd8749ab30a0327b0a3f8977ec2b43 commit 28f47a199cfd8749ab30a0327b0a3f8977ec2b43 Author: Thomas Steen Rasmussen <thomas@gibfest.dk> AuthorDate: 2021-06-16 18:29:06 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2021-07-08 12:22:04 +0000 pf: fallback if $pf_rules fails to load Support loading a default pf ruleset in case of invalid pf.conf. If no pf rules are loaded pf will pass/allow all traffic, assuming the kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in GENERIC. In other words: if there's a typo in the main pf_rules we would allow all traffic. The new default rules minimise the impact of this. If $pf_program (i.e. pfctl) fails to set $pf_fules and $pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if set, or $pf_fallback_rules. $pf_fallback_rules can include multiple rules, for example to permit traffic on a management interface. $pf_fallback_rules_enable defaults to "NO", preserving historic behaviour. man page changes by ceri@. PR: 256410 Reviewed by: donner, kp Sponsored by: semaphor.dk Differential Revision: https://reviews.freebsd.org/D30791 --- libexec/rc/rc.conf | 5 +++++ libexec/rc/rc.d/pf | 19 ++++++++++++++++++- share/man/man5/rc.conf.5 | 38 +++++++++++++++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf index 9fdc4d9d8636..b392dae9ae6c 100644 --- a/libexec/rc/rc.conf +++ b/libexec/rc/rc.conf 
@@ -224,6 +224,11 @@ pf_rules="/etc/pf.conf" # rules definition file for pf (nonexistent # by default) pf_program="/sbin/pfctl" # where the pfctl program lives pf_flags="" # additional flags for pfctl +pf_fallback_rules_enable="NO" # fallback if loading ruleset fails +pf_fallback_rules="block drop log all" # rules to load on pf ruleset failure +#pf_fallback_rules="block drop log all +#pass quick on em4" # multi-rule +pf_fallback_rules_file="/etc/pf-fallback.conf" # rules file on ruleset failure pflog_enable="NO" # Set to YES to enable packet filter logging pflog_logfile="/var/log/pflog" # where pflogd should store the logfile pflog_program="/sbin/pflogd" # where the pflogd program lives diff --git a/libexec/rc/rc.d/pf b/libexec/rc/rc.d/pf index 1f7394007667..fa1b49643cc5 100755 --- a/libexec/rc/rc.d/pf +++ b/libexec/rc/rc.d/pf @@ -23,11 +23,28 @@ extra_commands="check reload resync" required_files="$pf_rules" required_modules="pf" +pf_fallback() +{ + warn "Unable to load $pf_rules." + + if ! checkyesno pf_fallback_rules_enable; then + return + fi + + if [ -f $pf_fallback_rules_file ]; then + warn "Loading fallback rules file: $pf_fallback_rules_file" + $pf_program -f "$pf_fallback_rules_file" $pf_flags + else + warn "Loading fallback rules: $pf_fallback_rules" + echo $pf_fallback_rules | $pf_program -f - $pf_flags + fi +} + pf_start() { check_startmsgs && echo -n 'Enabling pf' $pf_program -F all > /dev/null 2>&1 - $pf_program -f "$pf_rules" $pf_flags + $pf_program -f "$pf_rules" $pf_flags || pf_fallback if ! $pf_program -s info | grep -q "Enabled" ; then $pf_program -eq fi diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 5692228c4db5..57404b8c0e89 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 1, 2021 +.Dd July 8, 2021 .Dt RC.CONF 5 .Os .Sh NAME 
@@ -996,6 +996,42 @@ is set to these flags are passed to the .Xr pfctl 8 program when loading the ruleset. +.It Va pf_fallback_rules_enable +.Pq Vt bool +Set to +.Dq Li NO +by default. +Setting this to +.Dq Li YES +enables loading +.Va pf_fallback_rules_file +or +.Va pf_fallback_rules +in case of a problem when loading the ruleset in +.Va pf_rules . +.It Va pf_fallback_rules_file +.Pq Vt str +Path to a pf ruleset to load in case of failure when loading the +ruleset in +.Va pf_rules +(default +.Pa /etc/pf-fallback.conf ) . +.It Va pf_fallback_rules +.Pq Vt str +A pf ruleset to load in case of failure when loading the ruleset in +.Va pf_rules +and +.Va pf_fallback_rules_file +is not found. +Multiple rules can be set as follows: +.Bd -literal +pf_fallback_rules="\\ + block drop log all\\ + pass in quick on em0" +.Pp +.Ed +The default fallback rule is +.Dq block drop log all .It Va pflog_enable .Pq Vt bool Set to
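Review bot: in the rc.conf hunk the default `pf_fallback_rules_file="/etc/pf-fallback.conf"` names a file that is not shipped, so with stock defaults the inline `pf_fallback_rules` is what actually gets loaded; the comment should say the file is used only when it exists and the inline rules otherwise. The commented multi-rule example also embeds a bare newline inside the quotes (`#pf_fallback_rules="block drop log all` / `#pass quick on em4"`) while rc.conf.5 shows backslash continuation and `em0`; the two examples should agree, and whichever form is chosen has to survive the `echo $pf_fallback_rules` expansion in rc.d/pf, where unquoted word splitting turns the newline into a space.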
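Review bot: in the rc.d/pf hunk, `echo $pf_fallback_rules | $pf_program -f - $pf_flags` expands the variable unquoted, so a multi-line value (the multi-rule case the commit message advertises) reaches pfctl as one space-joined line, and `[ -f $pf_fallback_rules_file ]` is likewise unquoted, so an empty value turns the test into `[ -f ]`, which is true, after which pfctl is run with an empty path. Quote both: `[ -n "$pf_fallback_rules_file" ] && [ -f "$pf_fallback_rules_file" ]` and `printf '%s\n' "$pf_fallback_rules" | $pf_program -f - $pf_flags`. Two further points: the exit status of the fallback load is ignored, so if the fallback ruleset is itself rejected the script has already run `-F all`, leaves pf with an empty ruleset (pass-all under GENERIC, per the commit message), still enables pf via `-eq`, and prints no warning about it; and since `required_files="$pf_rules"` is unchanged, a missing pf_rules file stops the service before pf_start runs, so the fallback only covers a present-but-invalid file, which the rc.conf comment and the rc.conf.5 text should state.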
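Review bot: in the rc.conf.5 `.Bd -literal` example, the backslash-newline inside the double-quoted `pf_fallback_rules="\` value is a sh line continuation, so the shell removes it and `block drop log all` and `pass in quick on em0` become a single line before anything reaches pfctl; the example should show a literal newline inside the quotes, matching the rc.conf comment. Also move `.Pp` after `.Ed` instead of leaving it inside the literal display, and write `.Dq Li block drop log all` to match the `.Dq Li NO` / `.Dq Li YES` style used earlier in the same hunk.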