To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Cy Schubert
Subject: git: 0ff0c19e7f70 - main - ipfilter: Disable ipfs(8) by default
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5
Date: Mon, 08 Dec 2025 16:15:26 +0000
Message-Id: <6936f99e.3bf1f.51b4da29@gitrepo.freebsd.org>

The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5

commit 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5
Author:     Cy Schubert
AuthorDate: 2025-11-16 07:39:19 +0000
Commit:     Cy Schubert
CommitDate: 2025-12-08 16:15:18 +0000

    ipfilter: Disable ipfs(8) by default

    At the moment ipfs(8) is a tool that can be easily abused. Though the
    concept is sound, the implementation needs some work. ipfs(8) should be
    considered experimental at the moment.

    This commit also makes ipfs support in the kernel optional.

    Reviewed by:    emaste, glebius
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D53787
---
 sbin/ipf/Makefile                        | 7 ++++++-
 share/mk/src.opts.mk                     | 1 +
 sys/conf/NOTES                           | 1 +
 sys/conf/options                         | 1 +
 sys/modules/ipfilter/Makefile            | 7 +++++++
 sys/netpfil/ipfilter/netinet/ip_nat.c    | 5 ++++-
 sys/netpfil/ipfilter/netinet/ip_state.c  | 4 ++++
 tools/build/mk/OptionalObsoleteFiles.inc | 4 ++++
 8 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
index 1b0a18d3d9c3..b64b09584b48 100644
--- a/sbin/ipf/Makefile
+++ b/sbin/ipf/Makefile
@@ -1,5 +1,10 @@ +.include + SUBDIR= libipf .WAIT -SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool +SUBDIR+= ipf ipfstat ipmon ipnat ippool +.if ${MK_IPFILTER_IPFS} != "no" +SUBDIR+= ipfs +.endif # XXX Temporarily disconnected. # SUBDIR+= ipftest ipresend ipsend SUBDIR_PARALLEL= diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index e10455cd4e82..4109edc90f2f 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -209,6 +209,7 @@ __DEFAULT_NO_OPTIONS = \ DTRACE_TESTS \ EXPERIMENTAL \ HESIOD \ + IPFILTER_IPFS \ LOADER_VERBOSE \ LOADER_VERIEXEC_PASS_MANIFEST \ LLVM_FULL_DEBUGINFO \ diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 2ba211fa45c9..8d413fb4f583 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1046,6 +1046,7 @@ options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default +options IPFILTER_IPFS #enable experimental ipfs(8) support options IPSTEALTH #support for stealth forwarding options PF_DEFAULT_TO_DROP #drop everything by default options TCP_BLACKBOX diff --git a/sys/conf/options b/sys/conf/options index 2437c2c6908a..c86560491faf 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -449,6 +449,7 @@ IPFILTER opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h +IPFILTER_IPFS opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile index 6c5fc140f36c..969df7dfad84 100644 --- a/sys/modules/ipfilter/Makefile +++ b/sys/modules/ipfilter/Makefile @@ -1,3 +1,5 @@ +.include + .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet KMOD= ipl 
@@ -9,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP + +.if ${MK_IPFILTER_IPFS} != "no" +CFLAGS+= -DIPFILTER_IPFS +.endif + # # If you don't want log functionality remove -DIPFILTER_LOG # diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index b8602db91820..bf091e3b0e12 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1337,6 +1337,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx); break; +#ifdef IPFILTER_IPFS case SIOCSTLCK : if (!(mode & FWRITE)) { IPFERROR(60015); @@ -1372,6 +1373,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = EACCES; } break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -1679,7 +1681,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n, } } - +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_nat_getsz */ /* Returns: int - 0 == success, != 0 is the error value. */ @@ -2247,6 +2249,7 @@ junkput: } return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index 36fdf23cd062..8a21e7593995 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFOBJ_STATESTAT); break; +#ifdef IPFILTER_IPFS /* * Lock/Unlock the state table. (Locking prevents any changes, which * means no packets match). 
@@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } error = ipf_state_getent(softc, softs, data); break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ @@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs, return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index 7cf742616e63..e0bc47492f7d 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -2627,6 +2627,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz OLD_FILES+=usr/share/man/man8/ippool.8.gz .endif +.if ${MK_IPFILTER_IPFS} == no +OLD_FILES+=sbin/ipfs +.endif + .if ${MK_IPFW} == no OLD_FILES+=etc/rc.d/ipfw OLD_FILES+=etc/rc.d/natd
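Review bot: in the sbin/ipf/Makefile hunk (`@@ -1,5 +1,10 @@`) the added `+.include` line shows no file argument, yet the new `.if ${MK_IPFILTER_IPFS} != "no"` guard only works if the file that derives MK_IPFILTER_IPFS from the new IPFILTER_IPFS knob has been included first; confirm the intended include name survived (an angle-bracketed name may have been lost in rendering), because without it the conditional cannot be evaluated and the `ipfs` subdirectory is not gated as the commit message intends. The same check applies to the bare `+.include` at the top of the sys/modules/ipfilter/Makefile hunk (`@@ -1,3 +1,5 @@`).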
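Review bot: the share/mk/src.opts.mk hunk adds IPFILTER_IPFS to __DEFAULT_NO_OPTIONS, but the diffstat lists no accompanying description file under tools/build/options/ for WITH_IPFILTER_IPFS, so src.conf(5) will not document the knob that now decides whether ipfs(8) and its kernel-side ioctl handlers are built. Add that file and state there what the NOTES comment already says: the tool is experimental and off by default.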
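Review bot: the sys/conf/NOTES hunk's comment `#enable experimental ipfs(8) support` is the only place in the patch that records the experimental status; the ipfs(8) manual page is not in the diffstat, so a user who enables the utility gets no warning there that it is considered experimental and easily abused, as the commit message states. Update the manual page alongside this change, and mention that the kernel must also be built with `options IPFILTER_IPFS` (or the module with MK_IPFILTER_IPFS enabled) for the tool to function.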
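Review bot: in the sys/modules/ipfilter/Makefile hunk (`@@ -9,6 +11,11 @@`) the module gets `-DIPFILTER_IPFS` from the build knob MK_IPFILTER_IPFS, while a statically linked kernel gets it from `options IPFILTER_IPFS` via opt_ipfilter.h (sys/conf/options hunk); these two switches are independent, so a userland built with ipfs(8) can run against a kernel whose SIOCSTLCK and related handlers were compiled out, and vice versa. Worth a sentence in the commit message or manual page that both sides must be enabled together.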
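Review bot: in the ip_nat.c hunk `@@ -1679,7 +1681,7 @@` the blank line after the closing braces is removed and replaced by `+#ifdef IPFILTER_IPFS`, so the directive now abuts the previous function's closing brace; keep the blank separator (`}` / blank / `#ifdef IPFILTER_IPFS`) for consistency with the `@@ -801,6 +803,7 @@` hunk in ip_state.c, which adds the `#ifdef` without deleting a line.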
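Review bot: the ip_nat.c hunks `@@ -1337,6 +1337,7 @@` and `@@ -1372,6 +1373,7 @@` (and the matching ip_state.c hunks `@@ -709` and `@@ -745`) compile out the `case SIOCSTLCK :` block through the new `#endif`, so when IPFILTER_IPFS is unset those ioctl commands fall through to each switch's default branch, which is not visible in the diff; confirm that branch returns a distinct error so ipfs(8) can report that the running kernel lacks ipfs support rather than a misleading failure, and that nothing else in the file references the now-conditional `ipf_nat_getsz`, `ipf_state_getent` or `ipf_state_putent` symbols outside the guards.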
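Review bot: the tools/build/mk/OptionalObsoleteFiles.inc hunk lists only `sbin/ipfs` under `.if ${MK_IPFILTER_IPFS} == no`, but the adjacent context shows the established pattern of also removing the tools' manual pages (`usr/share/man/man8/ipnat.8.gz`, `usr/share/man/man8/ippool.8.gz`), and dropping `ipfs` from SUBDIR in sbin/ipf/Makefile also stops installing its manual page; add `OLD_FILES+=usr/share/man/man8/ipfs.8.gz` to the new block so `make delete-old` removes the stale page too.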