Page MenuHomeFreeBSD
Differential D30791

pf: fallback if $pf_rules fails to load
ClosedPublic
Actions

Authored by kp on Jun 16 2021, 8:39 PM.
Tags
None
Referenced Files
Unknown Object (File)
Oct 3 2024, 10:13 PM
Unknown Object (File)
Oct 2 2024, 5:17 AM
Unknown Object (File)
Sep 25 2024, 7:22 AM
Unknown Object (File)
Sep 25 2024, 5:26 AM
Unknown Object (File)
Sep 23 2024, 4:59 PM
Unknown Object (File)
Sep 22 2024, 6:55 AM
Unknown Object (File)
Sep 21 2024, 7:36 PM
Unknown Object (File)
Sep 17 2024, 5:27 AM
View All 58 Files
Subscribers
bcr
donner
imp

Details

Reviewers
donner
Group Reviewers
network
manpages
Commits
rGfae2a8cad398: pf: fallback if $pf_rules fails to load
rG28f47a199cfd: pf: fallback if $pf_rules fails to load
Summary

Support loading a default pf ruleset in case of invalid pf.conf.

If no pf rules are loaded pf will pass/allow all traffic, assuming the
kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
GENERIC.

In other words: if there's a typo in the main pf_rules we would allow
all traffic. The new default rules minimise the impact of this.

If $pf_program (i.e. pfctl) fails to set $pf_fules and
$pf_default_rules_enable is YES we will load $pf_default_rules_file if
set, or $pf_default_rules.

$pf_default_rules can include multiple rules, for example to permit
traffic on a management interface. Seperate multiple rules with \n:

$ sudo sysrc pf_default_rules
pf_default_rules: block drop log all\npass quick on em0
$

pf_default_rules_enable defaults to "NO", preserving historic behaviour.

man page changes by ceri@.

PR: 256410
Sponsored by: semaphor.dk

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 39977
Build 36866: arc lint + arc unit

Event Timeline

kp created this revision.Jun 16 2021, 8:39 PM
Herald added a reviewer: manpages. · View Herald TranscriptJun 16 2021, 8:39 PM
Herald added a subscriber: imp. · View Herald Transcript
kp requested review of this revision.Jun 16 2021, 8:39 PM
Harbormaster completed remote builds in B39936: Diff 90976.Jun 16 2021, 8:39 PM
donner added a subscriber: donner.Jun 16 2021, 9:26 PM
donner added inline comments.
libexec/rc/rc.d/pf
39

I feel bad with echo -e in order to generate multiple lines.
You may have a look at if_aliases. Why not simply

pf_fallback_rules="
  block drop lock all
  pass quick on em0
"
47

The common idiom is
$pf_program -f "$pg_rules" $pf_flags || pf_fallback

bcr accepted this revision as: manpages.Jun 17 2021, 7:17 AM
bcr added a subscriber: bcr.

Manpage looks good.

kp updated this revision to Diff 91060.Jun 18 2021, 3:58 PM
  • fix remarks

Thanks, those are all improvements.

Harbormaster completed remote builds in B39977: Diff 91060.Jun 18 2021, 3:58 PM
donner accepted this revision.Jun 18 2021, 7:07 PM
This revision is now accepted and ready to land.Jun 18 2021, 7:07 PM
Closed by commit rG28f47a199cfd: pf: fallback if $pf_rules fails to load (authored by thomas_gibfest.dk, committed by kp). · Explain WhyJul 8 2021, 2:23 PM
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG28f47a199cfd: pf: fallback if $pf_rules fails to load.
kp added a commit: rGfae2a8cad398: pf: fallback if $pf_rules fails to load.Jan 24 2022, 10:55 PM

Revision Contents
Changeset List

PathSize
libexec/
rc/
5 lines
rc.d/
19 lines
share/
man/
man5/
38 lines

Diff 91060

View Options

libexec/rc/rc.conf

Loading...
View Options

libexec/rc/rc.d/pf

Loading...
View Options

share/man/man5/rc.conf.5

Loading...