D39866.id127628.diff
No OneTemporary
Actions

Size

1 KB

Referenced Files

None

Subscribers

None

D39866.id127628.diff
View Options

	diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
	--- a/share/man/man4/pf.4
	+++ b/share/man/man4/pf.4
	@@ -87,6 +87,10 @@
	Size of hash table that store source nodes.
	Should be power of 2.
	Default value is 32768.
	+.It Va net.pf.default_to_drop
	+This value overrides
	+.Cd "options PF_DEFAULT_TO_DROP"
	+from kernel configuration file.
	.El
	.Pp
	Read only
	diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
	--- a/sys/netpfil/pf/pf_ioctl.c
	+++ b/sys/netpfil/pf/pf_ioctl.c
	@@ -199,6 +199,16 @@
	&VNET_NAME(pf_filter_local), false,
	"Enable filtering for packets delivered to local network stack");

	+#ifdef PF_DEFAULT_TO_DROP
	+VNET_DEFINE_STATIC(bool, default_to_drop) = true;
	+#else
	+VNET_DEFINE_STATIC(bool, default_to_drop);
	+#endif
	+#define V_default_to_drop VNET(default_to_drop)
	+SYSCTL_BOOL(_net_pf, OID_AUTO, default_to_drop, CTLFLAG_RDTUN \| CTLFLAG_VNET,
	+ &VNET_NAME(default_to_drop), false,
	+ "Make the default rule drop all packets.");
	+
	static void pf_init_tagset(struct pf_tagset , unsigned int ,
	unsigned int);
	static void pf_cleanup_tagset(struct pf_tagset *);
	@@ -335,11 +345,7 @@

	/* default rule should never be garbage collected */
	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
	-#ifdef PF_DEFAULT_TO_DROP
	- V_pf_default_rule.action = PF_DROP;
	-#else
	- V_pf_default_rule.action = PF_PASS;
	-#endif
	+ V_pf_default_rule.action = V_default_to_drop ? PF_DROP : PF_PASS;
	V_pf_default_rule.nr = -1;
	V_pf_default_rule.rtableid = -1;