D30791.diff
diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -224,6 +224,11 @@
# by default)
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
+pf_fallback_rules_enable="NO" # fallback if loading ruleset fails
+pf_fallback_rules="block drop log all" # rules to load on pf ruleset failure
+#pf_fallback_rules="block drop log all
+#pass quick on em4" # multi-rule
+pf_fallback_rules_file="/etc/pf-fallback.conf" # rules file on ruleset failure
pflog_enable="NO" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
diff --git a/libexec/rc/rc.d/pf b/libexec/rc/rc.d/pf
--- a/libexec/rc/rc.d/pf
+++ b/libexec/rc/rc.d/pf
@@ -23,11 +23,28 @@
required_files="$pf_rules"
required_modules="pf"
+pf_fallback()
+{
+ warn "Unable to load $pf_rules."
+
+ if ! checkyesno pf_fallback_rules_enable; then
+ return
+ fi
+
+ if [ -f $pf_fallback_rules_file ]; then
+ warn "Loading fallback rules file: $pf_fallback_rules_file"
+ $pf_program -f "$pf_fallback_rules_file" $pf_flags
+ else
+ warn "Loading fallback rules: $pf_fallback_rules"
+ echo $pf_fallback_rules | $pf_program -f - $pf_flags
+ fi
+}
+
pf_start()
{
check_startmsgs && echo -n 'Enabling pf'
$pf_program -F all > /dev/null 2>&1
- $pf_program -f "$pf_rules" $pf_flags
+ $pf_program -f "$pf_rules" $pf_flags || pf_fallback
if ! $pf_program -s info | grep -q "Enabled" ; then
$pf_program -eq
fi
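Review bot: The fallback load's exit status is never checked, so when the fallback ruleset itself fails to parse, pf_start still reaches the `-eq` enable on the following lines and pf comes up with whatever the `-F all` flush left behind instead of failing closed; ending the function with `fi || warn "fallback ruleset failed to load"` (or returning that status so pf_start can act on it) would at least make this visible. The inline path also word-splits the rules: `echo $pf_fallback_rules` collapses the multi-line form shown in the rc.conf hunk into a single line that pfctl will most likely reject, and `[ -f $pf_fallback_rules_file ]` breaks on a path containing spaces; use `printf '%s\n' "$pf_fallback_rules" | $pf_program -f - $pf_flags` and `[ -f "$pf_fallback_rules_file" ]`. Relatedly, the rc.conf.5 example in the last hunk ends each line with a backslash inside double quotes, which sh treats as line continuation, so it yields the same single-line ruleset rather than the newline-separated one the rc.conf comment demonstrates. pf_start's closing brace lies outside the hunk.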
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd July 1, 2021
+.Dd July 8, 2021
.Dt RC.CONF 5
.Os
.Sh NAME
@@ -996,6 +996,42 @@
these flags are passed to the
.Xr pfctl 8
program when loading the ruleset.
+.It Va pf_fallback_rules_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables loading
+.Va pf_fallback_rules_file
+or
+.Va pf_fallback_rules
+in case of a problem when loading the ruleset in
+.Va pf_rules .
+.It Va pf_fallback_rules_file
+.Pq Vt str
+Path to a pf ruleset to load in case of failure when loading the
+ruleset in
+.Va pf_rules
+(default
+.Pa /etc/pf-fallback.conf ) .
+.It Va pf_fallback_rules
+.Pq Vt str
+A pf ruleset to load in case of failure when loading the ruleset in
+.Va pf_rules
+and
+.Va pf_fallback_rules_file
+is not found.
+Multiple rules can be set as follows:
+.Bd -literal
+pf_fallback_rules="\\
+ block drop log all\\
+ pass in quick on em0"
+.Pp
+.Ed
+The default fallback rule is
+.Dq block drop log all
.It Va pflog_enable
.Pq Vt bool
Set to
D30791: pf: fallback if $pf_rules fails to load