pf: fallback if $pf_rules fails to load

Support loading a default pf ruleset in case of invalid pf.conf.

If no pf rules are loaded pf will pass/allow all traffic, assuming the
kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in
GENERIC.

In other words: if there's a typo in the main pf_rules we would allow
all traffic. The new default rules minimise the impact of this.

If $pf_program (i.e. pfctl) fails to set $pf_fules and
$pf_fallback_rules_enable is YES we will load $pf_fallback_rules_file if
set, or $pf_fallback_rules.

$pf_fallback_rules can include multiple rules, for example to permit
traffic on a management interface.

$pf_fallback_rules_enable defaults to "NO", preserving historic behaviour.

man page changes by ceri@.

PR:		256410
Reviewed by:	donner, kp
Sponsored by:	semaphor.dk
Differential Revision:	https://reviews.freebsd.org/D30791

3 files changed, 60 insertions, 2 deletions

diff --git a/libexec/rc/rc.conf b/libexec/rc/rc.conf
index 9fdc4d9d8636..b392dae9ae6c 100644
--- a/libexec/rc/rc.conf
+++ b/libexec/rc/rc.conf
@@ -224,6 +224,11 @@ pf_rules="/etc/pf.conf"		# rules definition file for pf (nonexistent
 				# by default)
 pf_program="/sbin/pfctl"	# where the pfctl program lives
 pf_flags=""			# additional flags for pfctl
+pf_fallback_rules_enable="NO"	# fallback if loading ruleset fails
+pf_fallback_rules="block drop log all"	# rules to load on pf ruleset failure
+#pf_fallback_rules="block drop log all
+#pass quick on em4"		# multi-rule
+pf_fallback_rules_file="/etc/pf-fallback.conf"	# rules file on ruleset failure
 pflog_enable="NO"		# Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog"	# where pflogd should store the logfile
 pflog_program="/sbin/pflogd"	# where the pflogd program lives
diff --git a/libexec/rc/rc.d/pf b/libexec/rc/rc.d/pf
index 1f7394007667..fa1b49643cc5 100755
--- a/libexec/rc/rc.d/pf
+++ b/libexec/rc/rc.d/pf
@@ -23,11 +23,28 @@ extra_commands="check reload resync"
 required_files="$pf_rules"
 required_modules="pf"
 
+pf_fallback()
+{
+	warn "Unable to load $pf_rules."
+
+	if ! checkyesno pf_fallback_rules_enable; then
+		return
+	fi
+
+	if [ -f $pf_fallback_rules_file ]; then
+		warn "Loading fallback rules file: $pf_fallback_rules_file"
+		$pf_program -f "$pf_fallback_rules_file" $pf_flags
+	else
+		warn "Loading fallback rules: $pf_fallback_rules"
+		echo $pf_fallback_rules | $pf_program -f - $pf_flags
+	fi
+}
+
 pf_start()
 {
 	check_startmsgs && echo -n 'Enabling pf'
 	$pf_program -F all > /dev/null 2>&1
-	$pf_program -f "$pf_rules" $pf_flags
+	$pf_program -f "$pf_rules" $pf_flags || pf_fallback
 	if ! $pf_program -s info | grep -q "Enabled" ; then
 		$pf_program -eq
 	fi
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 5692228c4db5..57404b8c0e89 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 1, 2021
+.Dd July 8, 2021
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -996,6 +996,42 @@ is set to
 these flags are passed to the
 .Xr pfctl 8
 program when loading the ruleset.
+.It Va pf_fallback_rules_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables loading
+.Va pf_fallback_rules_file
+or
+.Va pf_fallback_rules
+in case of a problem when loading the ruleset in
+.Va pf_rules .
+.It Va pf_fallback_rules_file
+.Pq Vt str
+Path to a pf ruleset to load in case of failure when loading the
+ruleset in
+.Va pf_rules
+(default
+.Pa /etc/pf-fallback.conf ) .
+.It Va pf_fallback_rules
+.Pq Vt str
+A pf ruleset to load in case of failure when loading the ruleset in
+.Va pf_rules
+and
+.Va pf_fallback_rules_file
+is not found.
+Multiple rules can be set as follows:
+.Bd -literal
+pf_fallback_rules="\\
+	block drop log all\\
+	pass in quick on em0"
+.Pp
+.Ed
+The default fallback rule is
+.Dq block drop log all
 .It Va pflog_enable
 .Pq Vt bool
 Set to