author | Zhenlei Huang <zlei@FreeBSD.org> | 2023-09-22 10:05:02 +0000 |
---|---|---|
committer | Zhenlei Huang <zlei@FreeBSD.org> | 2025-01-24 15:46:20 +0000 |
commit | 3965be101c434437ce8819250e9e6b3e5c3d702e (patch) | |
tree | ba9273a469cce8eb448b0d4d2db2532f2ec60bc1 | |
parent | d67b1748ea34ad6f66072694fd8b623ab0ea72b1 (diff) |
pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop'
7f7ef494f11d introduced a compile time option PF_DEFAULT_TO_DROP to make
the pf(4) default rule drop. This change exposes a vnet loader
tunable 'net.pf.default_to_drop' so that users can change the default
rule without re-compiling the pf(4) module.
This change is similar to that for IPFW [1].
1. 5f17ebf94db5 Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable 'net.inet.ip.fw.default_to_accept'
Reviewed by: #network, kp
MFC after: 2 weeks
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D39866
(cherry picked from commit c531c1d1462c45f7ce5de4f9913226801f3073bd)
-rw-r--r-- | share/man/man4/pf.4 | 4 | ||||
-rw-r--r-- | sys/netpfil/pf/pf_ioctl.c | 16 |
2 files changed, 15 insertions, 5 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index 4938e719b17e..cd87b98ea45d 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -87,6 +87,10 @@ Default value is 131072.
 Size of hash table that store source nodes.
 Should be power of 2.
 Default value is 32768.
+.It Va net.pf.default_to_drop
+This value overrides
+.Cd "options PF_DEFAULT_TO_DROP"
+from kernel configuration file.
 .It Va net.pf.rdr_srcport_rewrite_tries
 The maximum number of times to try and find a free source port when handling redirects.
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 6cb7bc95df2b..e67a0ddadfb7 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -199,6 +199,16 @@ SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
     &VNET_NAME(pf_filter_local), false,
     "Enable filtering for packets delivered to local network stack");
 
+#ifdef PF_DEFAULT_TO_DROP
+VNET_DEFINE_STATIC(bool, default_to_drop) = true;
+#else
+VNET_DEFINE_STATIC(bool, default_to_drop);
+#endif
+#define V_default_to_drop VNET(default_to_drop)
+SYSCTL_BOOL(_net_pf, OID_AUTO, default_to_drop, CTLFLAG_RDTUN | CTLFLAG_VNET,
+    &VNET_NAME(default_to_drop), false,
+    "Make the default rule drop all packets.");
+
 static void pf_init_tagset(struct pf_tagset *, unsigned int *, unsigned int);
 static void pf_cleanup_tagset(struct pf_tagset *);
 
@@ -335,11 +345,7 @@ pfattach_vnet(void)
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
-#ifdef PF_DEFAULT_TO_DROP
-	V_pf_default_rule.action = PF_DROP;
-#else
-	V_pf_default_rule.action = PF_PASS;
-#endif
+	V_pf_default_rule.action = V_default_to_drop ? PF_DROP : PF_PASS;
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;
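Review bot: The `false` passed as the default value in the new `SYSCTL_BOOL(_net_pf, OID_AUTO, default_to_drop, ...)` contradicts the `= true` initializer selected under `#ifdef PF_DEFAULT_TO_DROP` a few lines above; as I read the SYSCTL_BOOL contract the literal is ignored when a non-NULL pointer is supplied, so the exported value is the initializer, but a reader now sees two different defaults for the knob that decides whether pf fails open or fails closed. A one-line comment above the macro, `/* default comes from the initializer above; the literal is unused with a non-NULL ptr */`, or deriving both from a single `#ifdef`-selected value, would remove the ambiguity. The description string could also tell operators what the flags imply: it is CTLFLAG_RDTUN, so the choice is fixed from the loader environment and cannot be flipped at runtime, and it is consumed once in pfattach_vnet (second hunk; that function begins and ends outside the hunk), e.g. `"Make the default rule drop all packets (loader tunable, applied when pf attaches to a vnet)"`. Whether a newly created vnet picks up the loader-set value or the compile-time initializer is not visible here and is worth confirming and recording in the pf.4 entry.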