Provide kernel compile time option to make pf(4) default rule to drop.

This is important to secure a small timeframe at boot time, when network is already configured, but pf(4) is not yet. PR: kern/171622 Submitted by: Olivier Cochard-LabbИ <olivier cochard.me>
2012-09-18 11:07:19 +00:00 · 2012-09-18 11:07:19 +00:00 · df8f633169
commit df8f633169
parent c3ead4d7df
4 changed files with 19 additions and 1 deletions
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@ -28,7 +28,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 29 2012
+.Dd September 18 2012
 .Dt PF 4
 .Os
 .Sh NAME
@ -36,6 +36,7 @@
 .Nd packet filter
 .Sh SYNOPSIS
 .Cd "device pf"
+.Cd "options PF_DEFAULT_TO_DROP"
 .Sh DESCRIPTION
 Packet filtering takes place in the kernel.
 A pseudo-device,
@ -94,6 +95,15 @@ Read only
 .Xr sysctl 8
 variables with matching names are provided to obtain current values
 at runtime.
+.Sh KERNEL OPTIONS
+The following options in the kernel configuration file are related to
+.Nm
+operation:
+.Pp
+.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
+.It Dv PF_DEFAULT_TO_DROP
+Change default policy to drop by default
+.El
 .Sh IOCTL INTERFACE
 .Nm
 supports the following
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -918,6 +918,8 @@ device		lagg
 # packets without touching the TTL).  This can be useful to hide firewalls
 # from traceroute and similar tools.
 #
+# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything.
+#
 # TCPDEBUG enables code which keeps traces of the TCP state machine
 # for sockets with the SO_DEBUG option set, which can then be examined
 # using the trpt(8) utility.
@ -937,6 +939,7 @@ options 	IPFILTER_LOG		#ipfilter logging
 options 	IPFILTER_LOOKUP		#ipfilter pools
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
 options 	IPSTEALTH		#support for stealth forwarding
+options 	PF_DEFAULT_TO_DROP	#drop everything by default
 options 	TCPDEBUG
 options 	RADIX_MPATH

--- a/sys/conf/options
+++ b/sys/conf/options
@ -430,6 +430,7 @@ NCP
 NETATALK		opt_atalk.h
 NFSLOCKD
 PCBGROUP		opt_pcbgroup.h
+PF_DEFAULT_TO_DROP	opt_pf.h
 RADIX_MPATH		opt_mpath.h
 ROUTETABLES		opt_route.h
 SLIP_IFF_OPTS		opt_slip.h
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -216,7 +216,11 @@ pfattach(void)

 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+#ifdef PF_DEFAULT_TO_DROP
+	V_pf_default_rule.action = PF_DROP;
+#else
 	V_pf_default_rule.action = PF_PASS;
+#endif
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;