From nobody@FreeBSD.org  Thu Sep 13 20:40:04 2012
Return-Path: <nobody@FreeBSD.org>
Message-Id: <201209132040.q8DKe351058299@red.freebsd.org>
Date: Thu, 13 Sep 2012 20:40:03 GMT
From: Olivier Cochard-Labbé <olivier@cochard.me>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         171622
>Category:       kern
>Synopsis:       Patch that adds "options PF_DEFAULT_TO_DROP" to kernel configuration file
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    glebius
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 13 20:50:01 UTC 2012
>Closed-Date:    Wed Jan 22 09:25:08 UTC 2014
>Last-Modified:  Wed Jan 22 09:25:08 UTC 2014
>Originator:     Olivier Cochard-Labbé
>Release:        9.1-RC1
>Organization:
BSD Router Project
>Environment:
FreeBSD R1 9.1-RC1 FreeBSD 9.1-RC1 #0 r240390M: Thu Sep 13 12:50:12 CEST 2012     root@orange.bsdrp.net:/usr/obj/BSDRP.amd64/usr/local/BSDRP/FreeBSD/src/sys/amd64  amd64
>Description:
Here is a little patch (tested on FreeBSD 9.1-RC1) that adds a new option to the kernel configuration file:
options PF_DEFAULT_TO_DROP

Without this option, with an empty pf.conf: all traffic is permitted.
With this option enabled, with an empty pf.conf: all traffic is dropped by default.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- sys/contrib/pf/net/pf_ioctl.c.orig	2012-09-06 15:47:47.000000000 +0200
+++ sys/contrib/pf/net/pf_ioctl.c	2012-09-06 15:56:16.000000000 +0200
@@ -386,7 +386,11 @@
 
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+	#ifdef PF_DEFAULT_TO_DROP
+    V_pf_default_rule.action = PF_DROP;
+    #else
 	V_pf_default_rule.action = PF_PASS;
+	#endif
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;
 
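Review bot: the preprocessor lines added in this hunk are indented with a tab, and the PF_DROP assignment and the #else line use four spaces instead, so the block is inconsistent both with the tab-indented code around it and with style(9), which puts #ifdef/#else/#endif in column 0 (the version of this hunk later committed as r240642 does exactly that). Suggest
#ifdef PF_DEFAULT_TO_DROP
	V_pf_default_rule.action = PF_DROP;
#else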
@@ -473,7 +477,11 @@
 
 	/* default rule should never be garbage collected */
 	pf_default_rule.entries.tqe_prev = &pf_default_rule.entries.tqe_next;
+	#ifdef PF_DEFAULT_TO_DROP
+	pf_default_rule.action = PF_DROP;
+	#else
 	pf_default_rule.action = PF_PASS;
+	#endif
 	pf_default_rule.nr = -1;
 	pf_default_rule.rtableid = -1;
 
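Review bot: this is the same change applied to the second copy of the default-rule initialisation (pf_default_rule without the V_ prefix), and the #ifdef/#else/#endif are again tab-indented rather than in column 0; whichever indentation is chosen, both copies should match, and the spaces-versus-tab mix in the first hunk should be resolved in the same way here. Since the two initialisations must stay in sync for the option to mean the same thing on both paths, a one-line comment next to each pointing at the other would help the next person who touches only one of them.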
--- sys/conf/options.orig	2012-09-06 15:59:40.000000000 +0200
+++ sys/conf/options	2012-09-06 16:00:59.000000000 +0200
@@ -426,6 +426,7 @@
 NETATALK		opt_atalk.h
 NFSLOCKD
 PCBGROUP		opt_pcbgroup.h
+PF_DEFAULT_TO_DROP	opt_pf.h
 RADIX_MPATH		opt_mpath.h
 ROUTETABLES		opt_route.h
 SLIP_IFF_OPTS		opt_slip.h
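Review bot: registering the option against opt_pf.h only has an effect if pf_ioctl.c actually includes "opt_pf.h", and neither pf_ioctl.c hunk above adds or shows such an include; please confirm it is already present, otherwise the #ifdef never sees PF_DEFAULT_TO_DROP and the kernel silently keeps the PF_PASS default while the administrator believes the stricter policy is in place. The placement between PCBGROUP and RADIX_MPATH keeps the list sorted, which is fine.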
--- sys/conf/NOTES.orig	2012-09-06 16:58:11.000000000 +0200
+++ sys/conf/NOTES	2012-09-06 16:14:47.000000000 +0200
@@ -916,6 +916,8 @@
 # packets without touching the TTL).  This can be useful to hide firewalls
 # from traceroute and similar tools.
 #
+# PF_DEFAULT_TO_DROP causes the default rule (at boot) to deny everything.
+# 
 # TCPDEBUG enables code which keeps traces of the TCP state machine
 # for sockets with the SO_DEBUG option set, which can then be examined
 # using the trpt(8) utility.
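Review bot: the new separator line "+# " carries a trailing space, while the rest of this comment block uses a bare "#" for blank lines (see the context line just above the addition); trailing whitespace tends to be flagged at commit time, so drop it. The sentence could also say which rule is meant: "causes the default pf(4) rule to deny everything" makes clear that it is pf's built-in rule, the one that applies before any ruleset has been loaded, and matches the wording the committed version of this hunk ended up with.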
@@ -933,6 +935,7 @@
 options 	IPFILTER_LOOKUP		#ipfilter pools
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
 options 	IPSTEALTH		#support for stealth forwarding
+options		PF_DEFAULT_TO_DROP		#drop everything by default
 options 	TCPDEBUG
 
 # The MBUF_STRESS_TEST option enables options which create
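Review bot: the added options line uses two tabs after "options" and two after the symbol, while the neighbouring entries use "options " followed by a single tab and then tab-align the comment; match them so the column layout survives, e.g.
options 	PF_DEFAULT_TO_DROP	#drop everything by default
Placing it next to IPFILTER_DEFAULT_BLOCK is appropriate, as it is the pf counterpart of that ipfilter option.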


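A check for the kernel-configuration side of the submission above, added here and not part of the PR or of FreeBSD: a POSIX sh lint that reports whether a kernel config file ends up with "options PF_DEFAULT_TO_DROP" set, following config(5) "include" directives and honouring a later "nooptions" the way config(8) does. The function names and the constructed sample configs in the test are assumptions.

```shell
#!/bin/sh
# Added example (not part of the PR or of FreeBSD): lint a kernel
# configuration file and report whether it ends up with
# "options PF_DEFAULT_TO_DROP" set, i.e. whether the pf default rule
# will be PF_DROP instead of PF_PASS until pf.conf is loaded.
# Follows config(5) "include" and honours a later "nooptions".

# Print "keyword value" for every directive in FILE, recursing into
# "include NAME" (resolved relative to FILE's directory), with
# comments and per-line trailing remarks removed.
flatten_conf() {
    sed 's/#.*//' "$1" | while read -r key val rest; do
        val=${val#\"}; val=${val%\"}          # config(5) allows quoted names
        case "$key" in
            include) flatten_conf "$(dirname "$1")/$val" ;;
            ?*)      printf '%s %s\n' "$key" "$val" ;;
        esac
    done
}

# Exit 0 if the last options/nooptions directive for PF_DEFAULT_TO_DROP
# leaves it set, 1 otherwise.  "options NAME=value" forms are accepted.
pf_default_drop_enabled() {
    flatten_conf "$1" | awk '
        { sym = $2; sub(/=.*/, "", sym) }
        $1 == "options"   && sym == "PF_DEFAULT_TO_DROP" { enabled = 1 }
        $1 == "nooptions" && sym == "PF_DEFAULT_TO_DROP" { enabled = 0 }
        END { exit enabled ? 0 : 1 }'
}

# Human-readable verdict for one config file; same exit status as the check.
pf_default_drop_check() {
    if pf_default_drop_enabled "$1"; then
        echo "$1: PF_DEFAULT_TO_DROP set, pf blocks traffic until a ruleset loads"
    else
        echo "$1: PF_DEFAULT_TO_DROP not set, default pf rule is PASS at boot"
        return 1
    fi
}
```

Run it as "pf_default_drop_check /usr/src/sys/amd64/conf/KERNCONF" after sourcing the file; an included GENERIC that sets the option is honoured, and a "nooptions PF_DEFAULT_TO_DROP" in the including file turns it back off.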
>Release-Note:
>Audit-Trail:

From: Olivier Cochard-Labbé <olivier@cochard.me>
To: bug-followup@freebsd.org
Cc: Gleb Smirnoff <glebius@freebsd.org>
Subject: Re: kern/171622: Patch that adds "options PF_DEFAULT_TO_DROP"
 to kernel configuration file
Date: Fri, 14 Sep 2012 16:35:42 +0200

 Here is a new patch adapted to -current and including a man page updated too.
 
 Regards,
 
 Olivier
 
State-Changed-From-To: open->patched 
State-Changed-By: glebius 
State-Changed-When: Tue Sep 18 11:05:12 UTC 2012 
State-Changed-Why:  
Done in head/. 


Responsible-Changed-From-To: freebsd-bugs->glebius 
Responsible-Changed-By: glebius 
Responsible-Changed-When: Tue Sep 18 11:05:12 UTC 2012 
Responsible-Changed-Why:  
Done in head/. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171622 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/171622: commit references a PR
Date: Tue, 18 Sep 2012 11:07:35 +0000 (UTC)

 Author: glebius
 Date: Tue Sep 18 11:07:19 2012
 New Revision: 240642
 URL: http://svn.freebsd.org/changeset/base/240642
 
 Log:
   Provide kernel compile time option to make pf(4) default rule to drop.
   
   This is important to secure a small timeframe at boot time, when
   network is already configured, but pf(4) is not yet.
   
   PR:		kern/171622
   Submitted by:	Olivier Cochard-Labbé <olivier cochard.me>
 
 Modified:
   head/share/man/man4/pf.4
   head/sys/conf/NOTES
   head/sys/conf/options
   head/sys/netpfil/pf/pf_ioctl.c
 
 Modified: head/share/man/man4/pf.4
 ==============================================================================
 --- head/share/man/man4/pf.4	Tue Sep 18 10:54:56 2012	(r240641)
 +++ head/share/man/man4/pf.4	Tue Sep 18 11:07:19 2012	(r240642)
 @@ -28,7 +28,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd June 29 2012
 +.Dd September 18 2012
  .Dt PF 4
  .Os
  .Sh NAME
 @@ -36,6 +36,7 @@
  .Nd packet filter
  .Sh SYNOPSIS
  .Cd "device pf"
 +.Cd "options PF_DEFAULT_TO_DROP"
  .Sh DESCRIPTION
  Packet filtering takes place in the kernel.
  A pseudo-device,
 @@ -94,6 +95,15 @@ Read only
  .Xr sysctl 8
  variables with matching names are provided to obtain current values
  at runtime.
 +.Sh KERNEL OPTIONS
 +The following options in the kernel configuration file are related to
 +.Nm
 +operation:
 +.Pp
 +.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
 +.It Dv PF_DEFAULT_TO_DROP
 +Change default policy to drop by default
 +.El
  .Sh IOCTL INTERFACE
  .Nm
  supports the following
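Review bot: the one-line description "Change default policy to drop by default" in the new KERNEL OPTIONS section is terse and repeats itself, and it leaves out the rationale the commit log gives (covering the window at boot when the network is already up but no ruleset has been loaded yet), which is exactly what a reader of pf(4) needs in order to decide whether to build with the option. Suggest something like "Make the built-in default rule drop packets instead of passing them, so that traffic is blocked until a ruleset is loaded."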
 
 Modified: head/sys/conf/NOTES
 ==============================================================================
 --- head/sys/conf/NOTES	Tue Sep 18 10:54:56 2012	(r240641)
 +++ head/sys/conf/NOTES	Tue Sep 18 11:07:19 2012	(r240642)
 @@ -918,6 +918,8 @@ device		lagg
  # packets without touching the TTL).  This can be useful to hide firewalls
  # from traceroute and similar tools.
  #
 +# PF_DEFAULT_TO_DROP causes the default pf(4) rule to deny everything.
 +#
  # TCPDEBUG enables code which keeps traces of the TCP state machine
  # for sockets with the SO_DEBUG option set, which can then be examined
  # using the trpt(8) utility.
 @@ -937,6 +939,7 @@ options 	IPFILTER_LOG		#ipfilter logging
  options 	IPFILTER_LOOKUP		#ipfilter pools
  options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
  options 	IPSTEALTH		#support for stealth forwarding
 +options 	PF_DEFAULT_TO_DROP	#drop everything by default
  options 	TCPDEBUG
  options 	RADIX_MPATH
  
 
 Modified: head/sys/conf/options
 ==============================================================================
 --- head/sys/conf/options	Tue Sep 18 10:54:56 2012	(r240641)
 +++ head/sys/conf/options	Tue Sep 18 11:07:19 2012	(r240642)
 @@ -430,6 +430,7 @@ NCP
  NETATALK		opt_atalk.h
  NFSLOCKD
  PCBGROUP		opt_pcbgroup.h
 +PF_DEFAULT_TO_DROP	opt_pf.h
  RADIX_MPATH		opt_mpath.h
  ROUTETABLES		opt_route.h
  SLIP_IFF_OPTS		opt_slip.h
 
 Modified: head/sys/netpfil/pf/pf_ioctl.c
 ==============================================================================
 --- head/sys/netpfil/pf/pf_ioctl.c	Tue Sep 18 10:54:56 2012	(r240641)
 +++ head/sys/netpfil/pf/pf_ioctl.c	Tue Sep 18 11:07:19 2012	(r240642)
 @@ -216,7 +216,11 @@ pfattach(void)
  
  	/* default rule should never be garbage collected */
  	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
 +#ifdef PF_DEFAULT_TO_DROP
 +	V_pf_default_rule.action = PF_DROP;
 +#else
  	V_pf_default_rule.action = PF_PASS;
 +#endif
  	V_pf_default_rule.nr = -1;
  	V_pf_default_rule.rtableid = -1;
  
State-Changed-From-To: patched->closed 
State-Changed-By: glebius 
State-Changed-When: Wed Jan 22 09:24:42 UTC 2014 
State-Changed-Why:  
Available in 10.0-RELEASE. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=171622 
>Unformatted:
