________________________________
From: Robert Austen <robert.aus...@willowglensystems.com>
Sent: April 7, 2025 4:33 PM
To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-...@freebsd.org <freebsd-...@freebsd.org>
Subject: Fw: pfil_default_to_drop

________________________________
From: Robert Austen
Sent: April 7, 2025 4:21 PM
To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
Subject: pfil_default_to_drop

Hello,

I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point. I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observation that it's hard to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.

After looking through the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc., or really a problem with any of the filters or scripts; the problem is at the level of PFIL, the kernel packet filtering code: if no filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything through to its destination.

So my thought was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the IPv4 and IPv6 packets that would otherwise go through the yet-to-be-loaded chosen filter (PF or whatever) at any given time the hooks are unhooked. [No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them, maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]

Normally I'm an embedded Linux kernel basher. I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes, so that doesn't seem a good place. SirDice seems to be a common answerer of questions; I would have sent it to him/her if I could... I'm not a user of Git, so I'm not sure how to submit a "Git formatted patch"... I've simply run diff -rdpNU 5 on a copy of the @old folder against a copy of the @new folder.
The code was written against FreeBSD-14.1-RELEASE-amd64, but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version. But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along. thanks! Robert
<<attachment: FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>>
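The mail's starting point is the rule file that fails to load. A userland mitigation for that specific case is a fail-closed loader that installs a minimal block-all ruleset whenever pfctl(8) rejects the real one; this added example is not from the mail or the attached patch, and it does not close the PFIL-level window before pf is hooked at all, which is the gap the mail is about. It assumes a stock FreeBSD pfctl and /etc/pf.conf; PFCTL and MAIN_RULES are overridable so the logic can be exercised without touching a live firewall.

```shell
#!/bin/sh
# Added example: load the main PF ruleset and, if pfctl rejects it, install a
# minimal "block everything" ruleset instead of leaving the host open.
# PFCTL and MAIN_RULES default to the stock FreeBSD tool and path (assumption).
PFCTL="${PFCTL:-pfctl}"
MAIN_RULES="${MAIN_RULES:-/etc/pf.conf}"

# Minimal fail-closed ruleset: leave loopback alone, drop and log all else.
# Written to stdout so it can be piped into "pfctl -f -" (pfctl reads stdin
# when the file name is "-").
fallback_rules() {
    printf '%s\n' \
        'set skip on lo0' \
        'block drop log all'
}

# Try the main ruleset first. Return codes:
#   0  main ruleset loaded
#   2  main ruleset rejected, block-all fallback installed
#   3  main ruleset rejected AND fallback failed (host may be unfiltered)
load_pf_rules() {
    if "$PFCTL" -f "$MAIN_RULES"; then
        return 0
    fi
    echo "pf: failed to load $MAIN_RULES, installing block-all fallback" >&2
    if fallback_rules | "$PFCTL" -f -; then
        return 2
    fi
    echo "pf: fallback ruleset also failed; host may be unfiltered" >&2
    return 3
}
```

A caller (for example an rc script) should treat anything but 0 as an alert condition, since a return of 2 means the box is now blocking all non-loopback traffic and 3 means it may be filtering nothing.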