In message <QB1PPF4C719E46AFADEAB65EB14D2627AABEFB42@QB1PPF4C719E46A.CANPRD01.PROD.OUTLOOK.COM>, Robert Austen writes:
> "Maybe we also want a loader tunable to enable pf(4) on load"
>
> Seems a complicated way to do a simple thing. imho.
>
> Did you happen to look at my tiny patch?
> There are already a bunch of macros (PFIL_HOOKED_IN, PFIL_HOOKED_OUT) defined depending on the inclusion of INET v4 or 6.
> I just cloned them as ... _UNHOOKED_ ..., and made them the NOT of the HOOKED_ one, or FALSE when INET v4 or 6 is excluded
> or if PFIL_DEFAULT_TO_DROP isn't defined.
>
> Then wherever the existing PFIL_HOOKED_IN/OUT_46 macros are used, prior to calling the filter hook, I just
> inserted a PFIL_UNHOOKED_IN/OUT_46 check, and a 'goto drop' instead of the 'goto passin/out' for the 7 occurrences
> in if_gateway and the 3 in the NETINET code (ip_input, ip_output, ip_fastfwd) and the 4 in the NETINET6 code (same as netinet4 plus ip6_forward).
>
> easy peasy.

Easy? Patches please.

> I spend 10x more time messing with the kernel Makefile + CONF structure than with my changes lol.

-- 
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
NTP: <c...@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0

>
> ________________________________
> From: Zhenlei Huang <z...@freebsd.org>
> Sent: April 9, 2025 1:48 AM
> To: Robert Austen <robert.aus...@willowglensystems.com>
> Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-...@freebsd.org>; Kristof Provost <k...@freebsd.org>; Cy Schubert <c...@freebsd.org>
> Subject: Re: pfil_default_to_drop
>
> On Apr 9, 2025, at 1:01 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:
>
> > I respectfully disagree.
> >
> > PF_DEFAULT_TO_DROP has no effect if pfctl does not perform its ioctl call to enable itself, ie. to apply any hooks.
> > if pfctl fails, then the hooks are left unhooked, and EVERYTHING defaults to PASS, which is not what most people would intend using PF_DEFAULT_TO_DROP.
>
> Ahh, I see your problem. Yes, you're right. pf(4) requires ioctl ( DIOCSTART ) or netlink command to enable it.
>
> @Kristof Maybe we also want a loader tunable to enable pf(4) on load ?
>
> > consider this: until pf or ipf or ipfw makes an ioctl to hook themselves, the pfil layer in the kernel has no idea what the filter will be,
> > assuming there even is one. thus PF_DEFAULT_TO_DROP has zero effect (and likewise the equivalents from the other filters).
>
> As for ipfw(4), by default it enables filtering on load, unless you disable it via loader tunable `net.inet.ip.fw.enable`, `net.inet6.ip6.fw.enable` and `net.link.ether.ipfw`.
>
> The compile option IPFIREWALL_DEFAULT_TO_ACCEPT or loader tunable `net.inet.ip.fw.default_to_accept` controls the default behavior to drop or accept.
> See also https://cgit.freebsd.org/src/commit/?id=5f17ebf94db5ebbc7fdcff60e598498df6f9e2bd .
>
> > as I said, this is because there's no mechanism within PFIL to drop by default, which is why I proposed (and am using on my system) the PFIL_DEFAULT_TO_DROP,
> > because it handles ALL of the 'no filter installed (yet)' cases. if PFIL_DEFAULT_TO_DROP isn't in the kernel config file, my patches have no effect at all,
> > so it's a simple mechanism for those that want more than PF_DEFAULT_TO_DROP can ever provide.
>
> It appears ipf(4) unconditionally enable filtering on load, and does not have any tunables to control that. CC @Cy who is more familiar with ipf(4).
>
> > thanks!
> > ________________________________
> > From: Zhenlei Huang <z...@freebsd.org>
> > Sent: April 7, 2025 7:55 PM
> > To: Robert Austen <robert.aus...@willowglensystems.com>
> > Cc: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-...@freebsd.org>; Kristof Provost <k...@freebsd.org>
> > Subject: Re: pfil_default_to_drop
> >
> > On Apr 8, 2025, at 6:36 AM, Robert Austen <robert.austen@willowglensystems.com> wrote:
> >
> > > ________________________________
> > > From: Robert Austen <robert.aus...@willowglensystems.com>
> > > Sent: April 7, 2025 4:33 PM
> > > To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>; freebsd-net@freebsd.org <freebsd-...@freebsd.org>
> > > Subject: Fw: pfil_default_to_drop
> > >
> > > ________________________________
> > > From: Robert Austen
> > > Sent: April 7, 2025 4:21 PM
> > > To: freebsd-current@freebsd.org <freebsd-current@freebsd.org>
> > > Subject: pfil_default_to_drop
> > >
> > > Hello,
> > > I've been playing with FreeBSD and PF to build myself a new firewall, as Open/FreeBSD + PF seems to be a common starting point.
> > >
> > > I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP and the like, with the observations that it's hard
> > > to ensure that packets all default to drop if the rule file(s) for whatever reason fail to load.
> >
> > Hi Robert,
> >
> > So why not defining the compile option PF_DEFAULT_TO_DROP, and preload pf.ko ( via the loader(8), /boot/loader.conf ) ?
> >
> > With 13.5, or upcoming 14.3 ( you can also experiment latest stable/14 ), you can turn the loader tunable net.pf.default_to_drop to 1, and preload pf.ko.
> > See also https://cgit.freebsd.org/src/commit/?id=c531c1d1462c45f7ce5de4f9913226801f3073bd .
> >
> > > After looking thru the online documentation, forums and scripts, I came to the conclusion that it's not a PF problem or IPFW etc
> > > or really a problem with any of the filters or scripts, the problem is at the level of PFIL, the kernel packet filtering code: If no
> > > filter is loaded, i.e. if the heads are unhooked, then PFIL sends everything thru to its destination. So my thought
> > > was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_DEFAULT_TO_DROP) that drops all the
> > > IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded chosen filter (PF or whatever) at any given time the
> > > hooks are unhooked.
> >
> > If no firewalls loaded, then the system should behave as is. I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your case.
> >
> > > [No one filters on local loopback nor the link layer, so I've left those hooks untouched. I suppose one could add them,
> > > maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt there's much demand for it.]
> > >
> > > Normally I'm an embedded linux kernel basher.
> > > I'm not entirely sure where to send this patch. Most of the threads asking the above PF questions are closed to changes,
> > > so that doesn't seem a good place. Sir Dice seems to be a common answerer of questions; I would have sent it to him/her
> > > if I could...
> > >
> > > I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted patch"...
> > > I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new folder. The code was written against FreeBSD-14.1-RELEASE-amd64,
> > > but I suspect the kernel code in the networking core doesn't change much from platform to platform, or version to version.
> > >
> > > But it works, it's pretty simple, pretty small and so just in case it might be useful, I'm passing it along.
> > >
> > > thanks!
> > >
> > > Robert
> > >
> > > <FreeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip>
7px 2px" class=3D"" style=3D"background-image:revert!important; backgro= > und-size:revert!important; background-attachment:revert!important; backgrou= > nd-origin:revert!important; background-clip:revert!important; border:revert= > !important; bottom:revert!important; color:revert!important; direction:reve= > rt!important; display:revert!important; font-size:revert!important; height:= > revert!important; letter-spacing:revert!important; line-height:revert!impor= > tant; margin:revert!important; opacity:revert!important; order:revert!impor= > tant; outline:revert!important; overflow:revert!important; position:revert!= > important; tab-size:revert!important; table-layout:revert!important; text-a= > lign:revert!important; text-indent:revert!important; text-orientation:rever= > t!important; text-overflow:revert!important; text-transform:revert!importan= > t; top:revert!important; vertical-align:revert!important; visibility:revert= > !important; white-space:revert!important; word-break:revert!important; word= > -spacing:revert!important; writing-mode:revert!important; zoom:revert!impor= > tant; padding:7px 2px!important; background-color:rgb(166,166,166)!importan= > t; width:0px!important; background-position:revert!important; background-re= > peat:revert!important"> > </td> > <td valign=3D"middle" width=3D"100%" bgcolor=3D"#EAEAEA" cellpadding=3D"7px= > 5px 7px 15px" class=3D"" style=3D"background-image:revert!important; backg= > round-size:revert!important; background-attachment:revert!important; backgr= > ound-origin:revert!important; background-clip:revert!important; border:reve= > rt!important; bottom:revert!important; direction:revert!important; display:= > revert!important; height:revert!important; letter-spacing:revert!important;= > line-height:revert!important; margin:revert!important; opacity:revert!impo= > rtant; order:revert!important; outline:revert!important; overflow:revert!im= > portant; position:revert!important; tab-size:revert!important; 
table-layout= > :revert!important; text-indent:revert!important; text-orientation:revert!im= > portant; text-overflow:revert!important; text-transform:revert!important; t= > op:revert!important; vertical-align:revert!important; visibility:revert!imp= > ortant; white-space:revert!important; word-break:revert!important; word-spa= > cing:revert!important; writing-mode:revert!important; zoom:revert!important= > ; width:541px; background-color:rgb(234,234,234)!important; padding:7px 5px= > 7px 15px!important; font-family:wf_segoe-ui_normal,"Segoe UI",&q= > uot;Segoe WP",Tahoma,Arial,sans-serif!important; font-size:12px!import= > ant; font-weight:normal!important; color:rgb(33,33,33)!important; text-alig= > n:left!important; word-wrap:break-word!important; background-position:rever= > t!important; background-repeat:revert!important"> > <div class=3D"" style=3D"background-image:revert!important; background-size= > :revert!important; background-attachment:revert!important; background-origi= > n:revert!important; background-clip:revert!important; background-color:reve= > rt!important; border:revert!important; bottom:revert!important; color:rever= > t!important; direction:revert!important; display:revert!important; font-siz= > e:revert!important; height:revert!important; letter-spacing:revert!importan= > t; line-height:revert!important; margin:revert!important; opacity:revert!im= > portant; order:revert!important; outline:revert!important; overflow:revert!= > important; padding:revert!important; position:revert!important; tab-size:re= > vert!important; table-layout:revert!important; text-align:revert!important;= > text-indent:revert!important; text-orientation:revert!important; text-over= > flow:revert!important; text-transform:revert!important; top:revert!importan= > t; vertical-align:revert!important; visibility:revert!important; white-spac= > e:revert!important; width:revert!important; word-break:revert!important; wo= > rd-spacing:revert!important; 
writing-mode:revert!important; zoom:revert!imp= > ortant; background-position:revert!important; background-repeat:revert!impo= > rtant"> > You don't often get email from<span class=3D"x_Apple-converted-space"> = > ;</span><a href=3D"mailto:z...@freebsd.org" class=3D"">z...@freebsd.org</a>= > .<span class=3D"x_Apple-converted-space"> </span><a href=3D"https://ak= > a.ms/LearnAboutSenderIdentification" class=3D"" style=3D"background-image:r= > evert!important; background-size:revert!important; background-attachment:re= > vert!important; background-origin:revert!important; background-clip:revert!= > important; background-color:revert!important; color:revert!important; direc= > tion:revert!important; display:revert!important; font-size:revert!important= > ; opacity:revert!important; visibility:revert!important; background-positio= > n:revert!important; background-repeat:revert!important">Learn > why this is important</a></div> > </td> > <td valign=3D"middle" align=3D"left" width=3D"75px" bgcolor=3D"#EAEAEA" cel= > lpadding=3D"7px 5px 7px 5px" class=3D"" style=3D"background-image:revert!im= > portant; background-size:revert!important; background-attachment:revert!imp= > ortant; background-origin:revert!important; background-clip:revert!importan= > t; border:revert!important; bottom:revert!important; direction:revert!impor= > tant; display:revert!important; height:revert!important; letter-spacing:rev= > ert!important; line-height:revert!important; margin:revert!important; opaci= > ty:revert!important; order:revert!important; outline:revert!important; over= > flow:revert!important; position:revert!important; tab-size:revert!important= > ; table-layout:revert!important; text-indent:revert!important; text-orienta= > tion:revert!important; text-overflow:revert!important; text-transform:rever= > t!important; top:revert!important; vertical-align:revert!important; visibil= > ity:revert!important; white-space:revert!important; word-break:revert!impor= > tant; 
word-spacing:revert!important; writing-mode:revert!important; zoom:re= > vert!important; width:75px!important; background-color:rgb(234,234,234)!imp= > ortant; padding:7px 5px!important; font-family:wf_segoe-ui_normal,"Seg= > oe UI","Segoe WP",Tahoma,Arial,sans-serif!important; font-si= > ze:12px!important; font-weight:normal!important; color:rgb(33,33,33)!import= > ant; text-align:left!important; word-wrap:break-word!important; background-= > position:revert!important; background-repeat:revert!important"> > </td> > </tr> > </tbody> > </table> > <div class=3D""><br class=3D""> > <div class=3D""><br class=3D""> > <blockquote type=3D"cite" class=3D""> > <div class=3D"">On Apr 8, 2025, at 6:36 AM, Robert Austen <<a href=3D"ma= > ilto:robert.aus...@willowglensystems.com" class=3D"">robert.austen@willowgl= > ensystems.com</a>> wrote:</div> > <br class=3D"x_x_Apple-interchange-newline"> > <div class=3D""> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica= > ,sans-serif; font-size:12pt"> > <br class=3D"x_x_Apple-interchange-newline"> > <br class=3D""> > </div> > <div id=3D"x_x_appendonsend" class=3D"" style=3D"font-family:Helvetica; fon= > t-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400; = > letter-spacing:normal; text-align:start; text-indent:0px; text-transform:no= > ne; white-space:normal; word-spacing:0px; text-decoration:none"> > </div> > <hr class=3D"" style=3D"font-family:Helvetica; font-size:13px; font-style:n= > ormal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; te= > xt-align:start; text-indent:0px; text-transform:none; white-space:normal; w= > ord-spacing:0px; text-decoration:none; display:inline-block; width:576.2343= > 75px"> > <span class=3D"" 
style=3D"font-family:Helvetica; font-size:13px; font-style= > :normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; = > text-align:start; text-indent:0px; text-transform:none; white-space:normal;= > word-spacing:0px; text-decoration:none; float:none; display:inline!importa= > nt"></span> > <div dir=3D"ltr" id=3D"x_x_divRplyFwdMsg" class=3D"" style=3D"font-family:H= > elvetica; font-size:13px; font-style:normal; font-variant-caps:normal; font= > -weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text= > -transform:none; white-space:normal; word-spacing:0px; text-decoration:none= > "> > <span class=3D"" style=3D"font-family:Calibri,sans-serif; font-size:11pt"><= > b class=3D"">From:</b> Robert Austen <<a href=3D"mailto:robert.aust= > e...@willowglensystems.com" class=3D"">robert.aus...@willowglensystems.com</a= > >><br class=3D""> > <b class=3D"">Sent:</b> April 7, 2025 4:33 PM<br class=3D""> > <b class=3D"">To:</b> <a href=3D"mailto:freebsd-current@freebsd.org" c= > lass=3D"">freebsd-current@freebsd.org</a><span class=3D"x_x_Apple-converted= > -space"> </span><<a href=3D"mailto:freebsd-current@freebsd.org" cla= > ss=3D"">freebsd-current@freebsd.org</a>>;<span class=3D"x_x_Apple-conver= > ted-space"> </span><a href=3D"mailto:freebsd-...@freebsd.org" class=3D= > "">freebsd-...@freebsd.org</a><span class=3D"x_x_Apple-converted-space">&nb= > sp;</span><<a href=3D"mailto:freebsd-...@freebsd.org" class=3D"">freebsd= > -n...@freebsd.org</a>><br class=3D""> > <b class=3D"">Subject:</b> Fw: pfil_default_to_drop</span> > <div class=3D""> </div> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> 
> <div id=3D"x_x_x_appendonsend" class=3D"" style=3D"font-family:Helvetica; f= > ont-size:13px; font-style:normal; font-variant-caps:normal; font-weight:400= > ; letter-spacing:normal; text-align:start; text-indent:0px; text-transform:= > none; white-space:normal; word-spacing:0px; text-decoration:none"> > </div> > <hr class=3D"" style=3D"font-family:Helvetica; font-size:13px; font-style:n= > ormal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; te= > xt-align:start; text-indent:0px; text-transform:none; white-space:normal; w= > ord-spacing:0px; text-decoration:none; direction:ltr; display:inline-block;= > width:576.234375px"> > <span class=3D"" style=3D"font-family:Helvetica; font-size:13px; font-style= > :normal; font-variant-caps:normal; font-weight:400; letter-spacing:normal; = > text-align:start; text-indent:0px; text-transform:none; white-space:normal;= > word-spacing:0px; text-decoration:none; float:none; display:inline!importa= > nt"></span> > <div dir=3D"ltr" id=3D"x_x_x_divRplyFwdMsg" class=3D"" style=3D"font-family= > :Helvetica; font-size:13px; font-style:normal; font-variant-caps:normal; fo= > nt-weight:400; letter-spacing:normal; text-align:start; text-indent:0px; te= > xt-transform:none; white-space:normal; word-spacing:0px; text-decoration:no= > ne"> > <span class=3D"" style=3D"font-family:Calibri,sans-serif; font-size:11pt"><= > b class=3D"">From:</b> Robert Austen<br class=3D""> > <b class=3D"">Sent:</b> April 7, 2025 4:21 PM<br class=3D""> > <b class=3D"">To:</b> <a href=3D"mailto:freebsd-current@freebsd.org" c= > lass=3D"">freebsd-current@freebsd.org</a><span class=3D"x_x_Apple-converted= > -space"> </span><<a href=3D"mailto:freebsd-current@freebsd.org" cla= > ss=3D"">freebsd-current@freebsd.org</a>><br class=3D""> > <b class=3D"">Subject:</b> pfil_default_to_drop</span> > <div class=3D""> </div> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; 
text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > Hello,</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > I've been playing with FreeBSD and PF to build myself a new firewall, as Op= > en/FreeBSD + PF seems to be a common starting point.</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > I've noticed a number of people asking questions about PF_DEFAULT_TO_DROP a= > nd the like, with the observations that it's hard</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; 
font-size:12pt"> > to ensure that packets all default to drop if the rule file(s) for whatever= > reason fail to load. </div> > </div> > </blockquote> > <div class=3D""><br class=3D""> > </div> > <div class=3D"">Hi Robert,</div> > <div class=3D""><br class=3D""> > </div> > <div class=3D"">So why not defining the compile option PF_DEFAULT_TO_D= > ROP, and preload <span class=3D"" style=3D"">pf.ko ( via the loader(8)= > , </span><span class=3D"" style=3D"">/boot/loader.conf ) ?</span></div= > > > <div class=3D""><span class=3D"" style=3D""><br class=3D""> > </span></div> > <div class=3D""><font class=3D"">With 13.5, or upcoming 14.3 ( you can also= > experiment latest stable/14 ), you can<span class=3D"x_Apple-converte= > d-space"> </span></font><span class=3D"" style=3D"">turn the loader tu= > nable net.pf.default_to_drop to 1, and </span><span class=3D"" st= > yle=3D"">preload </span><span class=3D"" style=3D"">pf.ko.</span></div= > > > <div class=3D"">See also <a href=3D"https://cgit.freebsd.org/src/commi= > t/?id=3Dc531c1d1462c45f7ce5de4f9913226801f3073bd" class=3D"">https://cgit.f= > reebsd.org/src/commit/?id=3Dc531c1d1462c45f7ce5de4f9913226801f3073bd</a>&nb= > sp;.</div> > <div class=3D""><br class=3D""> > </div> > <blockquote type=3D"cite" class=3D""> > <div class=3D""> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= 
> libri,Helvetica,sans-serif; font-size:12pt"> > After looking thru the online documentation, forums and scripts, I came to = > the conclusion that it's not a PF problem or IPFW etc</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > or really a problem with any of the filters or scripts, the problem is at t= > he level of PFIL, the kernel packet filtering code: If no</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > filter is loaded, i.e. if the heads are unhooked, then PFIL sends<span clas= > s=3D"x_x_Apple-converted-space"> </span><b class=3D"">everything</b>&n= > bsp;thru to its destination. 
So my thought </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > was to add an option PFIL_DEFAULT_TO_DROP (in essence a PFIL version of PF_= > DEFAULT_TO_DROP) that drops all the</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > IPv4 and IPv6 packets that would otherwise go thru the yet-to-be-loaded cho= > sen filter (PF or whatever) at any given time the </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > hooks are unhooked. </div> > </div> > </blockquote> > <div class=3D""><br class=3D""> > </div> > <div class=3D"">If no firewalls loaded, then the system should behave as is= > . 
I do not think PFIL_DEFAULT_TO_DROP is the right way to handle your = > case.</div> > <br class=3D""> > <blockquote type=3D"cite" class=3D""> > <div class=3D""> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > [No one filters on local loopback nor the link layer, so I've left those ho= > oks untouched. 
I suppose one could add them,</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > maybe PFIL_DEFAULT_LOCAL_TO_DROP or PFIL_DEFAULT_LINK_TO_DROP, but I doubt = > there's much demand for it.]</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > Normally I'm an embedded linux kernel basher.</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > I'm not entirely sure where to send this patch. 
Most of the threads asking = > the above PF questions are closed to changes,</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > so that doesn't seem a good place. Sir Dice seems to be a common answerer o= > f questions; I would have sent it to him/her </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > if I could...</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > I'm not a user of GIT, so I'm not sure how to submit a "GIT formatted = > patch"...</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= 
> transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > I've simply diff -rdpNU 5 a copy of the @old folder with a copy of @new fol= > der. The code was written against FreeBSD-14.1-RELEASE-amd64,</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > but I suspect the kernel code in the networking core doesn't change much fr= > om platform to platform, or version to version.</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > But it works, it's pretty simple, pretty small and so just in case it might= > be useful, I'm passing it along.</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; 
margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > thanks!</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > Robert</div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; 
font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-indent:0px; text-transform:none; wh= > ite-space:normal; word-spacing:0px; text-decoration:none; direction:ltr; te= > xt-align:left; margin:0px; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFon= > tService,Calibri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <div class=3D"" style=3D"font-style:normal; font-variant-caps:normal; font-= > weight:400; letter-spacing:normal; text-align:start; text-indent:0px; text-= > transform:none; white-space:normal; word-spacing:0px; text-decoration:none;= > direction:ltr; font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Ca= > libri,Helvetica,sans-serif; font-size:12pt"> > <br class=3D""> > </div> > <span id=3D"x_x_cid:EF978BA5-1323-4E87-B14E-03A449683C8A" class=3D""><Fr= > eeBSD-14.1-RELEASE-amd64-pfil_default_to_drop.patch.zip></span></div> > </blockquote> > </div> > </div> > </div> > </div> > </blockquote> > </div> > <br class=3D""> > <div class=3D""> > <div><br class=3D""> > </div> > </div> > <br class=3D""> > </div> > </div> > </body> > </html> > > --_000_QB1PPF4C719E46AFADEAB65EB14D2627AABEFB42QB1PPF4C719E46A_--
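The failure mode the thread circles around is operational as much as it is a kernel design question: if /etc/pf.conf fails to parse or load and pf is therefore never enabled, no pfil hook is installed and every packet passes, and (as Robert and Zhenlei agree above) the net.pf.default_to_drop tunable cannot help because it only takes effect once pf is running. The following is an added example of closing that gap from userland at rule-load time; it is not code from the thread, from FreeBSD's rc.d scripts or from pf itself. It assumes pfctl(8) is in PATH and that the constructed block-all fallback ruleset is acceptable for the host.

```shell
#!/bin/sh
# Fail-closed pf(4) rule loading. Added example for this thread; it is not
# code from the thread, from FreeBSD's rc.d scripts, or from pf itself.
# Assumptions: pfctl(8) is in PATH, and the constructed fallback ruleset
# below is acceptable for the host (it blocks everything except lo0).
#
# Why: as the thread notes, the pfil hooks are only installed once pf is
# enabled (DIOCSTART, i.e. pfctl -e). If the rules fail to load and pf is
# never enabled, the hooks stay empty and pfil passes every packet, so a
# loader tunable such as net.pf.default_to_drop never gets a chance to act.

# Constructed fallback ruleset: drop everything on every interface, but skip
# loopback so local services (and the admin's shell) keep working.
pf_fallback_rules() {
    cat <<'EOF'
set block-policy drop
set skip on lo0
block drop log all
EOF
}

# Succeeds (exit 0) if pf reports itself enabled, i.e. its hooks are installed.
pf_is_enabled() {
    pfctl -s info 2>/dev/null | grep -q '^Status: Enabled'
}

# Load the ruleset in $1 fail-closed.
# Prints "primary" if the real ruleset is active, "fallback" if the
# block-all ruleset had to be installed instead; returns 1 only if even
# the fallback could not be installed or pf could not be enabled.
pf_load_failclosed() {
    ruleset=$1
    active=primary
    # -n parses without loading, so a missing file or a syntax error is
    # caught before the running rules are touched.
    if pfctl -n -f "$ruleset" >/dev/null 2>&1 &&
       pfctl -f "$ruleset" >/dev/null 2>&1; then
        :
    else
        active=fallback
        pf_fallback_rules | pfctl -f - >/dev/null 2>&1 || return 1
    fi
    # Enable pf if it is not already running; without this step no hook is
    # installed and the ruleset just loaded filters nothing.
    pf_is_enabled || pfctl -e >/dev/null 2>&1 || return 1
    pf_is_enabled || return 1
    echo "$active"
}

# Stand-alone use: pf-failclosed.sh /etc/pf.conf
[ $# -eq 0 ] || pf_load_failclosed "$1"
```

Run it in place of a bare `pfctl -f /etc/pf.conf` from whatever starts the firewall, and alert on the word "fallback" in its output: a host that booted into the block-all ruleset is reachable only from its console, which is the intended outcome when the real rules are broken. The fallback ruleset is deliberately tiny so that it has nothing left to fail on.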