author | peter <peter@FreeBSD.org> | 1997-09-10 03:07:14 +0000 |
---|---|---|
committer | peter <peter@FreeBSD.org> | 1997-09-10 03:07:14 +0000 |
commit | 85d28c393b5b832b050e4fc51e0c113811252b1e (patch) | |
tree | fe137a24465391d0983dbe16ca9c30a1139d52e6 /sys/netinet/ip_fw.c | |
parent | 74b863965ccdf828063a0b0413c9ee2c9bac138a (diff) | |
Allow a compile-time override of the ipfw deny rule. For a 'firewall'
you don't want this (and the documentation explains why), but if you
use ipfw as a casual, as-needed filter which normally runs as
'allow all' then having the kernel and /sbin/ipfw get out of sync is a
*MAJOR* pain in the behind.
PR: 4141
Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
Diffstat (limited to 'sys/netinet/ip_fw.c')
-rw-r--r-- | sys/netinet/ip_fw.c | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 22d2200..6f76bde 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
- * $Id: ip_fw.c,v 1.61 1997/08/06 00:19:05 alex Exp $
+ * $Id: ip_fw.c,v 1.62 1997/08/23 14:28:22 alex Exp $
 */
 
 /*
@@ -936,18 +936,23 @@ ip_fw_ctl(int stage, struct mbuf **mm)
 
 void
 ip_fw_init(void)
 {
- struct ip_fw deny;
+ struct ip_fw default_rule;
 
 ip_fw_chk_ptr = ip_fw_chk;
 ip_fw_ctl_ptr = ip_fw_ctl;
 LIST_INIT(&ip_fw_chain);
- bzero(&deny, sizeof deny);
- deny.fw_prot = IPPROTO_IP;
- deny.fw_number = (u_short)-1;
- deny.fw_flg |= IP_FW_F_DENY;
- deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
- if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny))
+ bzero(&default_rule, sizeof default_rule);
+ default_rule.fw_prot = IPPROTO_IP;
+ default_rule.fw_number = (u_short)-1;
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ default_rule.fw_flg |= IP_FW_F_ACCEPT;
+#else
+ default_rule.fw_flg |= IP_FW_F_DENY;
+#endif
+ default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
+ if (check_ipfw_struct(&default_rule) == NULL ||
+ add_entry(&ip_fw_chain, &default_rule))
 panic(__FUNCTION__);
 
 printf("IP packet filtering initialized, "
@@ -956,6 +961,9 @@ ip_fw_init(void)
 #else
 "divert disabled, ");
 #endif
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ printf("default to accept, ");
+#endif
 #ifndef IPFIREWALL_VERBOSE
 printf("logging disabled\n");
 #else |
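Review bot: The boot banner names the default policy only when IPFIREWALL_DEFAULT_TO_ACCEPT is defined (third hunk), so a kernel built with the deny default prints nothing about it and cannot be told apart in dmesg from a build predating this option; reporting the effective default in both configurations keeps the fail-open build auditable. Suggested addition between the new `printf("default to accept, ");` and its `#endif`: `#else` / `printf("default to deny, ");`. In the second hunk, a comment above the `#ifdef` on default_rule would help the next reader, e.g. `/* rule 65535: evaluated last, in both directions; IPFIREWALL_DEFAULT_TO_ACCEPT makes it accept (fail-open) rather than deny */`. ip_fw_init continues past the end of both hunks.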