authorpeter <peter@FreeBSD.org>1997-09-10 03:07:14 +0000
committerpeter <peter@FreeBSD.org>1997-09-10 03:07:14 +0000
commit85d28c393b5b832b050e4fc51e0c113811252b1e (patch)
treefe137a24465391d0983dbe16ca9c30a1139d52e6 /sys/netinet
parent74b863965ccdf828063a0b0413c9ee2c9bac138a (diff)
downloadFreeBSD-src-85d28c393b5b832b050e4fc51e0c113811252b1e.zip
FreeBSD-src-85d28c393b5b832b050e4fc51e0c113811252b1e.tar.gz
Allow a compile-time override of the ipfw deny rule. For a 'firewall'
you don't want this (and the documentation explains why), but if you use ipfw as a casual, as-needed filter that normally runs as 'allow all', then having the kernel and /sbin/ipfw get out of sync is a *MAJOR* pain in the behind. PR: 4141 Submitted by: Heikki Suonsivu <hsu@mail.clinet.fi>
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_fw.c24
1 files changed, 16 insertions, 8 deletions
diff --git a/sys/netinet/ip_fw.c b/sys/netinet/ip_fw.c
index 22d2200..6f76bde 100644
--- a/sys/netinet/ip_fw.c
+++ b/sys/netinet/ip_fw.c
@@ -12,7 +12,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
- * $Id: ip_fw.c,v 1.61 1997/08/06 00:19:05 alex Exp $
+ * $Id: ip_fw.c,v 1.62 1997/08/23 14:28:22 alex Exp $
*/
/*
@@ -936,18 +936,23 @@ ip_fw_ctl(int stage, struct mbuf **mm)
void
ip_fw_init(void)
{
- struct ip_fw deny;
+ struct ip_fw default_rule;
ip_fw_chk_ptr = ip_fw_chk;
ip_fw_ctl_ptr = ip_fw_ctl;
LIST_INIT(&ip_fw_chain);
- bzero(&deny, sizeof deny);
- deny.fw_prot = IPPROTO_IP;
- deny.fw_number = (u_short)-1;
- deny.fw_flg |= IP_FW_F_DENY;
- deny.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
- if (check_ipfw_struct(&deny) == NULL || add_entry(&ip_fw_chain, &deny))
+ bzero(&default_rule, sizeof default_rule);
+ default_rule.fw_prot = IPPROTO_IP;
+ default_rule.fw_number = (u_short)-1;
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ default_rule.fw_flg |= IP_FW_F_ACCEPT;
+#else
+ default_rule.fw_flg |= IP_FW_F_DENY;
+#endif
+ default_rule.fw_flg |= IP_FW_F_IN | IP_FW_F_OUT;
+ if (check_ipfw_struct(&default_rule) == NULL ||
+ add_entry(&ip_fw_chain, &default_rule))
panic(__FUNCTION__);
printf("IP packet filtering initialized, "
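Review bot: The `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` branch turns the terminal rule (number 65535, `(u_short)-1`) into an accept, which means the kernel fails open whenever the userland rule set has not been loaded yet, failed to load, or was flushed; nothing in the code says so, and the commit message defers to documentation that is not in this file. A maintainer reading ip_fw_init later has no warning that this option is unsafe for a perimeter host, so the choice should be documented where it is made: `/* IPFIREWALL_DEFAULT_TO_ACCEPT makes the last-resort rule accept rather than deny: the box fails OPEN while no userland rule set is loaded, so never build a perimeter firewall with it. */` placed above the `#ifdef`. It would also be worth a one-line comment on `default_rule.fw_number = (u_short)-1;` noting that this is the highest possible rule number, so it is always matched last. ip_fw_init's body continues past the end of this hunk (the printf string is split across hunks).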
@@ -956,6 +961,9 @@ ip_fw_init(void)
#else
"divert disabled, ");
#endif
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+ printf("default to accept, ");
+#endif
#ifndef IPFIREWALL_VERBOSE
printf("logging disabled\n");
#else
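Review bot: The boot message only states the policy when the accept variant is compiled in, so a default-deny kernel prints nothing about it and an operator checking dmesg cannot tell whether the option is absent or the message was simply not emitted. Since the policy is fixed at compile time and this printf is the only runtime indication of it, make it explicit in both cases: `#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT` / `printf("default to accept, ");` / `#else` / `printf("default to deny, ");` / `#endif`. If a sysctl node for ip_fw exists elsewhere in this file (not visible in the hunk), exposing the default there would let the policy be queried after the boot messages have scrolled away.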