authorglebius <glebius@FreeBSD.org>2012-09-18 11:07:19 +0000
committerglebius <glebius@FreeBSD.org>2012-09-18 11:07:19 +0000
commitdf8f63316940a8bb3f78ae2c2ab1aafc1a690204 (patch)
tree850ca5ee6c126d9d8eeb9a52cd2a3ea035c7201e /sys/netpfil
parentc3ead4d7df91f96b5c4796a2d0742c691e9bf5cb (diff)
Provide kernel compile time option to make pf(4) default rule to drop.
This is important to secure a small time window at boot, when the network is already configured but pf(4) is not yet. PR: kern/171622 Submitted by: Olivier Cochard-Labbé <olivier cochard.me>
Diffstat (limited to 'sys/netpfil')
-rw-r--r--sys/netpfil/pf/pf_ioctl.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index d2d580d..b97766c 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -216,7 +216,11 @@ pfattach(void)
/* default rule should never be garbage collected */
V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+#ifdef PF_DEFAULT_TO_DROP
+ V_pf_default_rule.action = PF_DROP;
+#else
V_pf_default_rule.action = PF_PASS;
+#endif
V_pf_default_rule.nr = -1;
V_pf_default_rule.rtableid = -1;
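Review bot: The new `#ifdef PF_DEFAULT_TO_DROP` branch carries no comment, so a reader of pfattach() cannot tell what the option is meant to protect or when the chosen action is actually consulted. As far as I can tell from pf's design (not visible in this hunk), the default rule is only hit once pf is enabled and hooked into pfil, so the boot-time window named in the commit message is closed only if pf is enabled before the network comes up; that dependency on rc ordering is worth stating next to the option. I would add above the `#ifdef`: `/* PF_DEFAULT_TO_DROP: block packets matching no rule (e.g. before the first ruleset is loaded). Only takes effect once pf is enabled. */`. If the option is not yet listed in sys/conf/options and NOTES, it should be, so the kernel build rejects a misspelled option instead of silently keeping PF_PASS. pfattach() begins before this hunk.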