From df8f63316940a8bb3f78ae2c2ab1aafc1a690204 Mon Sep 17 00:00:00 2001
From: glebius
Date: Tue, 18 Sep 2012 11:07:19 +0000
Subject: Provide kernel compile time option to make pf(4) default rule to drop.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is important to secure a small timeframe at boot time, when network is already configured, but pf(4) is not yet.

PR: kern/171622
Submitted by: Olivier Cochard-LabbИ
---
 sys/netpfil/pf/pf_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'sys/netpfil/pf')

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index d2d580d..b97766c 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -216,7 +216,11 @@ pfattach(void)
 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
+#ifdef PF_DEFAULT_TO_DROP
+	V_pf_default_rule.action = PF_DROP;
+#else
 	V_pf_default_rule.action = PF_PASS;
+#endif
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;
-- 
cgit v1.1
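Review bot: The new `#ifdef PF_DEFAULT_TO_DROP` block in pfattach() carries no comment, and the operational consequence of a fail-closed default rule is not obvious from the code: once pf is enabled, a flushed ruleset (`pfctl -F rules`) or a `pfctl -f` that fails to parse leaves the default rule as the only rule, so every packet, presumably including lo0 traffic and the remote session doing the loading, is dropped. I would add above the `#ifdef`: `/* PF_DEFAULT_TO_DROP: fail closed while pf is enabled but no ruleset is loaded (e.g. early boot, PR kern/171622); pfctl -F rules or a failed rule load then blocks all traffic. */`. The diff is filtered to sys/netpfil/pf, so whether the option is also registered in sys/conf/options (needed for `options PF_DEFAULT_TO_DROP` in a kernel config rather than a raw CFLAGS define) cannot be checked here and is worth confirming. pfattach() starts and ends outside the hunk.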