pf: Convert PF_DEFAULT_TO_DROP into a vnet loader tunable 'net.pf.default_to_drop'

7f7ef494f1 introduced a compile time option PF_DEFAULT_TO_DROP to make the pf(4) default rule to drop. While this change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the pf(4) module. This change is similiar to that for IPFW [1]. 1. 5f17ebf94d Convert IPFW_DEFAULT_TO_ACCEPT into a loader tunable 'net.inet.ip.fw.default_to_accept' Reviewed by: #network, kp MFC after: 2 weeks Relnotes: yes Differential Revision: https://reviews.freebsd.org/D39866 (cherry picked from commit c531c1d1462c45f7ce5de4f9913226801f3073bd)
2026-05-28 04:12:45 -04:00 · 2023-09-22 18:05:02 +08:00 · 2023-09-22 18:05:02 +08:00 · 13a8e1ab49
commit 13a8e1ab49
parent 056bef09e1
2 changed files with 15 additions and 5 deletions
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@ -87,6 +87,10 @@ Default value is 131072.
 Size of hash table that store source nodes.
 Should be power of 2.
 Default value is 32768.
+.It Va net.pf.default_to_drop
+This value overrides
+.Cd "options PF_DEFAULT_TO_DROP"
+from kernel configuration file.
 .It Va net.pf.rdr_srcport_rewrite_tries
 The maximum number of times to try and find a free source port when handling
 redirects.
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -199,6 +199,16 @@ SYSCTL_BOOL(_net_pf, OID_AUTO, filter_local, CTLFLAG_VNET | CTLFLAG_RW,
    &VNET_NAME(pf_filter_local), false,
    "Enable filtering for packets delivered to local network stack");

+#ifdef PF_DEFAULT_TO_DROP
+VNET_DEFINE_STATIC(bool, default_to_drop) = true;
+#else
+VNET_DEFINE_STATIC(bool, default_to_drop);
+#endif
+#define	V_default_to_drop VNET(default_to_drop)
+SYSCTL_BOOL(_net_pf, OID_AUTO, default_to_drop, CTLFLAG_RDTUN | CTLFLAG_VNET,
+    &VNET_NAME(default_to_drop), false,
+    "Make the default rule drop all packets.");
+
 static void		 pf_init_tagset(struct pf_tagset *, unsigned int *,
 			    unsigned int);
 static void		 pf_cleanup_tagset(struct pf_tagset *);
@ -335,11 +345,7 @@ pfattach_vnet(void)

 	/* default rule should never be garbage collected */
 	V_pf_default_rule.entries.tqe_prev = &V_pf_default_rule.entries.tqe_next;
-#ifdef PF_DEFAULT_TO_DROP
-	V_pf_default_rule.action = PF_DROP;
-#else
-	V_pf_default_rule.action = PF_PASS;
-#endif
+	V_pf_default_rule.action = V_default_to_drop ? PF_DROP : PF_PASS;
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;