Hello, Attached are 3 patches to -current for your consideration. Apply with:
cd /usr/src patch -p1 ... The first, expose-default-pf-rules.patch, lets the sysadm use the rc(8) constructed default pf ruleset. This ability was, in a sense, compromised when 5.8 eliminated the pf_rules variable from rc.conf(8). The acceptance of this patch depends in part on whether or not the default pf ruleset in rc(8) is something you want to make readily accessible or whether it's just there as a stopgap. The supplied patch allows the rc.conf(8) pf variable to be set to MINIMAL (in addition to the current YES and NO). A setting of MINIMAL loads the rc(8) default pf ruleset and enables pf. MINIMAL means that rc(8) does not load /etc/pf.conf. Any loading of /etc/pf.conf is left to the sysadm. Why would anyone want such control? Loading /etc/pf.conf after the daemons have started allows pf.conf to contain (in many cases) names instead of IP numbers, simplifying administration. The host is configured as a slave DNS server (serving only on 127.0.0.1) for locally administered zones. So the host always has more or less up to date copies of the zones available locally without need of network connection. pf.conf can then make use of DNS names in the local zones if loaded after the DNS slave is started. Circumstances depending, this can be easier to administer and less error prone than other methods of copying IP addresses from DNS into pf.conf. Other use-cases come to mind. Enabling pf, using the rc(8) fallback pf ruleset, and delaying the load of /etc/pf.conf until after the completion of boot could allow the sysadm to perform final checks or give a final authorization before the host is made fully available on the network. It could be useful for failure testing, testing what happens when the system is booted with broken /etc/pf.conf content. It provides a dirt simple ssh-only mode. In short the feature does not seem crazy and seems useful. Prior to 5.8 access to the rc(8) default rules was "provided" by the rc.conf(8) pf_rules variable. In rc.conf.local the sysadm could set pf_rules=/etc/pf.conf.boot, and have bad content in pf.conf.boot so that pfctl retains the rc(8) default rules. Then, in /etc/rc.local or otherwise, load /etc/pf.conf. Given the present system I can't think of a clean way to both enable pf early in the boot sequence and avoid manually duplicating the default pf ruleset in rc(8). You could resort to keeping a set of minimal boot-time rules in an anchor in /etc/pf.conf, and then swap out the contents of the anchor when ready. A minor problem is that you have the complication of messing with anchors and having an extra file with your real "runtime" pf rules instead of putting them in /etc/pf.conf. The real problem is that you have to come up with your own set of minimal rules that will let the network configure and the system boot but no more. Alternately, you could put unloadable content in /etc/pf.conf, and keep your real pf rules in, say, /etc/pf.conf.runtime. Because the load of /etc/pf.conf would fail you'd retain the rc(8) default pf rules until you loaded /etc/pf.conf.runtime. But this approach is butt-ugly. The 2nd patch, rc-RULES-doc.patch, documents the default pf ruleset in the rc(8) man page. The documentation in both patches was influenced by the wording of the 2nd paragraph in the DESCRIPTION section of the pfctl(8) man page. The 3rd patch, rc-RULES-doc-fix.patch, eliminates the mention of the RULES variable in rc(8) from the man pages. Note: I did my best with the roff. Where I didn't know what I was doing I tried to find a man page that did something similar and copied that. However I'm no roff expert and may have made mistakes. The generated output looks good to me. Please consider these patches and provide feedback if you'd like something changed. Thank you. Karl <[email protected]> Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein [demime 1.01d removed an attachment of type text/x-patch] [demime 1.01d removed an attachment of type text/x-patch] [demime 1.01d removed an attachment of type text/x-patch]
