On Tue, Nov 15, 2005 at 07:22:56PM -0000, mike scott wrote:
> Not currently an issue, as ipf is statically linked into my kernel, and
> set to block by default. I believe that's pretty well bomb-proof. I'm
> not even sure, come to think of it, that /pf/ can be statically linked
> into the freebsd kernel; I know that's not a pf issue particularly, but
> is still another nail in the coffin, so to speak, from my perspective.
Apply the patch below and recompile your kernel with
option I_AM_A_BUTTON_PUSHING_FOOL
Yes, IPv6 support is included even though I suspect you're compiling a
custom kernel with that disabled.
Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.508
diff -u -r1.508 pf.c
--- pf.c 14 Nov 2005 09:18:55 -0000 1.508
+++ pf.c 16 Nov 2005 05:44:07 -0000
@@ -5748,8 +5748,13 @@
struct pf_pdesc pd;
int off, dirndx, pqid = 0;
- if (!pf_status.running)
+ if (!pf_status.running) {
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ return (PF_DROP);
+#else
return (PF_PASS);
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ }
memset(&pd, 0, sizeof(pd));
if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
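Review bot: The added `return (PF_DROP)` fires before `pd` is initialised and before the function's normal exit path, so a packet dropped because pf is disabled carries no reason, sets no `log`, and presumably never reaches whatever accounting the rest of pf_test does (not visible in this hunk); that is fine for a fail-closed build but should be stated, e.g. `/* I_AM_A_BUTTON_PUSHING_FOOL: fail closed while pf is disabled (pfctl -d); dropped silently, no log or counters */`. The operational consequence is worth a line too: with this option `pfctl -d` stops every packet that reaches pf_test instead of passing it, the opposite of stock behaviour. pf_test begins before this hunk and continues after it.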
@@ -5849,7 +5854,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_tcp(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
break;
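Review bot: When no state matched and the main filter ruleset is empty, the new condition skips `pf_test_tcp` and `action` keeps whatever `pf_test_state_tcp` returned earlier in the function (outside the hunk), while `r`, `reason` and `log` keep their earlier values — so the drop is attributed to no rule and cannot be logged; confirm that is intended, or add an explicit `else { action = PF_DROP; }` with a reason. The same check is pasted at eight sites; one `static __inline int pf_filter_rules_loaded(void)` returning `TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL` would keep them consistent and read better than a bare `&&` on its own line. Separately, the `TAILQ_FIRST(...)` line carries no `+` marker and looks like the `&&` line wrapped by the mailer, so the patch as pasted will not apply cleanly. The enclosing switch case and pf_test continue outside the hunk.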
@@ -5885,7 +5894,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_udp(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
break;
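Review bot: The check reads `active.ptr` on every packet; if a ruleset reload can ever leave the active list momentarily empty, every stateless UDP packet is dropped for that window — confirm that the commit path swaps the active/inactive list pointers rather than emptying and refilling, and note the assumption, e.g. `/* relies on ruleset commit swapping list pointers atomically */`. As in the TCP case, when the condition is false nothing assigns `action`, so the result depends on what `pf_test_state_udp` returned above the hunk. The enclosing switch case continues outside the hunk.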
@@ -5915,7 +5928,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_icmp(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ipintrq);
break;
@@ -5930,7 +5947,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_other(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ipintrq);
break;
@@ -6077,8 +6098,13 @@
struct pf_pdesc pd;
int off, terminal = 0, dirndx;
- if (!pf_status.running)
+ if (!pf_status.running) {
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ return (PF_DROP);
+#else
return (PF_PASS);
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ }
memset(&pd, 0, sizeof(pd));
if ((pd.pf_mtag = pf_get_mtag(m)) == NULL) {
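Review bot: This mirrors the IPv4 early drop, but for IPv6 a fail-closed return also drops ICMPv6 Neighbor Discovery and Router Advertisements if those packets reach pf_test6 (not visible here), which would leave the host unable to resolve neighbours whenever pf is disabled — confirm that is acceptable and record it next to the `#ifdef`, e.g. `/* fail closed: also drops ND/RA while pf is off */`. The two copies of this `#ifdef` block could share one definition, e.g. `#define PF_DISABLED_ACTION PF_DROP` under the option and `PF_PASS` otherwise, so the IPv4 and IPv6 entry points cannot drift apart. pf_test6 begins before this hunk and continues after it.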
@@ -6200,7 +6226,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_tcp(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
break;
@@ -6237,7 +6267,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_udp(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
break;
@@ -6268,7 +6302,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_icmp(&r, &s, dir, kif,
m, off, h, &pd, &a, &ruleset, &ip6intrq);
break;
@@ -6283,7 +6321,11 @@
r = s->rule.ptr;
a = s->anchor.ptr;
log = s->log;
- } else if (s == NULL)
+ } else if (s == NULL
+#ifdef I_AM_A_BUTTON_PUSHING_FOOL
+ &&
TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr) != NULL
+#endif /* I_AM_A_BUTTON_PUSHING_FOOL */
+ )
action = pf_test_other(&r, &s, dir, kif, m, off, h,
&pd, &a, &ruleset, &ip6intrq);
break;