ipfilter: Disable ipfs(8) by default

At the moment ipfs(8) is a tool that can be easily abused. Though the
concept is sound, the implementation needs some work.

ipfs(8) should be considered experimental at the moment.

This commit also makes ipfs support in the kernel optional.

Reviewed by:		emaste, glebius
MFC after:		1 week
Differential revision:	https://reviews.freebsd.org/D53787
Cy Schubert
2025-11-15 23:39:19 -08:00
parent d9788eabff
commit 0ff0c19e7f
8 changed files with 28 additions and 2 deletions
+6 -1
@@ -1,5 +1,10 @@
.include <src.opts.mk>
SUBDIR= libipf .WAIT
SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool
SUBDIR+= ipf ipfstat ipmon ipnat ippool
.if ${MK_IPFILTER_IPFS} != "no"
SUBDIR+= ipfs
.endif
# XXX Temporarily disconnected.
# SUBDIR+= ipftest ipresend ipsend
SUBDIR_PARALLEL=
+1
@@ -209,6 +209,7 @@ __DEFAULT_NO_OPTIONS = \
DTRACE_TESTS \
EXPERIMENTAL \
HESIOD \
IPFILTER_IPFS \
LOADER_VERBOSE \
LOADER_VERIEXEC_PASS_MANIFEST \
LLVM_FULL_DEBUGINFO \
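Review bot: The IPFILTER_IPFS knob added to __DEFAULT_NO_OPTIONS has no description file among the eight files this commit touches; src.conf(5) is generated from the tools/build/options/WITH_* and WITHOUT_* files, so unless one lands separately the new option stays undocumented in the manual. A short `tools/build/options/WITH_IPFILTER_IPFS` along the lines of `Build the experimental ipfs(8) tool and enable its ioctl support in the ipl module.` would cover it. It may also be worth forcing MK_IPFILTER_IPFS to no when MK_IPFILTER is no, in this file's dependent-options section, so the two knobs cannot disagree.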
+1
@@ -1046,6 +1046,7 @@ options IPFILTER #ipfilter support
options IPFILTER_LOG #ipfilter logging
options IPFILTER_LOOKUP #ipfilter pools
options IPFILTER_DEFAULT_BLOCK #block all packets by default
options IPFILTER_IPFS #enable experimental ipfs(8) support
options IPSTEALTH #support for stealth forwarding
options PF_DEFAULT_TO_DROP #drop everything by default
options TCP_BLACKBOX
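Review bot: The comment on the new `options IPFILTER_IPFS` line says "experimental" but not that the matching userland tool is governed by a separate src.conf(5) knob, so a reader of NOTES has no hint that both must be enabled for the option to be useful; suggest `options IPFILTER_IPFS #experimental ipfs(8) support; pair with WITH_IPFILTER_IPFS`. As far as the hunks show, the kernel option and the MK_IPFILTER_IPFS build knob are independent (the ipl module Makefile tests the knob and passes -DIPFILTER_IPFS itself), so a static kernel and a module built from the same tree can disagree on whether these ioctls exist; a sentence saying which one applies to the module would help.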
+1
@@ -449,6 +449,7 @@ IPFILTER opt_ipfilter.h
IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
IPFILTER_LOG opt_ipfilter.h
IPFILTER_LOOKUP opt_ipfilter.h
IPFILTER_IPFS opt_ipfilter.h
IPFIREWALL opt_ipfw.h
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
IPFIREWALL_NAT opt_ipfw.h
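Review bot: The new `IPFILTER_IPFS opt_ipfilter.h` entry is inserted after IPFILTER_LOOKUP, breaking the alphabetical order the surrounding IPFILTER_* lines keep (DEFAULT_BLOCK, LOG, LOOKUP); it belongs between IPFILTER_DEFAULT_BLOCK and IPFILTER_LOG. Keeping this list sorted is what makes duplicate or misplaced entries easy to spot on later merges.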
+7
@@ -1,3 +1,5 @@
.include <src.opts.mk>
.PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet
KMOD= ipl
@@ -9,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h
CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP
.if ${MK_IPFILTER_IPFS} != "no"
CFLAGS+= -DIPFILTER_IPFS
.endif
#
# If you don't want log functionality remove -DIPFILTER_LOG
#
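Review bot: The new conditional block in the second hunk carries no comment, while the lines right after it document how to drop IPFILTER_LOG; a reader of this module Makefile gets no hint that the knob being tested is a src.conf(5) option rather than a kernel config option. Suggest preceding the `.if` with `# Experimental ipfs(8) support; enabled with WITH_IPFILTER_IPFS in src.conf(5), not by the kernel config.` It is also worth stating there that the flag must match the sbin/ipf build, since the tool and the module are switched by the same knob.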
+4 -1
@@ -1337,6 +1337,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);
break;
#ifdef IPFILTER_IPFS
case SIOCSTLCK :
if (!(mode & FWRITE)) {
IPFERROR(60015);
@@ -1372,6 +1373,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
error = EACCES;
}
break;
#endif /* IPFILTER_IPFS */
case SIOCGENITER :
{
@@ -1679,7 +1681,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n,
}
}
#ifdef IPFILTER_IPFS
/* ------------------------------------------------------------------------ */
/* Function: ipf_nat_getsz */
/* Returns: int - 0 == success, != 0 is the error value. */
@@ -2247,6 +2249,7 @@ ipf_nat_putent(ipf_main_softc_t *softc, caddr_t data, int getlock)
}
return (error);
}
#endif /* IPFILTER_IPFS */
/* ------------------------------------------------------------------------ */
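Review bot: With IPFILTER_IPFS undefined, SIOCSTLCK and the other ioctls enclosed by the new `#ifdef` in ipf_nat_ioctl (first two hunks; the function starts and ends outside them) fall through to whatever the switch's default arm returns, presumably a generic error, so an ipfs(8) built WITH_IPFILTER_IPFS against a default kernel gets no distinguishable diagnostic. An `#else` arm for those cases that sets `error = EOPNOTSUPP;` behind a fresh IPFERROR code (placeholder number to be allocated) would make the compiled-out condition explicit in the ipfilter error log rather than looking like a malformed request. The same applies to the `#ifdef` pair in ipf_state_ioctl in ip_state.c. The third hunk replaces one line with the `#ifdef` that wraps ipf_nat_getsz through ipf_nat_putent; if anything outside that region still references those functions (beyond prototypes in a header), it needs the same guard or the build will fail without the option.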
+4
@@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
IPFOBJ_STATESTAT);
break;
#ifdef IPFILTER_IPFS
/*
* Lock/Unlock the state table. (Locking prevents any changes, which
* means no packets match).
@@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
}
error = ipf_state_getent(softc, softs, data);
break;
#endif /* IPFILTER_IPFS */
case SIOCGENITER :
{
@@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
}
#ifdef IPFILTER_IPFS
/* ------------------------------------------------------------------------ */
/* Function: ipf_state_getent */
/* Returns: int - 0 == success, != 0 == failure */
@@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
return (error);
}
#endif /* IPFILTER_IPFS */
/* ------------------------------------------------------------------------ */
+4
@@ -2627,6 +2627,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz
OLD_FILES+=usr/share/man/man8/ippool.8.gz
.endif
.if ${MK_IPFILTER_IPFS} == no
OLD_FILES+=sbin/ipfs
.endif
.if ${MK_IPFW} == no
OLD_FILES+=etc/rc.d/ipfw
OLD_FILES+=etc/rc.d/natd
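Review bot: The new `MK_IPFILTER_IPFS == no` block lists only `sbin/ipfs`; if sbin/ipfs also installs its manual page (the MK_IPFILTER block just above removes ipnat.8.gz and ippool.8.gz, which suggests the ipfilter tools do), `make delete-old` will leave `usr/share/man/man8/ipfs.8.gz` behind when the knob is turned off on an existing system. Suggest adding `OLD_FILES+=usr/share/man/man8/ipfs.8.gz` to the block, plus the matching debug file if this tree installs one for sbin/ipfs.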