ipfilter: Disable ipfs(8) by default
At the moment ipfs(8) is a tool that can be easily abused. Though the concept is sound the implementation needs some work. ipfs(8) should be considered experimental at the moment. This commit also makes ipfs support in the kernel optional. Reviewed by: emaste, glebius MFC after: 1 week Differential revision: https://reviews.freebsd.org/D53787
+6
-1
@@ -1,5 +1,10 @@
|
||||
.include <src.opts.mk>
|
||||
|
||||
SUBDIR= libipf .WAIT
|
||||
SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool
|
||||
SUBDIR+= ipf ipfstat ipmon ipnat ippool
|
||||
.if ${MK_IPFILTER_IPFS} != "no"
|
||||
SUBDIR+= ipfs
|
||||
.endif
|
||||
# XXX Temporarily disconnected.
|
||||
# SUBDIR+= ipftest ipresend ipsend
|
||||
SUBDIR_PARALLEL=
|
||||
|
||||
@@ -209,6 +209,7 @@ __DEFAULT_NO_OPTIONS = \
|
||||
DTRACE_TESTS \
|
||||
EXPERIMENTAL \
|
||||
HESIOD \
|
||||
IPFILTER_IPFS \
|
||||
LOADER_VERBOSE \
|
||||
LOADER_VERIEXEC_PASS_MANIFEST \
|
||||
LLVM_FULL_DEBUGINFO \
|
||||
|
||||
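Review bot: IPFILTER_IPFS is added to __DEFAULT_NO_OPTIONS with no visible dependency on MK_IPFILTER, so a WITH_IPFILTER_IPFS plus WITHOUT_IPFILTER build leaves the new knob set while nothing that consumes it is built; if the dependency section of src.opts.mk is not adjusted elsewhere in this change, consider forcing it off there with `.if ${MK_IPFILTER} == "no"` / `MK_IPFILTER_IPFS:= no` / `.endif`. A new src.opts.mk option normally also ships a description file under tools/build/options/ (WITH_ or WITHOUT_IPFILTER_IPFS) so src.conf(5) documents it; none is shown on this page, so check that it is part of the commit. The option list continues outside the hunk.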
@@ -1046,6 +1046,7 @@ options IPFILTER #ipfilter support
|
||||
options IPFILTER_LOG #ipfilter logging
|
||||
options IPFILTER_LOOKUP #ipfilter pools
|
||||
options IPFILTER_DEFAULT_BLOCK #block all packets by default
|
||||
options IPFILTER_IPFS #enable experimental ipfs(8) support
|
||||
options IPSTEALTH #support for stealth forwarding
|
||||
options PF_DEFAULT_TO_DROP #drop everything by default
|
||||
options TCP_BLACKBOX
|
||||
|
||||
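Review bot: The NOTES comment `#enable experimental ipfs(8) support` does not tell a kernel-config author what the option compiles in, which matters because the commit message describes ipfs(8) as easily abused. The option gates the table-lock and entry get/put ioctl handlers in ipf_nat_ioctl() and ipf_state_ioctl() (the SIOCSTLCK case and the ipf_nat_putent/ipf_state_getent paths), so the comment could say so, e.g. `options IPFILTER_IPFS #experimental: table lock and entry get/put ioctls used by ipfs(8)`, making the trade-off visible where the option is chosen.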
@@ -449,6 +449,7 @@ IPFILTER opt_ipfilter.h
|
||||
IPFILTER_DEFAULT_BLOCK opt_ipfilter.h
|
||||
IPFILTER_LOG opt_ipfilter.h
|
||||
IPFILTER_LOOKUP opt_ipfilter.h
|
||||
IPFILTER_IPFS opt_ipfilter.h
|
||||
IPFIREWALL opt_ipfw.h
|
||||
IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h
|
||||
IPFIREWALL_NAT opt_ipfw.h
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
.include <src.opts.mk>
|
||||
|
||||
.PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet
|
||||
|
||||
KMOD= ipl
|
||||
@@ -9,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h
|
||||
|
||||
CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
|
||||
CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP
|
||||
|
||||
.if ${MK_IPFILTER_IPFS} != "no"
|
||||
CFLAGS+= -DIPFILTER_IPFS
|
||||
.endif
|
||||
|
||||
#
|
||||
# If you don't want log functionality remove -DIPFILTER_LOG
|
||||
#
|
||||
|
||||
@@ -1337,6 +1337,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
|
||||
error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);
|
||||
break;
|
||||
|
||||
#ifdef IPFILTER_IPFS
|
||||
case SIOCSTLCK :
|
||||
if (!(mode & FWRITE)) {
|
||||
IPFERROR(60015);
|
||||
@@ -1372,6 +1373,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
|
||||
error = EACCES;
|
||||
}
|
||||
break;
|
||||
#endif /* IPFILTER_IPFS */
|
||||
|
||||
case SIOCGENITER :
|
||||
{
|
||||
@@ -1679,7 +1681,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
#ifdef IPFILTER_IPFS
|
||||
/* ------------------------------------------------------------------------ */
|
||||
/* Function: ipf_nat_getsz */
|
||||
/* Returns: int - 0 == success, != 0 is the error value. */
|
||||
@@ -2247,6 +2249,7 @@ ipf_nat_putent(ipf_main_softc_t *softc, caddr_t data, int getlock)
|
||||
}
|
||||
return (error);
|
||||
}
|
||||
#endif /* IPFILTER_IPFS */
|
||||
|
||||
|
||||
/* ------------------------------------------------------------------------ */
|
||||
|
||||
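Review bot: The new `#ifdef IPFILTER_IPFS` guards around the SIOCSTLCK case in ipf_nat_ioctl() and around ipf_nat_getsz()..ipf_nat_putent() only take effect in a static kernel if this translation unit includes opt_ipfilter.h, which the options hunk makes the home of IPFILTER_IPFS; the module build gets the macro from the Makefile's -DIPFILTER_IPFS instead. The file's include block is outside these hunks, so please confirm it is there, otherwise `options IPFILTER_IPFS` in a kernel config would silently do nothing; the same applies to the ipf_state_ioctl(), ipf_state_getent() and ipf_state_putent() hunks. With the option off, SIOCSTLCK and the other compiled-out cases fall to the switch's default arm (also outside the hunk); it is worth checking that it returns an error rather than 0, so an ipfs(8) built WITH_IPFILTER_IPFS talking to a kernel without the option fails loudly instead of appearing to succeed.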
@@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
|
||||
IPFOBJ_STATESTAT);
|
||||
break;
|
||||
|
||||
#ifdef IPFILTER_IPFS
|
||||
/*
|
||||
* Lock/Unlock the state table. (Locking prevents any changes, which
|
||||
* means no packets match).
|
||||
@@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
|
||||
}
|
||||
error = ipf_state_getent(softc, softs, data);
|
||||
break;
|
||||
#endif /* IPFILTER_IPFS */
|
||||
|
||||
case SIOCGENITER :
|
||||
{
|
||||
@@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
|
||||
}
|
||||
|
||||
|
||||
#ifdef IPFILTER_IPFS
|
||||
/* ------------------------------------------------------------------------ */
|
||||
/* Function: ipf_state_getent */
|
||||
/* Returns: int - 0 == success, != 0 == failure */
|
||||
@@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
|
||||
|
||||
return (error);
|
||||
}
|
||||
#endif /* IPFILTER_IPFS */
|
||||
|
||||
|
||||
/* ------------------------------------------------------------------------ */
|
||||
|
||||
@@ -2627,6 +2627,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz
|
||||
OLD_FILES+=usr/share/man/man8/ippool.8.gz
|
||||
.endif
|
||||
|
||||
.if ${MK_IPFILTER_IPFS} == no
|
||||
OLD_FILES+=sbin/ipfs
|
||||
.endif
|
||||
|
||||
.if ${MK_IPFW} == no
|
||||
OLD_FILES+=etc/rc.d/ipfw
|
||||
OLD_FILES+=etc/rc.d/natd
|
||||
|
||||
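Review bot: The new `.if ${MK_IPFILTER_IPFS} == no` block removes only `sbin/ipfs`, while the block just above it lists the manual pages of the other ipf tools (`usr/share/man/man8/ippool.8.gz` is visible); since ipfs(8) is no longer built when the option is off, its manual page becomes stale too and should be listed here, `OLD_FILES+=usr/share/man/man8/ipfs.8.gz`, together with the matching debug-symbol entry if this file tracks those for the other ipf tools. If ipfs.8.gz currently sits in the MK_IPFILTER block above (not shown), it is only removed when all of ipfilter is disabled, so it should move into the new block.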