The branch stable/15 has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=91de9b501aa7d8f108b596bc52583dbafac1d262
commit 91de9b501aa7d8f108b596bc52583dbafac1d262 Author: Cy Schubert <[email protected]> AuthorDate: 2025-11-16 07:39:19 +0000 Commit: Cy Schubert <[email protected]> CommitDate: 2026-01-05 20:00:01 +0000 ipfilter: Disable ipfs(8) by default At the moment ipfs(8) is a tool that can be easily abused. Though the concept is sound the implementation needs some work. ipfs(8) should be considered experimental at the moment. This commit also makes ipfs support in the kernel optional. Reviewed by: emaste, glebius MFC after: 1 week Differential revision: https://reviews.freebsd.org/D53787 (cherry picked from commit 0ff0c19e7f70bc4d3f98196a8ad43de635cf13e5) --- sbin/ipf/Makefile | 7 ++++++- share/mk/src.opts.mk | 1 + sys/conf/NOTES | 1 + sys/conf/options | 1 + sys/modules/ipfilter/Makefile | 7 +++++++ sys/netpfil/ipfilter/netinet/ip_nat.c | 5 ++++- sys/netpfil/ipfilter/netinet/ip_state.c | 4 ++++ tools/build/mk/OptionalObsoleteFiles.inc | 4 ++++ 8 files changed, 28 insertions(+), 2 deletions(-) diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile index 1b0a18d3d9c3..b64b09584b48 100644 --- a/sbin/ipf/Makefile +++ b/sbin/ipf/Makefile @@ -1,5 +1,10 @@ +.include <src.opts.mk> + SUBDIR= libipf .WAIT -SUBDIR+= ipf ipfs ipfstat ipmon ipnat ippool +SUBDIR+= ipf ipfstat ipmon ipnat ippool +.if ${MK_IPFILTER_IPFS} != "no" +SUBDIR+= ipfs +.endif # XXX Temporarily disconnected. # SUBDIR+= ipftest ipresend ipsend SUBDIR_PARALLEL= diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk index 1167d7f7b812..92634425f770 100644 --- a/share/mk/src.opts.mk +++ b/share/mk/src.opts.mk @@ -208,6 +208,7 @@ __DEFAULT_NO_OPTIONS = \ DTRACE_TESTS \ EXPERIMENTAL \ HESIOD \ + IPFILTER_IPFS \ LOADER_VERBOSE \ LOADER_VERIEXEC_PASS_MANIFEST \ LLVM_ASSERTIONS \ diff --git a/sys/conf/NOTES b/sys/conf/NOTES index cdfdd09fc1a0..46787d2e690a 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1045,6 +1045,7 @@ options IPFILTER #ipfilter support options IPFILTER_LOG #ipfilter logging options IPFILTER_LOOKUP #ipfilter pools options IPFILTER_DEFAULT_BLOCK #block all packets by default +options IPFILTER_IPFS #enable experimental ipfs(8) support options IPSTEALTH #support for stealth forwarding options PF_DEFAULT_TO_DROP #drop everything by default options TCP_BLACKBOX diff --git a/sys/conf/options b/sys/conf/options index b48ad1cf42cf..9e9cb6aeb6b3 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -448,6 +448,7 @@ IPFILTER opt_ipfilter.h IPFILTER_DEFAULT_BLOCK opt_ipfilter.h IPFILTER_LOG opt_ipfilter.h IPFILTER_LOOKUP opt_ipfilter.h +IPFILTER_IPFS opt_ipfilter.h IPFIREWALL opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_NAT opt_ipfw.h diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile index 6c5fc140f36c..969df7dfad84 100644 --- a/sys/modules/ipfilter/Makefile +++ b/sys/modules/ipfilter/Makefile @@ -1,3 +1,5 @@ +.include <src.opts.mk> + .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet KMOD= ipl @@ -9,6 +11,11 @@ SRCS+= opt_bpf.h opt_inet6.h opt_kern_tls.h CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP + +.if ${MK_IPFILTER_IPFS} != "no" +CFLAGS+= -DIPFILTER_IPFS +.endif + # # If you don't want log functionality remove -DIPFILTER_LOG # diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c index d83454185609..ec5a431dc47f 100644 --- a/sys/netpfil/ipfilter/netinet/ip_nat.c +++ b/sys/netpfil/ipfilter/netinet/ip_nat.c @@ -1340,6 +1340,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx); break; +#ifdef IPFILTER_IPFS case SIOCSTLCK : if (!(mode & FWRITE)) { IPFERROR(60015); @@ -1375,6 +1376,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, error = EACCES; } break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -1682,7 +1684,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n, } } - +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_nat_getsz */ /* Returns: int - 0 == success, != 0 is the error value. */ @@ -2250,6 +2252,7 @@ junkput: } return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c index 36fdf23cd062..8a21e7593995 100644 --- a/sys/netpfil/ipfilter/netinet/ip_state.c +++ b/sys/netpfil/ipfilter/netinet/ip_state.c @@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, IPFOBJ_STATESTAT); break; +#ifdef IPFILTER_IPFS /* * Lock/Unlock the state table. (Locking prevents any changes, which * means no packets match). @@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } error = ipf_state_getent(softc, softs, data); break; +#endif /* IPFILTER_IPFS */ case SIOCGENITER : { @@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd, } +#ifdef IPFILTER_IPFS /* ------------------------------------------------------------------------ */ /* Function: ipf_state_getent */ /* Returns: int - 0 == success, != 0 == failure */ @@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs, return (error); } +#endif /* IPFILTER_IPFS */ /* ------------------------------------------------------------------------ */ diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc index d7131d01ef37..a7ae52650999 100644 --- a/tools/build/mk/OptionalObsoleteFiles.inc +++ b/tools/build/mk/OptionalObsoleteFiles.inc @@ -2630,6 +2630,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz OLD_FILES+=usr/share/man/man8/ippool.8.gz .endif +.if ${MK_IPFILTER_IPFS} == no +OLD_FILES+=sbin/ipfs +.endif + .if ${MK_IPFW} == no OLD_FILES+=etc/rc.d/ipfw OLD_FILES+=etc/rc.d/natd
