Bug 211928 - [pf] /etc/rc.d/pf should REQUIRE routing
Summary: [pf] /etc/rc.d/pf should REQUIRE routing
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 11.2-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mateusz Piotrowski
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-08-17 09:10 UTC by Robert Schulze
Modified: 2022-07-26 15:00 UTC

See Also:


Attachments
/etc/rc.d/pf: move routing to REQUIRE (299 bytes, patch)
2016-08-17 09:10 UTC, Robert Schulze

Description Robert Schulze 2016-08-17 09:10:27 UTC
Created attachment 173767 [details]
/etc/rc.d/pf: move routing to REQUIRE

When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in /etc/pf.conf, these hostnames cannot be resolved via external nameservers because the default route is not yet set. This results in an empty (all open) ruleset.

Fix: move routing from BEFORE to REQUIRE.

Since r195026 already put netif back to REQUIRE, this change does not affect the issue that the firewall should rather have been set up _before_ any network traffic can occur.

with kind regards,
Robert Schulze
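The failure mode described in this report (pf starting before the default route exists, so hostnames in /etc/pf.conf fail to resolve and the host boots with an empty, all-open ruleset) can be checked for rather than trusted. The script below is an added example written for this page, not the attached patch or any FreeBSD code. It shows two checks an operator can run: that `pf` is ordered after `routing` in rcorder(8) output, and that the loaded ruleset is not empty. The sample rcorder and `pfctl -sr` outputs embedded in it are constructed and abridged; on a real host they would come from `rcorder /etc/rc.d/*` and `pfctl -sr`.

```shell
#!/bin/sh
# Added example: verify rc.d ordering and a non-empty pf ruleset.
# Not code from the bug report or from FreeBSD.

# Constructed, abridged sample of `rcorder /etc/rc.d/*` output BEFORE the fix:
# pf is declared "BEFORE: routing", so it runs with no default route yet.
SAMPLE_BEFORE_FIX="/etc/rc.d/netif
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/routing
/etc/rc.d/sshd"

# Constructed sample AFTER the fix: routing moved into pf's REQUIRE list,
# so pf now starts after the default route is installed.
SAMPLE_AFTER_FIX="/etc/rc.d/netif
/etc/rc.d/routing
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/sshd"

# Constructed sample of `pfctl -sr` output from a host that loaded its rules.
RULES_LOADED="block drop in all
pass out all flags S/SA keep state"

# ordered_after LIST FIRST SECOND
# Exit 0 if script SECOND appears after script FIRST in LIST (one path per
# line, as rcorder prints it); non-zero if either is missing or the order
# is wrong. Only the basename of each path is compared.
ordered_after() {
    printf '%s\n' "$1" | awk -v first="$2" -v second="$3" '
        { n = split($0, parts, "/"); name = parts[n] }
        name == first  { pos_first = NR }
        name == second { pos_second = NR }
        END { exit !(pos_first && pos_second && pos_second > pos_first) }'
}

# rule_count TEXT
# Print the number of non-blank lines in TEXT (the rules pfctl -sr listed).
# Zero means the firewall came up with an empty, all-open ruleset.
rule_count() {
    printf '%s' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed samples.
for sample in "$SAMPLE_BEFORE_FIX" "$SAMPLE_AFTER_FIX"; do
    if ordered_after "$sample" routing pf; then
        echo "ok: pf is ordered after routing"
    else
        echo "WARNING: pf starts before routing; hostnames in pf.conf may not resolve"
    fi
done

count=$(rule_count "$RULES_LOADED")
if [ "$count" -eq 0 ]; then
    echo "WARNING: pf ruleset is empty (all traffic allowed)"
else
    echo "ok: $count rules loaded"
fi
```

On a live host, replace the constructed samples with `ordered_after "$(rcorder /etc/rc.d/* 2>/dev/null)" routing pf` and `rule_count "$(pfctl -sr)"`. The ruleset check is the one worth wiring into monitoring: even with the ordering fixed, a typo or an unreachable resolver at boot still produces the same silent all-open state, and a zero rule count is the cheapest signal that it happened.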
Comment 1 Mateusz Kwiatkowski 2020-10-08 07:43:38 UTC
I'm affected by this in 12.1-RELEASE-p10.
Comment 2 commit-hook freebsd_committer freebsd_triage 2020-10-08 11:46:04 UTC
A commit references this bug:

Author: kaktus
Date: Thu Oct  8 11:45:11 UTC 2020
New revision: 366537
URL: https://svnweb.freebsd.org/changeset/base/366537

Log:
  [pf] /etc/rc.d/pf should REQUIRE routing

  When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in
  /etc/pf.conf, these hostnames cannot be resolved via external nameservers
  because the default route is not yet set. This results in an empty
  (all open) ruleset.

  Since r195026 already put netif back to REQUIRE, this change does not affect
  the issue that the firewall should rather have been setup before any
  network traffic can occur.

  PR:		211928
  Submitted by:	Robert Schulze
  Reported by:	Robert Schulze
  Tested by:	Mateusz Kwiatkowski
  No objections from:	kp
  MFC after:	3 days

Changes:
  head/libexec/rc/rc.d/pf
Comment 3 Mateusz Piotrowski freebsd_committer freebsd_triage 2022-07-26 14:51:07 UTC
Still not merged into 12-STABLE. I'll try to get it merged.
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-07-26 15:00:31 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ca80dd4ed3845c0d783e772bf906911b4c23fdc3

commit ca80dd4ed3845c0d783e772bf906911b4c23fdc3
Author:     Pawel Biernacki <kaktus@FreeBSD.org>
AuthorDate: 2020-10-08 11:45:10 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2022-07-26 14:58:47 +0000

    [pf] /etc/rc.d/pf should REQUIRE routing

    When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in
    /etc/pf.conf, these hostnames cannot be resolved via external nameservers
    because the default route is not yet set. This results in an empty
    (all open) ruleset.

    Since r195026 already put netif back to REQUIRE, this change does not affect
    the issue that the firewall should rather have been setup before any
    network traffic can occur.

    PR:             211928
    Submitted by:   Robert Schulze
    Reported by:    Robert Schulze
    Tested by:      Mateusz Kwiatkowski
    No objections from:     kp
    MFC after:      3 days

    (cherry picked from commit 9ef917591248e35efea846d0d743b74503387099)

    Approved by:    kp

 libexec/rc/rc.d/pf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
Comment 5 Mateusz Piotrowski freebsd_committer freebsd_triage 2022-07-26 15:00:50 UTC
Merged, thanks!