From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 256410] pf: Add pf_default_rules option
Date: Sat, 05 Jun 2021 19:06:13 +0000
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
X-Bugzilla-Product: Base System
X-Bugzilla-Component: misc
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256410

Miroslav Lachman <000.fbsd@quip.cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |000.fbsd@quip.cz

--- Comment #5 from Miroslav Lachman <000.fbsd@quip.cz> ---
Wouldn't it be better to use pf_check() before loading the ruleset in
pf_start() and then decide if the "default" ruleset should be loaded?

Many rc scripts do check for syntax errors in config files before loading /
running the daemon (Apache, Lighttpd, Nginx...)

It will be useful to run this check before service pf start / reload / restart
commands in general.

And if there can be any default rule(s) to load if something failed, then it
will be good to have some option to load rules from a file, not just the one
line from a variable, too. On some remote boxes it is better to leave SSH (or
something else) open if loading of rules failed than block everything.
Something like this comes to my mind:

  if check of pf.conf failed
    check if /etc/pf.conf.default is a file & try to load it
    if pf.conf.default does not exist, use one line rule from pf_default_rules
    variable

Of course pf.conf.default can be named differently, or can be
/etc/defaults/pf.conf etc.

-- 
You are receiving this mail because:
You are the assignee for the bug.
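The fallback order sketched in the comment above, written out as POSIX sh in the style of an rc.d helper. This is an added example and is not code from the bug report or from FreeBSD's own /etc/rc.d/pf. It assumes pfctl(8) at $PFCTL (`pfctl -n -f FILE` parses a ruleset without loading it, `pfctl -f -` reads rules from standard input); `pf_default_file` and the default value of `pf_default_rules` are constructed for this example.

```shell
#!/bin/sh
# Added example: syntax-check pf.conf first, then fall back to a default
# ruleset file, then to a one-line rule, so a broken pf.conf does not leave
# the box unreachable. Not FreeBSD's rc.d/pf code.

# Assumptions (constructed defaults, override from the environment/rc.conf):
: "${PFCTL:=/sbin/pfctl}"                         # pfctl(8) binary
: "${pf_rules:=/etc/pf.conf}"                     # the normal ruleset
: "${pf_default_file:=/etc/pf.conf.default}"      # hypothetical fallback file
# Constructed one-line fallback: keep the management path (SSH) reachable.
: "${pf_default_rules:=pass in proto tcp to port 22}"

# pf_check FILE: 0 if FILE exists and parses cleanly (pfctl -n = parse only,
# do not load), 1 otherwise.
pf_check() {
    [ -f "$1" ] || return 1
    "$PFCTL" -n -f "$1" >/dev/null 2>&1
}

# pf_select_ruleset: print which ruleset source should be loaded, in the
# order proposed in the comment:
#   1. "file:$pf_rules"        if pf.conf parses;
#   2. "file:$pf_default_file" if the default file exists and parses;
#   3. "inline:$pf_default_rules" as the last resort.
# Returns 2 (prints nothing) when none of the three is usable.
pf_select_ruleset() {
    if pf_check "$pf_rules"; then
        printf 'file:%s\n' "$pf_rules"
    elif pf_check "$pf_default_file"; then
        printf 'file:%s\n' "$pf_default_file"
    elif [ -n "$pf_default_rules" ]; then
        printf 'inline:%s\n' "$pf_default_rules"
    else
        return 2
    fi
}

# pf_load_selected: load whatever pf_select_ruleset chose, warning on stderr
# when the fallback path is taken so the operator notices the broken pf.conf.
pf_load_selected() {
    sel=$(pf_select_ruleset) || { echo "pf: no usable ruleset" >&2; return 1; }
    case $sel in
        "file:$pf_rules")
            "$PFCTL" -f "$pf_rules" ;;
        file:*)
            echo "pf: $pf_rules failed to parse, loading ${sel#file:}" >&2
            "$PFCTL" -f "${sel#file:}" ;;
        inline:*)
            echo "pf: $pf_rules failed to parse, loading pf_default_rules" >&2
            printf '%s\n' "${sel#inline:}" | "$PFCTL" -f - ;;
    esac
}

# Stand-alone use: PF_EXAMPLE_RUN=1 sh this_file.sh (needs pfctl and root).
if [ "${PF_EXAMPLE_RUN:-}" = 1 ]; then
    pf_load_selected
fi
```

`pf_select_ruleset` is kept separate from `pf_load_selected` so the decision can be tested (or logged) without touching the running firewall; the same check is what a `service pf check` or pre-reload step would call.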