ipfilter: Disable ipfs(8) by default

cschuber · cschuber · commit 0ff0c19e7f70 · 2025-12-08T08:15:18.000-08:00
At the moment ipfs(8) is a tool that can be easily abused. Though the concept is sound the implementation needs some work. ipfs(8) should be considered experimental at the moment. This commit also makes ipfs support in the kernel optional. Reviewed by: emaste, glebius MFC after: 1 week Differential revision: https://reviews.freebsd.org/D53787
diff --git a/sbin/ipf/Makefile b/sbin/ipf/Makefile
@@ -1,5 +1,10 @@
+.include <src.opts.mk>
+
 SUBDIR=		libipf .WAIT
-SUBDIR+=	ipf ipfs ipfstat ipmon ipnat ippool
+SUBDIR+=	ipf ipfstat ipmon ipnat ippool
+.if ${MK_IPFILTER_IPFS} != "no"
+SUBDIR+=	ipfs
+.endif
 # XXX Temporarily disconnected.
 # SUBDIR+=	ipftest ipresend ipsend
 SUBDIR_PARALLEL=
diff --git a/share/mk/src.opts.mk b/share/mk/src.opts.mk
@@ -209,6 +209,7 @@ __DEFAULT_NO_OPTIONS = \
     DTRACE_TESTS \
     EXPERIMENTAL \
     HESIOD \
+    IPFILTER_IPFS \
     LOADER_VERBOSE \
     LOADER_VERIEXEC_PASS_MANIFEST \
     LLVM_FULL_DEBUGINFO \
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
@@ -1046,6 +1046,7 @@ options 	IPFILTER		#ipfilter support
 options 	IPFILTER_LOG		#ipfilter logging
 options 	IPFILTER_LOOKUP		#ipfilter pools
 options 	IPFILTER_DEFAULT_BLOCK	#block all packets by default
+options		IPFILTER_IPFS		#enable experimental ipfs(8) support
 options 	IPSTEALTH		#support for stealth forwarding
 options 	PF_DEFAULT_TO_DROP	#drop everything by default
 options 	TCP_BLACKBOX
diff --git a/sys/conf/options b/sys/conf/options
@@ -449,6 +449,7 @@ IPFILTER		opt_ipfilter.h
 IPFILTER_DEFAULT_BLOCK	opt_ipfilter.h
 IPFILTER_LOG		opt_ipfilter.h
 IPFILTER_LOOKUP		opt_ipfilter.h
+IPFILTER_IPFS		opt_ipfilter.h
 IPFIREWALL		opt_ipfw.h
 IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
 IPFIREWALL_NAT		opt_ipfw.h
diff --git a/sys/modules/ipfilter/Makefile b/sys/modules/ipfilter/Makefile
@@ -1,3 +1,5 @@
+.include <src.opts.mk>
+
 .PATH: ${SRCTOP}/sys/netpfil/ipfilter/netinet
 
 KMOD=	ipl
@@ -9,6 +11,11 @@ SRCS+=	opt_bpf.h opt_inet6.h opt_kern_tls.h
 
 CFLAGS+= -I${SRCTOP}/sys/netpfil/ipfilter
 CFLAGS+= -DIPFILTER=1 -DIPFILTER_LKM -DIPFILTER_LOG -DIPFILTER_LOOKUP
+
+.if ${MK_IPFILTER_IPFS} != "no"
+CFLAGS+= -DIPFILTER_IPFS
+.endif
+
 #
 # If you don't want log functionality remove -DIPFILTER_LOG
 #
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -1337,6 +1337,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
 		error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);
 		break;
 
+#ifdef IPFILTER_IPFS
 	case SIOCSTLCK :
 		if (!(mode & FWRITE)) {
 			IPFERROR(60015);
@@ -1372,6 +1373,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
 			error = EACCES;
 		}
 		break;
+#endif /* IPFILTER_IPFS */
 
 	case SIOCGENITER :
 	    {
@@ -1679,7 +1681,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t *softc, ipf_nat_softc_t *softn, ipnat_t *n,
 	}
 }
 
-
+#ifdef IPFILTER_IPFS
 /* ------------------------------------------------------------------------ */
 /* Function:    ipf_nat_getsz                                               */
 /* Returns:     int - 0 == success, != 0 is the error value.                */
@@ -2247,6 +2249,7 @@ ipf_nat_putent(ipf_main_softc_t *softc, caddr_t data, int getlock)
 	}
 	return (error);
 }
+#endif /* IPFILTER_IPFS */
 
 
 /* ------------------------------------------------------------------------ */
diff --git a/sys/netpfil/ipfilter/netinet/ip_state.c b/sys/netpfil/ipfilter/netinet/ip_state.c
@@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
 				   IPFOBJ_STATESTAT);
 		break;
 
+#ifdef IPFILTER_IPFS
 	/*
 	 * Lock/Unlock the state table.  (Locking prevents any changes, which
 	 * means no packets match).
@@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
 		}
 		error = ipf_state_getent(softc, softs, data);
 		break;
+#endif /* IPFILTER_IPFS */
 
 	case SIOCGENITER :
 	    {
@@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,
 }
 
 
+#ifdef IPFILTER_IPFS
 /* ------------------------------------------------------------------------ */
 /* Function:    ipf_state_getent                                            */
 /* Returns:     int - 0 == success, != 0 == failure                         */
@@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t *softc, ipf_state_softc_t *softs,
 
 	return (error);
 }
+#endif /* IPFILTER_IPFS */
 
 
 /* ------------------------------------------------------------------------ */
diff --git a/tools/build/mk/OptionalObsoleteFiles.inc b/tools/build/mk/OptionalObsoleteFiles.inc
@@ -2627,6 +2627,10 @@ OLD_FILES+=usr/share/man/man8/ipnat.8.gz
 OLD_FILES+=usr/share/man/man8/ippool.8.gz
 .endif
 
+.if ${MK_IPFILTER_IPFS} == no
+OLD_FILES+=sbin/ipfs
+.endif
+
 .if ${MK_IPFW} == no
 OLD_FILES+=etc/rc.d/ipfw
 OLD_FILES+=etc/rc.d/natd

Original file line number	Diff line number	Diff line change
`@@ -1337,6 +1337,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,`
`1337`	`1337`	`error = ipf_proxy_ioctl(softc, data, cmd, mode, ctx);`
`1338`	`1338`	`break;`
`1339`	`1339`
	`1340`	`+#ifdef IPFILTER_IPFS`
`1340`	`1341`	`case SIOCSTLCK :`
`1341`	`1342`	`if (!(mode & FWRITE)) {`
`1342`	`1343`	`IPFERROR(60015);`
`@@ -1372,6 +1373,7 @@ ipf_nat_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,`
`1372`	`1373`	`error = EACCES;`
`1373`	`1374`	`}`
`1374`	`1375`	`break;`
	`1376`	`+#endif /* IPFILTER_IPFS */`
`1375`	`1377`
`1376`	`1378`	`case SIOCGENITER :`
`1377`	`1379`	`{`
`@@ -1679,7 +1681,7 @@ ipf_nat_siocdelnat(ipf_main_softc_t softc, ipf_nat_softc_t softn, ipnat_t *n,`
`1679`	`1681`	`}`
`1680`	`1682`	`}`
`1681`	`1683`
`1682`		`-`
	`1684`	`+#ifdef IPFILTER_IPFS`
`1683`	`1685`	`/* ------------------------------------------------------------------------ */`
`1684`	`1686`	`/* Function: ipf_nat_getsz */`
`1685`	`1687`	`/* Returns: int - 0 == success, != 0 is the error value. */`
`@@ -2247,6 +2249,7 @@ ipf_nat_putent(ipf_main_softc_t *softc, caddr_t data, int getlock)`
`2247`	`2249`	`}`
`2248`	`2250`	`return (error);`
`2249`	`2251`	`}`
	`2252`	`+#endif /* IPFILTER_IPFS */`
`2250`	`2253`
`2251`	`2254`
`2252`	`2255`	`/* ------------------------------------------------------------------------ */`
Original file line number	Diff line number	Diff line change
`@@ -709,6 +709,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,`
`709`	`709`	`IPFOBJ_STATESTAT);`
`710`	`710`	`break;`
`711`	`711`
	`712`	`+#ifdef IPFILTER_IPFS`
`712`	`713`	`/*`
`713`	`714`	`* Lock/Unlock the state table. (Locking prevents any changes, which`
`714`	`715`	`* means no packets match).`
`@@ -745,6 +746,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,`
`745`	`746`	`}`
`746`	`747`	`error = ipf_state_getent(softc, softs, data);`
`747`	`748`	`break;`
	`749`	`+#endif /* IPFILTER_IPFS */`
`748`	`750`
`749`	`751`	`case SIOCGENITER :`
`750`	`752`	`{`
`@@ -801,6 +803,7 @@ ipf_state_ioctl(ipf_main_softc_t *softc, caddr_t data, ioctlcmd_t cmd,`
`801`	`803`	`}`
`802`	`804`
`803`	`805`
	`806`	`+#ifdef IPFILTER_IPFS`
`804`	`807`	`/* ------------------------------------------------------------------------ */`
`805`	`808`	`/* Function: ipf_state_getent */`
`806`	`809`	`/* Returns: int - 0 == success, != 0 == failure */`
`@@ -1005,6 +1008,7 @@ ipf_state_putent(ipf_main_softc_t softc, ipf_state_softc_t softs,`
`1005`	`1008`
`1006`	`1009`	`return (error);`
`1007`	`1010`	`}`
	`1011`	`+#endif /* IPFILTER_IPFS */`
`1008`	`1012`
`1009`	`1013`
`1010`	`1014`	`/* ------------------------------------------------------------------------ */`