Page MenuHomeFreeBSD

pf: fallback if $pf_rules fails to load

Authored by kp on Jun 16 2021, 8:39 PM.



Support loading a default pf ruleset in case of invalid pf.conf.

If no pf rules are loaded pf will pass/allow all traffic, assuming the
kernel is compiled without PF_DEFAULT_TO_DROP, as is the case in

In other words: if there's a typo in the main pf_rules we would allow
all traffic. The new default rules minimise the impact of this.

If $pf_program (i.e. pfctl) fails to set $pf_fules and
$pf_default_rules_enable is YES we will load $pf_default_rules_file if
set, or $pf_default_rules.

$pf_default_rules can include multiple rules, for example to permit
traffic on a management interface. Seperate multiple rules with \n:

$ sudo sysrc pf_default_rules
pf_default_rules: block drop log all\npass quick on em0

pf_default_rules_enable defaults to "NO", preserving historic behaviour.

man page changes by ceri@.

PR: 256410
Sponsored by:

Diff Detail

rG FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kp requested review of this revision.Jun 16 2021, 8:39 PM
donner added inline comments.

I feel bad with echo -e in order to generate multiple lines.
You may have a look at if_aliases. Why not simply

  block drop lock all
  pass quick on em0

The common idiom is
$pf_program -f "$pg_rules" $pf_flags || pf_fallback

bcr added a subscriber: bcr.

Manpage looks good.

  • fix remarks

Thanks, those are all improvements.

This revision is now accepted and ready to land.Jun 18 2021, 7:07 PM
This revision was automatically updated to reflect the committed changes.