Index: libexec/rc/rc.conf
===================================================================
--- libexec/rc/rc.conf
+++ libexec/rc/rc.conf
@@ -224,6 +224,11 @@
 # by default)
 pf_program="/sbin/pfctl" # where the pfctl program lives
 pf_flags="" # additional flags for pfctl
+pf_fallback_rules_enable="NO" # fallback if loading ruleset fails
+pf_fallback_rules="block drop log all" # rules to load on pf ruleset failure
+#pf_fallback_rules="block drop log all
+#pass quick on em4" # multi-rule
+pf_fallback_rules_file="/etc/pf-fallback.conf" # rules file on ruleset failure
 pflog_enable="NO" # Set to YES to enable packet filter logging
 pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
 pflog_program="/sbin/pflogd" # where the pflogd program lives
Index: libexec/rc/rc.d/pf
===================================================================
--- libexec/rc/rc.d/pf
+++ libexec/rc/rc.d/pf
@@ -23,11 +23,28 @@
 required_files="$pf_rules"
 required_modules="pf"
 
+pf_fallback()
+{
+ warn "Unable to load $pf_rules."
+
+ if ! checkyesno pf_fallback_rules_enable; then
+ return
+ fi
+
+ if [ -f $pf_fallback_rules_file ]; then
+ warn "Loading fallback rules file: $pf_fallback_rules_file"
+ $pf_program -f "$pf_fallback_rules_file" $pf_flags
+ else
+ warn "Loading fallback rules: $pf_fallback_rules"
+ echo $pf_fallback_rules | $pf_program -f - $pf_flags
+ fi
+}
+
 pf_start()
 {
 check_startmsgs && echo -n 'Enabling pf'
 $pf_program -F all > /dev/null 2>&1
- $pf_program -f "$pf_rules" $pf_flags
+ $pf_program -f "$pf_rules" $pf_flags || pf_fallback
 if ! $pf_program -s info | grep -q "Enabled" ; then
 $pf_program -eq
 fi
Index: share/man/man5/rc.conf.5
===================================================================
--- share/man/man5/rc.conf.5
+++ share/man/man5/rc.conf.5
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd May 13, 2021
+.Dd June 11, 2021
 .Dt RC.CONF 5
 .Os
 .Sh NAME
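Review bot: The commented multi-rule example added to rc.conf (`#pf_fallback_rules="block drop log all` / `#pass quick on em4" # multi-rule`) does not match the example the same commit adds to rc.conf.5 (`pass in quick on em0`, written with backslash continuations); the two should show the same rules in the same quoting form so an administrator copying either one gets what the other documents. The comment on `pf_fallback_rules` would also benefit from saying that the default is deliberately fail-closed, e.g. `# rules to load on pf ruleset failure (default blocks all traffic)`, since a value emptied by mistake would presumably have pfctl load an empty ruleset and pf then enabled with no rules.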
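Review bot: `echo $pf_fallback_rules` in pf_fallback loses the newlines of a multi-rule value, because the unquoted expansion is word-split on newlines and echo rejoins the words with single spaces, so the multi-rule form this commit documents in rc.conf and rc.conf.5 reaches pfctl as one line and will not parse; use `printf '%s\n' "$pf_fallback_rules" | $pf_program -f - $pf_flags`. The file test two lines above should be quoted too, `if [ -f "$pf_fallback_rules_file" ]; then`, matching the quoted use of the same variable on the next line. The result of the fallback load is also never checked: if it fails, pf_fallback returns success, pf_start proceeds to `$pf_program -eq`, and pf is enabled on a ruleset that `-F all` has already flushed, so ending both branches with `|| return 1` and reporting the failure in pf_start would make that state visible in the log. pf_start continues past the end of the hunk.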
@@ -988,6 +988,42 @@
 these flags are passed to the
 .Xr pfctl 8
 program when loading the ruleset.
+.It Va pf_fallback_rules_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables loading
+.Va pf_fallback_rules_file
+or
+.Va pf_fallback_rules
+in case of a problem when loading the ruleset in
+.Va pf_rules .
+.It Va pf_fallback_rules_file
+.Pq Vt str
+Path to a pf ruleset to load in case of failure when loading the
+ruleset in
+.Va pf_rules
+(default
+.Pa /etc/pf-fallback.conf ) .
+.It Va pf_fallback_rules
+.Pq Vt str
+A pf ruleset to load in case of failure when loading the ruleset in
+.Va pf_rules
+and
+.Va pf_fallback_rules_file
+is not found.
+Multiple rules can be set as follows:
+.Bd -literal
+pf_fallback_rules="\\
+ block drop log all\\
+ pass in quick on em0"
+.Pp
+.Ed
+The default fallback rule is
+.Dq block drop log all
 .It Va pflog_enable
 .Pq Vt bool
 Set to