author: John Baldwin <jhb@FreeBSD.org> 2009-05-18 20:23:16 +0000
committer: John Baldwin <jhb@FreeBSD.org> 2009-05-18 20:23:16 +0000
commit: 277068bff114b39bf890910597525b43669f096f (patch)
tree: da27d0ffe7a445c9dfe919d42be251044a49adaf /sys/netinet
parent: ea58be2ff4cd9d3e6910e6d9efee96214a36a5c2 (diff)
1 files changed, 9 insertions, 5 deletions
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 28647e1458a5..18093f7d0de0 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -111,6 +111,11 @@ static int fw_verbose;
 static struct callout ipfw_timeout;
 static int verbose_limit;
 
+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
+static int default_to_accept = 1;
+#else
+static int default_to_accept;
+#endif
 static uma_zone_t ipfw_dyn_rule_zone;
 
 /*
@@ -170,6 +175,9 @@ SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, default_rule, CTLFLAG_RD,
     NULL, IPFW_DEFAULT_RULE, "The default/max possible rule number.");
 SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, tables_max, CTLFLAG_RD,
     NULL, IPFW_TABLES_MAX, "The maximum number of tables.");
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, default_to_accept, CTLFLAG_RDTUN,
+    &default_to_accept, 0, "Make the default rule accept all packets.");
+TUNABLE_INT("net.inet.ip.fw.default_to_accept", &default_to_accept);
 #endif /* SYSCTL_NODE */
 
 /*
@@ -4514,11 +4522,7 @@ ipfw_init(void)
 	default_rule.set = RESVD_SET;
 
 	default_rule.cmd[0].len = 1;
-	default_rule.cmd[0].opcode =
-#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
-				1 ? O_ACCEPT :
-#endif
-				O_DENY;
+	default_rule.cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;
 
 	error = add_rule(&layer3_chain, &default_rule);
 	if (error != 0) {
author	John Baldwin <jhb@FreeBSD.org>	2009-05-18 20:23:16 +0000
committer	John Baldwin <jhb@FreeBSD.org>	2009-05-18 20:23:16 +0000
commit	277068bff114b39bf890910597525b43669f096f (patch)
tree	da27d0ffe7a445c9dfe919d42be251044a49adaf /sys/netinet
parent	ea58be2ff4cd9d3e6910e6d9efee96214a36a5c2 (diff)