diff options
| author | Doug Rabson <dfr@FreeBSD.org> | 2023-06-20 13:01:58 +0000 |
|---|---|---|
| committer | Doug Rabson <dfr@FreeBSD.org> | 2023-06-20 14:34:01 +0000 |
| commit | 3a1f834b5228986a7c14fd60da13cf2700e80996 (patch) | |
| tree | 3781ceb4f498ec3391389411b8594fa1477a9210 /UPDATING | |
| parent | 9aca30d87804b9b9f646f9ef3ad5ae6af81fd40a (diff) | |
| download | src-3a1f834b5228986a7c14fd60da13cf2700e80996.tar.gz src-3a1f834b5228986a7c14fd60da13cf2700e80996.zip | |
pf: Add code to enable filtering for locally delivered packets
This is disabled by default since it potentially changes the behavior of
existing filter rule sets. To enable this extra filter for packets being
delivered locally, use:
sysctl net.pf.filter_local=1
service pf restart
PR: 268717
Reviewed-by: kp
MFC-after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D40373
Diffstat (limited to 'UPDATING')
| -rw-r--r-- | UPDATING | 12 |
1 files changed, 12 insertions, 0 deletions
@@ -27,6 +27,18 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW: world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20230619: + To enable pf rdr rules for connections initiated from the host, pf + filter rules can be optionally enabled for packets delivered + locally. This can change the behavior of rules which match packets + delivered to lo0. To enable this feature: + + sysctl net.pf.filter_local=1 + service pf restart + + When enabled, its best to ensure that packets delivered locally are not + filtered, e.g. by adding a 'skip on lo' rule. + 20230613: Improvements to libtacplus(8) mean that tacplus.conf(5) now follows POSIX shell syntax rules. This may cause TACACS+ |