[rtems-libbsd commit] libbsd.txt: Add section describing PF.
Sebastian Huber
sebh at rtems.org
Tue Aug 2 11:21:59 UTC 2016
Module: rtems-libbsd
Branch: master
Commit: f1941b2b828e2e3f652e3702c729e83db60850f3
Changeset: http://git.rtems.org/rtems-libbsd/commit/?id=f1941b2b828e2e3f652e3702c729e83db60850f3
Author: Christian Mauderer <Christian.Mauderer at embedded-brains.de>
Date: Tue Jul 12 13:41:39 2016 +0200
libbsd.txt: Add section describing PF.
---
libbsd.txt | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/libbsd.txt b/libbsd.txt
index 1278ebc..60a1b55 100644
--- a/libbsd.txt
+++ b/libbsd.txt
@@ -1326,6 +1326,50 @@ enabled from the shell with:
or with an ioctl call to the network interface driver with SIOCSIFCAP and the
mask IFCAP_TXCSUM and IFCAP_RXCSUM set.
+== PF (Firewall) ==
+
+It is possible to use PF as a firewall. See
+[https://www.freebsd.org/doc/handbook/firewalls-pf.html] for details on the
+range of functions and for how to configure the firewall.
+
+The following is necessary to use PF on RTEMS:
+
+- You have to provide a +/etc/pf.os+ file. The firewall can use it for passive
+ OS fingerprinting. If you don't want to use this feature, the file may contain
+ nothing except a line of comment (for example "# empty").
+
+- If some filters use protocol names (like tcp or udp) you have to provide a
+ +/etc/protocols+ file.
+
+- If some filters use service names (like ssh or http) you have to provide a
+ +/etc/services+ file.
+
+- Create a rule file (normally +/etc/pf.conf+). See the FreeBSD manual for the
+ syntax.
+
+- Load the rule file using the pfctl command and enable pf. An example
+ initialisation can look like follows:
+
+----
+ int exit_code;
+ char *params[] = {
+ "pfctl",
+ "-f",
+ "/etc/pf.conf",
+ "-e",
+ NULL
+ };
+
+ exit_code = rtems_bsd_command_pfctl(ARGC(params), params);
+ assert(exit_code == EXIT_SUCCSESS);
+----
+
+=== Known restrictions ===
+
+- Currently PF on RTEMS always uses the configuration for memory restricted
+ systems (on FreeBSD that means systems with less than 100 MB RAM). This is
+ fixed in +pfctl_init_options()+.
+
== Problems to report to FreeBSD ==
The MMAP_NOT_AVAILABLE define is inverted on its usage. When it is
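Review bot: the example in the new "PF (Firewall)" section will not compile as written: `EXIT_SUCCSESS` on the `assert` line is a typo for `EXIT_SUCCESS`, and `ARGC(params)` is used without saying where that macro comes from or which headers (`<assert.h>`, `<stdlib.h>`) the snippet needs. Since readers will copy this block into their initialisation code, consider also checking the `pfctl` exit code with an explicit test rather than only `assert()`, because with `NDEBUG` defined the assertion disappears and a failed `-f /etc/pf.conf -e` would leave the system running with no filter rules loaded and PF disabled, silently; something like `if (exit_code != EXIT_SUCCESS) { /* handle: PF not enabled */ }` makes that failure mode visible. Two smaller points in the same hunk: "can look like follows" should read "can look as follows", and the "Known restrictions" item says the memory-restricted configuration "is fixed in `pfctl_init_options()`", where "hard-coded in" would be clearer than "fixed in", which reads as if the limitation had been resolved.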