[rtems-libbsd commit] libbsd.txt: Move PF description
Sebastian Huber
sebh at rtems.org
Wed May 25 06:05:24 UTC 2022
Module: rtems-libbsd
Branch: 6-freebsd-12
Commit: 5a97d503616fe12b8df154d46cacfa386a6d33e3
Changeset: http://git.rtems.org/rtems-libbsd/commit/?id=5a97d503616fe12b8df154d46cacfa386a6d33e3
Author: Sebastian Huber <sebastian.huber at embedded-brains.de>
Date: Mon May 23 15:21:17 2022 +0200
libbsd.txt: Move PF description
---
README.rst | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
diff --git a/README.rst b/README.rst
index a0bc163c..440fc3ba 100644
--- a/README.rst
+++ b/README.rst
@@ -396,6 +396,58 @@ HOSTNAME(1)
resolver instance. See also ``rtems_mdns_sethostname()`` and
``rtems_mdns_gethostname()``.
+Packet Filter (PF, Firewall)
+============================
+
+It is possible to use PF as a firewall. See the
+`FreeBSD Handbook <https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-pf>`_
+for details on the range of functions and for how to configure the firewall.
+
+Configuration
+-------------
+
+The following is necessary to use PF on RTEMS:
+
+* You have to provide a ``/etc/pf.os`` file. The firewall can use it for passive
+ OS fingerprinting. If you don't want to use this feature, the file may contain
+ nothing except a line of comment (for example "# empty").
+
+* If some filters use protocol names (like ``tcp`` or ``udp``) you have to provide a
+ ``/etc/protocols`` file.
+
+* If some filters use service names (like ``http`` or ``https``) you have to provide a
+ ``/etc/services`` file.
+
+* Create a rule file (normally ``/etc/pf.conf``). See the FreeBSD manual for the
+ syntax.
+
+* Load the rule file using the
+ `pfctl <http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8>`_
+ command and enable PF. Please note that the pfctl command needs a lot of
+ stack. You should use at least RTEMS_MINIMUM_STACK_SIZE + 8192 Bytes of
+ stack. An example initialisation can look like follows:
+
+ .. code-block:: c
+
+ int exit_code;
+ char *argv[] = {
+ "pfctl",
+ "-f",
+ "/etc/pf.conf",
+ "-e",
+ NULL
+ };
+
+ exit_code = rtems_bsd_command_pfctl(ARGC(argv), argv);
+ assert(exit_code == EXIT_SUCCSESS);
+
+Known Restrictions
+------------------
+
+Currently, PF on RTEMS always uses the configuration for memory restricted
+systems (on FreeBSD that means systems with less than 100 MB RAM). This is
+fixed in ``pfctl_init_options()``.
+
Updating RTEMS Waf Support
==========================
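Review bot: the C code-block in the new Configuration section contains a typo, ``assert(exit_code == EXIT_SUCCSESS);`` should read ``assert(exit_code == EXIT_SUCCESS);``; as written the example does not compile, so anyone copying it into their initialisation code hits a build error. The same example calls ``ARGC(argv)`` without showing where that macro comes from and assumes ``<assert.h>`` and ``<stdlib.h>`` are included; either add the includes and a one-line definition such as ``#define ARGC(a) (sizeof(a) / sizeof((a)[0]) - 1)`` (the trailing ``NULL`` must not be counted), or replace it with the explicit argument count. Two smaller points in the surrounding prose: ``RTEMS_MINIMUM_STACK_SIZE + 8192 Bytes`` should be ``bytes``, and the ``pfctl`` manual link uses ``http://`` where the Handbook link above it already uses ``https://``.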