author: Sebastian Huber <sebastian.huber@embedded-brains.de> 2022-05-23 15:21:17 +0200
committer: Sebastian Huber <sebastian.huber@embedded-brains.de> 2022-05-25 08:06:57 +0200
commit: 5a97d503616fe12b8df154d46cacfa386a6d33e3 (patch)
tree: 7681693bdc2e3a19b8889fb1cdcd21ac34ea2c98
parent: libbsd.txt: Move ported kernel features (diff)
download: rtems-libbsd-5a97d503616fe12b8df154d46cacfa386a6d33e3.tar.bz2
libbsd.txt: Move PF description
-rw-r--r-- README.rst 52
1 file changed, 52 insertions, 0 deletions
diff --git a/README.rst b/README.rst
index a0bc163c..440fc3ba 100644
--- a/README.rst
+++ b/README.rst
@@ -396,6 +396,58 @@ HOSTNAME(1)
resolver instance. See also ``rtems_mdns_sethostname()`` and
``rtems_mdns_gethostname()``.
+Packet Filter (PF, Firewall)
+============================
+
+It is possible to use PF as a firewall. See the
+`FreeBSD Handbook <https://docs.freebsd.org/en/books/handbook/firewalls/#firewalls-pf>`_
+for details on the range of functions and for how to configure the firewall.
+
+Configuration
+-------------
+
+The following is necessary to use PF on RTEMS:
+
+* You have to provide a ``/etc/pf.os`` file. The firewall can use it for passive
+ OS fingerprinting. If you don't want to use this feature, the file may contain
+ nothing except a line of comment (for example "# empty").
+
+* If some filters use protocol names (like ``tcp`` or ``udp``) you have to provide a
+ ``/etc/protocols`` file.
+
+* If some filters use service names (like ``http`` or ``https``) you have to provide a
+ ``/etc/services`` file.
+
+* Create a rule file (normally ``/etc/pf.conf``). See the FreeBSD manual for the
+ syntax.
+
+* Load the rule file using the
+ `pfctl <http://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8>`_
+ command and enable PF. Please note that the pfctl command needs a lot of
+ stack. You should use at least RTEMS_MINIMUM_STACK_SIZE + 8192 Bytes of
+ stack. An example initialisation can look like follows:
+
+ .. code-block:: c
+
+ int exit_code;
+ char *argv[] = {
+ "pfctl",
+ "-f",
+ "/etc/pf.conf",
+ "-e",
+ NULL
+ };
+
+ exit_code = rtems_bsd_command_pfctl(ARGC(argv), argv);
+ assert(exit_code == EXIT_SUCCSESS);
+
+Known Restrictions
+------------------
+
+Currently, PF on RTEMS always uses the configuration for memory restricted
+systems (on FreeBSD that means systems with less than 100 MB RAM). This is
+fixed in ``pfctl_init_options()``.
+
Updating RTEMS Waf Support
==========================
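Review bot: the C example in this hunk does not compile as written: `assert(exit_code == EXIT_SUCCSESS);` misspells `EXIT_SUCCESS`, so the one line meant to confirm that the ruleset was loaded and PF enabled is itself broken. Beyond the typo, `assert` is compiled out under `NDEBUG`, and then a failing `pfctl -f /etc/pf.conf -e` (a missing `/etc/pf.conf`, a syntax error in the rules, or an absent `/etc/pf.os`, `/etc/protocols` or `/etc/services`, which the Configuration list itself says are required) leaves the system up with no firewall at all. Suggest an explicit check that refuses to continue, for example `if (exit_code != EXIT_SUCCESS) { /* do not bring networking up unfiltered */ }`, and a sentence next to the example noting that `ARGC()` is a helper macro not defined in this document and that `-e` is what actually switches filtering on; `-f` alone only loads the rules. Two smaller documentation points: the Known Restrictions paragraph says the memory-restricted configuration "is fixed in `pfctl_init_options()`", which reads as if the restriction had been resolved; "hard-coded in" is what is meant. And the pfctl link uses `http://`; `https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8` avoids sending readers over plain HTTP.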