Date:      Sun, 28 Jan 2007 18:15:29 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-stable@freebsd.org
Cc:        "Bruce M. Simpson" <bms@freebsd.org>, Richard Coleman <rcoleman@criticalmagic.com>, Pete French <petefrench@ticketswitch.com>
Subject:   Re: impossible rc.d ordering problem with stf and pf ?
Message-ID:  <200701281815.37558.max@love2party.net>
In-Reply-To: <45BCC255.3010101@criticalmagic.com>
References:  <E1HAsD1-0004VZ-3B@dilbert.ticketswitch.com> <45BC97E2.4050603@FreeBSD.org> <45BCC255.3010101@criticalmagic.com>

On Sunday 28 January 2007 16:33, Richard Coleman wrote:
> Bruce M. Simpson wrote:
> > Pete French wrote:
> >> Am trying to solve a little problem with 'pf'. I have a ruleset
> >> which has some firewall rules for the IPv6 interface stf0. This
> >> works fine, except when I reboot the machine, as the pf script is
> >> run before the network_ipv6 script - so stf0 does not exist. but I
> >> cannot work out how to arrange for stf0 to be created before the pf
> >> script is run - as network_ipv6 requires 'routing', but the pf
> >> script says it must be run before 'routing', if I am reading the
> >> 'REQUIRE' and 'BEFORE' lines correctly.
> >
> > Just chiming in to confirm that this problem definitely exists.
> > I don't have a solution, however, my IPv6 tunnels at home have all
> > expired, so I may well get spare cycles to look at this the same time
> > that I get spare cycles to revive the tunnels.
> >
> > BMS
>
> Essentially the same problem exists with pf and ppp.  The tun device
> (on which most of my pf rules depend) does not yet exist when pf is
> started.
>
> Apparently, someone has looked at this before, since there are commands
> to resync pf and ipf inside the rc.d script for ppp (in ppp_postcmd).
> But this still doesn't work, since ppp is still negotiating the
> connection when this function is run, so pf fails a second time.  My
> solution was to jam a "sleep 15" inside ppp_postcmd() right before the
> point the commands to reload pf and ipf are run.  It's major ugly, but
> it works.  Hopefully someone will find a better solution to these
> problems.

In order to solve these problems you have to understand why pf is failing.
This can be for three reasons:

1) You use the interface name as address w/o dynamic lookup.  i.e. "...
from stf0 ..."
2) You use "set loginterface stf0"
3) You use the interface with ALTQ "altq on stf0 ..." (now this doesn't
work and wouldn't be a good idea either, but for tun0 it makes slightly
more sense).

To 1 and 2 there is a simple solution: Don't do that then!  1 can easily
be defused by adding parentheses. i.e. "... from (stf0) ...".  If more
control is required you have to write explicit addresses in your
configuration anyway.  2 is made obsolete by "pfctl -vvsI -i stf0" which has
all the counters for all the interfaces.  ALTQ is the only remaining
problem.  I did do some initial patches to tear down altq on interface
removal, which could be extended to work the other way 'round on
interface arrival - if only I had more time :-\

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
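
Added example, not part of Max's mail or of the FreeBSD rc.d scripts: a pf.conf fragment that puts the three forms which fail to load while stf0 does not exist yet beside the forms that load regardless. The interface names, addresses and queue parameters are assumptions chosen for illustration.

```pf
# Added example, not from the original mail: pf.conf for a host whose
# IPv6 tunnel interface stf0 is created by network_ipv6, after pf has
# already loaded its ruleset.  Interface names, addresses and the queue
# parameters below are assumptions for illustration.

# --- Forms that fail at boot while stf0 is absent (kept commented out) ---
# 1) interface name used as an address: pfctl resolves "stf0" to its
#    addresses once, at load time, and there is nothing to resolve yet
# pass in on stf0 inet6 from any to stf0
# 2) loginterface needs the interface to exist at load time
# set loginterface stf0
# 3) ALTQ needs the interface to exist at load time (and, as the mail
#    says, ALTQ on stf0 is not a good idea in the first place)
# altq on stf0 cbq bandwidth 1Mb queue { std }
# queue std bandwidth 100% cbq(default)

# --- Forms that load before stf0 exists ---
# "on stf0" only names the interface a packet must arrive on or leave by;
# pf accepts it for an interface that is not there yet, and the rule
# simply starts matching once stf0 is created.  "(stf0)" in parentheses
# tells pf to look up the interface's addresses dynamically each time the
# rule is evaluated instead of once at load time, so the load succeeds
# and the rule follows the tunnel address as it appears or changes.
pass in  on stf0 inet6 proto ipv6-icmp from any to (stf0)
pass in  on stf0 inet6 proto tcp from any to (stf0) port 22
pass out on stf0 inet6 from (stf0) to any keep state
```

To see the difference, bring the tunnel down and run `pfctl -nf /etc/pf.conf`: with any of the commented lines enabled the parse fails, with only the parenthesised forms it succeeds. The per-interface counters that `set loginterface` used to provide come from `pfctl -vvsI -i stf0`, as the mail says, once the interface exists.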

