From owner-freebsd-current@FreeBSD.ORG Mon May 12 09:52:45 2014
From: Fabian Keil
To: freebsd-current@freebsd.org
Subject: Re: Ordering for network-sensitive rc scripts
Date: Mon, 12 May 2014 11:50:54 +0200
Message-ID: <20140512115054.4fac65dd@fabiankeil.de>
In-Reply-To: <5C90ED2E-4A10-4E2B-9399-292E2FD616E7@FreeBSD.org>
List-Id: Discussions about the use of FreeBSD-current

David Chisnall wrote:

> On 11 May 2014, at 20:23, Adrian Chadd wrote:
>
> > On 11 May 2014 12:01, David Chisnall wrote:
> >> On 17 Apr 2014, at 09:30, Adrian Chadd wrote:
> >>
> >>> Can't we add a devd hook to do that?
> >>
> >> I tried doing this, but it turns out that wlan devices don't appear to send devd LINK_UP / LINK_DOWN events. It would be nice to have a clean solution to this. By default, using the stock rc scripts, my router is currently not able to forward packets from the WiFi until I've logged into it and manually run 'service pf restart', which is a bit crazy. I've hacked around it by having a script run from rc.local that sleeps for 60 seconds and then restarts a few things, but that's really, really ugly.
> >>
> >> On closer inspection, pf doesn't fail silently, it complains about a syntax error in my config file because wlan0 is not a known interface.
> >>
> >> We therefore have an rc ordering problem if you want to use pf and WiFi at the same time. This problem was introduced some time between 9.2 and 10.0.
> >
> > Is there a PR for this? It's the first I've heard of it.
>
> Not yet. This is the result of my investigations as of 10 minutes ago. I'll file a PR, if no one can tell me I'm doing something obviously wrong...

I'm not saying that you did something wrong or shouldn't file a PR,
but on my laptop (11-CURRENT) pf works as expected without service
restarts.

The relevant configuration excerpt:

ext_if = "wlan0"
int_if = "bge0"
jail_if = "lo1"
[...]
nat pass on $ext_if from $int_if:network to any -> $ext_if
nat on $ext_if from $jail_if:network to any -> $ext_if

wlan0 is a wlandev on iwn0. I'm usually using static IP addresses,
but it worked with dynamic IP addresses (and ext_if and int_if
reversed) in the past.

Fabian
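The thread above describes pf refusing its ruleset at boot because wlan0 does not exist yet, and a fixed 60-second sleep in rc.local followed by service restarts as the workaround. The script below is an added example, not code from this message, from David's setup or from FreeBSD's rc scripts: it polls for the interface with a bounded number of tries instead of sleeping blindly, parse-checks the ruleset with `pfctl -n` before touching the running rules, and reloads with `pfctl -f` rather than `service pf restart`. The variable names (`PF_RULES`, `IFACE_PROBE`, `SLEEP_STEP`, `DEMO_COUNTER`), the function names, and the `demo_probe` stand-in with its sample ifconfig output are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc scripts).
# Waits for an interface to exist and carry an IPv4 address, then checks and
# (re)loads the pf ruleset. Meant to be run from rc.local or a custom rc.d
# script instead of a fixed 'sleep 60'.

PF_RULES=${PF_RULES:-/etc/pf.conf}    # ruleset to load (assumed path)
IFACE_PROBE=${IFACE_PROBE:-ifconfig}  # prints an interface's state; overridable
SLEEP_STEP=${SLEEP_STEP:-1}           # seconds between polls

# iface_ready NAME: succeed once NAME exists and has an 'inet ' address line.
# Output is captured (not piped) so a shell-function probe can be substituted.
iface_ready() {
    out=$("$IFACE_PROBE" "$1" 2>/dev/null) || return 1
    case "$out" in
        *"inet "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# wait_for_iface NAME MAX_TRIES: poll up to MAX_TRIES times;
# returns 0 when the interface is ready, 1 on timeout.
wait_for_iface() {
    _name=$1; _limit=$2; _tries=0
    while ! iface_ready "$_name"; do
        _tries=$((_tries + 1))
        [ "$_tries" -lt "$_limit" ] || return 1
        sleep "$SLEEP_STEP"
    done
    return 0
}

# reload_pf_when_up NAME MAX_TRIES: parse-check the ruleset (pfctl -n) and only
# then load it; pfctl -f keeps existing state, unlike a full service restart.
reload_pf_when_up() {
    if wait_for_iface "$1" "$2"; then
        pfctl -nf "$PF_RULES" && pfctl -f "$PF_RULES"
    else
        echo "$1 not up after $2 tries; pf ruleset left untouched" >&2
        return 1
    fi
}

# demo_probe NAME: constructed stand-in for ifconfig so the waiting logic can be
# exercised offline. Reports NAME as absent on the first two calls and as up
# with a constructed address from the third call on. A counter file is used
# because the probe runs inside a command substitution (a subshell).
DEMO_COUNTER=${DEMO_COUNTER:-/tmp/iface_demo_count.$$}
demo_probe() {
    _n=$(cat "$DEMO_COUNTER" 2>/dev/null || echo 0)
    _n=$((_n + 1))
    echo "$_n" > "$DEMO_COUNTER"
    if [ "$_n" -ge 3 ]; then
        echo "$1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500"
        echo "        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255"
        return 0
    fi
    echo "ifconfig: interface $1 does not exist" >&2
    return 1
}

# Real host:  sh waitpf.sh wlan0 60   (60 tries, one second apart)
# With no arguments the script only defines the functions above.
if [ -n "${1:-}" ]; then
    reload_pf_when_up "$1" "${2:-60}"
fi
```

This only tolerates the boot-time race David describes; it does not fix the rc ordering itself, and it still depends on pf's rules being loadable once wlan0 has an address, which is the state Fabian reports his laptop reaching without any restart.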