From: "Rodney W. Grimes"
Reply-To: rgrimes@freebsd.org
To: Pawel Biernacki
CC: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r366537 - head/libexec/rc/rc.d
Date: Thu, 8 Oct 2020 19:17:51 -0700 (PDT)
Message-Id: <202010090217.0992HpT9009694@gndrsh.dnsmgr.net>
In-Reply-To: <202010081145.098BjBun018733@repo.freebsd.org>

> Author: kaktus
> Date: Thu Oct 8 11:45:10 2020
> New Revision: 366537
> URL: https://svnweb.freebsd.org/changeset/base/366537
>
> Log:
>   [pf] /etc/rc.d/pf should REQUIRE routing
>
>   When a system with pf_enable="YES" in /etc/rc.conf uses hostnames in
>   /etc/pf.conf, these hostnames cannot be resolved via external nameservers
>   because the default route is not yet set. This results in an empty
>   (all open) ruleset.

Use of hostnames in pf, or any firewall for that matter, tends to make my hair stand on end, unless those hostnames resolve via /etc/hosts or a link-local resolver.

>
>   Since r195026 already put netif back to REQUIRE, this change does not affect
>   the issue that the firewall should rather have been set up before any
>   network traffic can occur.

This will cause any system that requires pf rules before routing can work to fail, aka almost any real router running a real routing protocol will now fail or have issues during route daemon start-up, as without firewall rules the default is to deny the routing protocol packets. This should be reverted, or at least made knobable in some way.

>
>   PR:                211928
>   Submitted by:      Robert Schulze
>   Reported by:       Robert Schulze
>   Tested by:         Mateusz Kwiatkowski
>   No objections from: kp
>   MFC after:         3 days
>
> Modified:
>   head/libexec/rc/rc.d/pf
>
> Modified: head/libexec/rc/rc.d/pf
> ==============================================================================
> --- head/libexec/rc/rc.d/pf	Thu Oct 8 11:30:22 2020	(r366536)
> +++ head/libexec/rc/rc.d/pf	Thu Oct 8 11:45:10 2020	(r366537)
> @@ -4,8 +4,7 @@
> #
>
> # PROVIDE: pf
> -# REQUIRE: FILESYSTEMS netif pflog pfsync
> -# BEFORE: routing
> +# REQUIRE: FILESYSTEMS netif pflog pfsync routing
> # KEYWORD: nojailvnet
>
> . /etc/rc.subr

-- 
Rod Grimes                                                 rgrimes@freebsd.org
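Review bot: Dropping `BEFORE: routing` and appending `routing` to `REQUIRE` in the `@@ -4,8 +4,7 @@` hunk trades one failure mode for another: pf now waits for static routes and the default route, so everything that `routing` (and anything ordered after it) does runs against an empty, all-open ruleset, which is exactly the routing-daemon case the reply raises, while the old ordering broke only configurations that put externally resolved hostnames in /etc/pf.conf. The commit log should state this trade-off explicitly and the change should come with the knob the reply asks for, or, failing that, with documentation that hostnames in /etc/pf.conf must resolve via /etc/hosts rather than an external nameserver under the pre-change ordering.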
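As an added example, not code from this thread or from FreeBSD's rc.d scripts: a small POSIX sh check for the risk both the commit log and the reply describe, hostnames in /etc/pf.conf that can only resolve once the default route is up. It flags dotted hostnames in a pf.conf that have no entry in the given hosts file (the /etc/hosts case the reply exempts); the sample pf.conf and hosts file below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from rc.d): list hostnames in a pf.conf
# that would need a working resolver, and therefore a default route, at ruleset
# load time, i.e. dotted names with no entry in the given hosts file.
# Heuristic: after dropping comments, a token shaped like a dotted host name
# whose last label is alphabetic. Macros ($x), tables (<x>), IPs and CIDR
# prefixes never match; single-label names such as "mailhost" are not caught.
pf_hostnames_needing_dns() {
    conf="$1"
    hosts="$2"
    sed -e 's/#.*//' "$conf" \
      | tr '{},()!' '      ' \
      | tr -s ' \t' '\n\n' \
      | grep -E '^[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z][A-Za-z]+$' \
      | sort -u \
      | while read -r name; do
            # a name the local hosts file answers does not depend on the network
            if awk -v n="$name" \
                 '$0 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                  END { exit !found }' "$hosts"; then
                continue
            fi
            printf '%s\n' "$name"
        done
}

# Constructed sample input: one name covered by the hosts file, one that is not.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/pf.conf" <<'EOF'
ext_if = "em0"
table <bogons> persist file "/etc/bogons"
block in all
pass out on $ext_if from any to { mail.example.com, 192.0.2.0/24 }
pass in on $ext_if proto tcp from ntp.example.org to ($ext_if) port 123
pass in from <bogons> to any   # tables need no DNS at load time
EOF
cat > "$DEMO_DIR/hosts" <<'EOF'
127.0.0.1       localhost
192.0.2.10      mail.example.com mail
EOF

pf_hostnames_needing_dns "$DEMO_DIR/pf.conf" "$DEMO_DIR/hosts"
```

Only ntp.example.org is reported for the sample, since mail.example.com resolves from the hosts file without any route being up.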