From owner-freebsd-net@freebsd.org  Tue Aug 18 11:35:35 2015
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4E9519BC4A7
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Tue, 18 Aug 2015 11:35:35 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
 by mx1.freebsd.org (Postfix) with ESMTP id 8F58AEDE
 for <freebsd-net@FreeBSD.org>; Tue, 18 Aug 2015 11:35:34 +0000 (UTC)
 (envelope-from avg@FreeBSD.org)
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua
 [212.40.38.100])
 by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id OAA25347;
 Tue, 18 Aug 2015 14:35:31 +0300 (EEST)
 (envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1])
 by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD))
 id 1ZRfAw-0009GY-M5; Tue, 18 Aug 2015 14:35:30 +0300
Subject: Re: pf and new interface
To: wishmaster <artemrts@ukr.net>
References: <55D2E9B3.2040301@FreeBSD.org>
 <1439896563.102588062.s8ouf3nc@frv34.fwdcdn.com>
Cc: freebsd-net@FreeBSD.org
From: Andriy Gapon <avg@FreeBSD.org>
Message-ID: <55D3184B.7050200@FreeBSD.org>
Date: Tue, 18 Aug 2015 14:34:35 +0300
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <1439896563.102588062.s8ouf3nc@frv34.fwdcdn.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2015 11:35:35 -0000

On 18/08/2015 14:18, wishmaster wrote:
>  --- Original message ---
> From: "Andriy Gapon" <avg@freebsd.org>
> Date: 18 August 2015, 14:05:15
> 
>  
>> I have the following rule in pf.conf:
>> set skip on tap
>> and even the following one:
>> set skip on tap0
>>
>> The rules are loaded at the system start-up time, but the tap interface
>> may not be created until much later.  When tap0 is first created the
>> skip rules are not applied to it and the traffic gets filtered.  If I
>> reload the pf configuration, then the rules start working.
>>
>> Is there a way to make pf honor such rules for the dynamic interfaces?Hi,
> 
> You should do it in your application, e.g. in mpd this is something like below
> 
>         set iface up-script /usr/local/etc/mpd5/link_up.sh
>         set iface down-script /usr/local/etc/mpd5/link_down.sh
> 
> in openvpn - see manuals.

That's a good suggestion.  But how to add a single rule for pf?
Reloading the whole configuration is disruptive to existing connections.

-- 
Andriy Gapon