Date: Tue, 18 Aug 2015 14:55:29 +0300
From: wishmaster <artemrts@ukr.net>
To: Andriy Gapon <avg@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re[2]: pf and new interface
Message-ID: <1439898859.98223622.d5j81kl5@frv34.fwdcdn.com>
In-Reply-To: <55D3184B.7050200@FreeBSD.org>
References: <55D2E9B3.2040301@FreeBSD.org> <1439896563.102588062.s8ouf3nc@frv34.fwdcdn.com> <55D3184B.7050200@FreeBSD.org>
--- Original message ---
From: "Andriy Gapon" <avg@freebsd.org>
Date: 18 August 2015, 14:35:36

> On 18/08/2015 14:18, wishmaster wrote:
> > --- Original message ---
> > From: "Andriy Gapon"
> > Date: 18 August 2015, 14:05:15
> >
> >
> >> I have the following rule in pf.conf:
> >> set skip on tap
> >> and even the following one:
> >> set skip on tap0
> >>
> >> The rules are loaded at the system start-up time, but the tap interface
> >> may not be created until much later. When tap0 is first created the
> >> skip rules are not applied to it and the traffic gets filtered. If I
> >> reload the pf configuration, then the rules start working.
> >>
> >> Is there a way to make pf honor such rules for the dynamic interfaces?
> >
> > Hi,
> >
> > You should do it in your application, e.g. in mpd this is something like below
> >
> > set iface up-script /usr/local/etc/mpd5/link_up.sh
> > set iface down-script /usr/local/etc/mpd5/link_down.sh
> >
> > in openvpn - see manuals.
>
> That's a good suggestion. But how to add a single rule for pf?
> Reloading the whole configuration is disruptive to existing connections.

Use anchors. Small example:

# VPN Interface Up Script
#
# Script is called like this:
#
# script interface proto local-ip remote-ip authname
#        $1        $2    $3       $4        $5
#

anchor "ng-int/*"

# less if-up.sh
#!/bin/sh
echo "pass quick on $1 all" | pfctl -a ng-int/$1 -f -

# less if-down.sh
#!/bin/sh
pfctl -a ng-int/$1 -F rules
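The up/down scripts in the reply above, written out as an added example that is not part of the thread. It goes one step beyond the posted scripts: the interface name handed in as $1 is checked against a plain-name pattern before it is spliced into the anchor path and the rule text, since that name is the only input the scripts take from outside. It assumes the main pf.conf carries the `anchor "ng-int/*"` line shown in the reply, and it reads the pfctl binary from the PFCTL variable (defaulting to `echo pfctl`, a dry run, so the functions can be exercised on a host without pf).

```sh
#!/bin/sh
# Added example, not code from the thread. Per-interface pf anchor rules for
# interfaces that appear after pf.conf was loaded (mpd, openvpn, tap, ...).
# Assumed: pf.conf contains   anchor "ng-int/*"
# PFCTL defaults to a dry-run echo; set PFCTL=/sbin/pfctl for real use.
PFCTL="${PFCTL:-echo pfctl}"
ANCHOR_BASE="ng-int"

# Accept only plain interface names (letters, digits, dot, underscore) so a
# caller-supplied name cannot add extra tokens to the rule or the anchor path.
valid_ifname() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The single rule the up-script loads into the interface's sub-anchor.
rule_for() {
    printf 'pass quick on %s all\n' "$1"
}

# Load the rule into ng-int/<ifname>. Only that sub-anchor is replaced, so the
# main ruleset and the state table are left untouched (no full reload).
iface_up() {
    valid_ifname "$1" || { echo "refusing interface name: $1" >&2; return 1; }
    rule_for "$1" | $PFCTL -a "$ANCHOR_BASE/$1" -f -
}

# Flush that sub-anchor's rules when the interface goes away.
iface_down() {
    valid_ifname "$1" || { echo "refusing interface name: $1" >&2; return 1; }
    $PFCTL -a "$ANCHOR_BASE/$1" -F rules
}

# Stand-alone use: ./if-anchor.sh up ng0   /   ./if-anchor.sh down ng0
case "${1:-}" in
    up)   iface_up "$2" ;;
    down) iface_down "$2" ;;
esac
```

With PFCTL left at its default, `iface_up ng0` prints `pfctl -a ng-int/ng0 -f -` instead of touching pf, which makes the generated invocation easy to review before the script is wired into mpd's up-script and down-script hooks.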