From: wishmaster <artemrts@ukr.net>
Subject: Re[2]: pf and new interface
To: Andriy Gapon
Cc: freebsd-net@freebsd.org
Date: Tue, 18 Aug 2015 14:55:29 +0300
Message-Id: <1439898859.98223622.d5j81kl5@frv34.fwdcdn.com>
In-Reply-To: <55D3184B.7050200@FreeBSD.org>
References: <55D2E9B3.2040301@FreeBSD.org> <1439896563.102588062.s8ouf3nc@frv34.fwdcdn.com> <55D3184B.7050200@FreeBSD.org>
List-Id: Networking and TCP/IP with FreeBSD

--- Original message ---
From: "Andriy Gapon"
Date: 18 August 2015, 14:35:36

> On 18/08/2015 14:18, wishmaster wrote:
> > --- Original message ---
> > From: "Andriy Gapon"
> > Date: 18 August 2015, 14:05:15
> >
> >> I have the following rule in pf.conf:
> >> set skip on tap
> >> and even the following one:
> >> set skip on tap0
> >>
> >> The rules are loaded at the system start-up time, but the tap interface
> >> may not be created until much later. When tap0 is first created the
> >> skip rules are not applied to it and the traffic gets filtered. If I
> >> reload the pf configuration, then the rules start working.
> >>
> >> Is there a way to make pf honor such rules for the dynamic interfaces?
> >
> > Hi,
> >
> > You should do it in your application, e.g. in mpd this is something like below
> >
> > set iface up-script /usr/local/etc/mpd5/link_up.sh
> > set iface down-script /usr/local/etc/mpd5/link_down.sh
> >
> > in openvpn - see manuals.
>
> That's a good suggestion. But how to add a single rule for pf?
> Reloading the whole configuration is disruptive to existing connections.

Use anchors. Small example:

# VPN Interface Up Script
#
# Script is called like this:
#
#   script interface proto local-ip remote-ip authname
#          $1        $2    $3       $4        $5
#

# in pf.conf: one wildcard anchor that every per-interface sub-anchor hangs under
anchor "ng-int/*"

# less if-up.sh
#!/bin/sh
# load a single "pass quick" rule into the sub-anchor named after the interface
echo "pass quick on $1 all" | pfctl -a "ng-int/$1" -f -

# less if-down.sh
#!/bin/sh
# flush only that interface's sub-anchor; the main ruleset is untouched
pfctl -a "ng-int/$1" -F rules
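The anchor approach above, written out as an added example rather than the poster's own scripts: the up and down actions become two functions that share one anchor path, and the interface name handed in by mpd is checked before it is spliced into a pfctl anchor path (a name containing "/" or ".." would otherwise address a different anchor). The "ng-int" anchor base and the per-interface "pass quick" rule come from the post; the validation pattern, the PF_DRY_RUN variable (which prints the pfctl command instead of running it, so the logic can be exercised on a host without pf) and the "ng0" sample name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumes pf.conf contains
# `anchor "ng-int/*"` and that mpd passes the interface name as $1.

ANCHOR_BASE="ng-int"

# Accept only conservative interface names: a letter followed by letters,
# digits, '_' or '.', and never '..' (pf anchor paths are '/'-separated,
# so anything that could change the path is refused). Assumed pattern.
valid_ifname() {
    case "$1" in
        '' | *[!A-Za-z0-9_.]* | *..*) return 1 ;;
        [0-9]* | .*) return 1 ;;
    esac
    return 0
}

# Sub-anchor for one interface, e.g. ng-int/ng0
anchor_path() {
    printf '%s/%s\n' "$ANCHOR_BASE" "$1"
}

# Rule text loaded into that sub-anchor (the same rule the post uses)
iface_rules() {
    printf 'pass quick on %s all\n' "$1"
}

# Run pfctl, or with PF_DRY_RUN=1 (assumed variable) print the command instead
run_pfctl() {
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        printf 'pfctl %s\n' "$*"
    else
        pfctl "$@"
    fi
}

# Link-up handler: install the interface's rule without touching the main ruleset
iface_up() {
    valid_ifname "$1" || { echo "iface_up: refusing interface name '$1'" >&2; return 2; }
    iface_rules "$1" | run_pfctl -a "$(anchor_path "$1")" -f -
}

# Link-down handler: flush only this interface's sub-anchor
iface_down() {
    valid_ifname "$1" || { echo "iface_down: refusing interface name '$1'" >&2; return 2; }
    run_pfctl -a "$(anchor_path "$1")" -F rules
}

# Dispatch so the same file can serve as both up- and down-script:
#   pf-anchor.sh up ng0      pf-anchor.sh down ng0
case "${1:-}" in
    up)   iface_up "$2" ;;
    down) iface_down "$2" ;;
esac
```

Because each interface gets its own sub-anchor, bringing one link up or down never reloads the main ruleset, so established state for other connections is left alone, which is the property the thread is after.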