From: Andriy Gapon <avg@FreeBSD.org>
To: wishmaster
Cc: freebsd-net@FreeBSD.org
Subject: Re: pf and new interface
Date: Tue, 18 Aug 2015 15:50:45 +0300
Message-ID: <55D32A25.8070001@FreeBSD.org>
In-Reply-To: <1439898859.98223622.d5j81kl5@frv34.fwdcdn.com>
List-Id: Networking and TCP/IP with FreeBSD

On 18/08/2015 14:55, wishmaster wrote:
> --- Original message ---
> From: "Andriy Gapon"
> Date: 18 August 2015, 14:35:36
>
>> On 18/08/2015 14:18, wishmaster wrote:
>>> --- Original message ---
>>> From: "Andriy Gapon"
>>> Date: 18 August 2015, 14:05:15
>>>
>>>> I have the following rule in pf.conf:
>>>> set skip on tap
>>>> and even the following one:
>>>> set skip on tap0
>>>>
>>>> The rules are loaded at the system start-up time, but the tap interface
>>>> may not be created until much later. When tap0 is first created the
>>>> skip rules are not applied to it and the traffic gets filtered. If I
>>>> reload the pf configuration, then the rules start working.
>>>>
>>>> Is there a way to make pf honor such rules for the dynamic interfaces?
>>>
>>> Hi,
>>>
>>> You should do it in your application, e.g. in mpd this is something like below
>>>
>>> set iface up-script /usr/local/etc/mpd5/link_up.sh
>>> set iface down-script /usr/local/etc/mpd5/link_down.sh
>>>
>>> in openvpn - see manuals.
>>
>> That's a good suggestion. But how to add a single rule for pf?
>> Reloading the whole configuration is disruptive to existing connections.
>
> Use anchors.

Thank you for the hint!

> Small example:
>
> # VPN Interface Up Script
> #
> # Script is called like this:
> #
> # script interface proto local-ip remote-ip authname
> #        $1        $2    $3       $4        $5
> #
>
> anchor "ng-int/*"
>
> # less if-up.sh
> #!/bin/sh
> echo "pass quick on $1 all" | pfctl -a ng-int/$1 -f -
>
> # less if-down.sh
> #!/bin/sh
> pfctl -a ng-int/$1 -F rules

-- 
Andriy Gapon
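The per-interface anchor pattern from the thread, worked into one script as an added example (not code from either poster): it assumes pf.conf contains `anchor "ng-int/*"`, that the caller passes the interface name as `$1`, and it adds an interface-name check so the anchor path and rule are only ever built from a sane name. The `DRY_RUN` variable and `run_pfctl` wrapper are assumptions for testing without a live pf.

```shell
#!/bin/sh
# Added example, not the thread's own scripts: one helper for both the up and
# down hooks, loading rules into a per-interface anchor under ng-int/*.
# Assumes pf.conf has:  anchor "ng-int/*"
# and that mpd/openvpn pass the interface name as $1.

ANCHOR_BASE="ng-int"

# Accept only plausible interface names (letters, digits, dot, underscore) so a
# malformed argument cannot become a path like "ng-int/../x" or a broken rule.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Anchor path for one interface, e.g. ng-int/tap0.
anchor_for() { printf '%s/%s\n' "$ANCHOR_BASE" "$1"; }

# Ruleset loaded into that anchor: the same rule used in the thread.
iface_rules() { printf 'pass quick on %s all\n' "$1"; }

# Run pfctl; with DRY_RUN set, echo the command and any ruleset on stdin instead.
run_pfctl() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'pfctl %s\n' "$*"
        cat
    else
        pfctl "$@"
    fi
}

# Interface came up: load its rules into its own anchor, leaving the rest of
# the ruleset and existing states untouched.
iface_up() {
    valid_ifname "$1" || { echo "iface_up: bad interface name '$1'" >&2; return 1; }
    iface_rules "$1" | run_pfctl -a "$(anchor_for "$1")" -f -
}

# Interface went away: flush only that anchor.
iface_down() {
    valid_ifname "$1" || { echo "iface_down: bad interface name '$1'" >&2; return 1; }
    run_pfctl -a "$(anchor_for "$1")" -F rules </dev/null
}

# Dispatch on the name the script was invoked as (install it under both names).
case "${0##*/}" in
    link_up.sh)   iface_up "$1" ;;
    link_down.sh) iface_down "$1" ;;
esac
```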