Date:      Tue, 18 Aug 2015 15:50:45 +0300
From:      Andriy Gapon <avg@FreeBSD.org>
To:        wishmaster <artemrts@ukr.net>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: pf and new interface
Message-ID:  <55D32A25.8070001@FreeBSD.org>
In-Reply-To: <1439898859.98223622.d5j81kl5@frv34.fwdcdn.com>
References:  <55D2E9B3.2040301@FreeBSD.org> <1439896563.102588062.s8ouf3nc@frv34.fwdcdn.com> <55D3184B.7050200@FreeBSD.org> <1439898859.98223622.d5j81kl5@frv34.fwdcdn.com>

On 18/08/2015 14:55, wishmaster wrote:
>  --- Original message ---
>  From: "Andriy Gapon" <avg@freebsd.org>
>  Date: 18 August 2015, 14:35:36
>   
> 
> 
>> On 18/08/2015 14:18, wishmaster wrote:
>>> --- Original message ---
>>> From: "Andriy Gapon" 
>>> Date: 18 August 2015, 14:05:15
>>>
>>>
>>>> I have the following rule in pf.conf:
>>>> set skip on tap
>>>> and even the following one:
>>>> set skip on tap0
>>>>
>>>> The rules are loaded at the system start-up time, but the tap interface
>>>> may not be created until much later. When tap0 is first created the
>>>> skip rules are not applied to it and the traffic gets filtered. If I
>>>> reload the pf configuration, then the rules start working.
>>>>
>>>> Is there a way to make pf honor such rules for the dynamic interfaces?
>>>
>>> Hi,
>>>
>>> You should do it in your application, e.g. in mpd this is something like below
>>>
>>> set iface up-script /usr/local/etc/mpd5/link_up.sh
>>> set iface down-script /usr/local/etc/mpd5/link_down.sh
>>>
>>> in openvpn - see manuals.
>>
>> That's a good suggestion. But how to add a single rule for pf?
>> Reloading the whole configuration is disruptive to existing connections.
> 
> 
> Use anchors.

Thank you for the hint!

> Small example:
> 
> # VPN Interface Up Script
> #
> # Script is called like this:
> #
> #       script  interface proto local-ip remote-ip authname
> #                   $1      $2    $3        $4        $5
> #
> 
> anchor "ng-int/*"
> 
> # less if-up.sh
> #!/bin/sh
> echo "pass quick on $1 all" | pfctl -a ng-int/$1 -f -
> 
> # less if-down.sh
> #!/bin/sh
> pfctl -a ng-int/$1 -F rules
> 
>  
>  
> 


-- 
Andriy Gapon
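As an added example (not code from the thread or from either poster): the up/down scripts from wishmaster's reply folded into one POSIX sh script, with the interface name checked before it is spliced into the pfctl anchor path and the rule text, and a helper to inspect what is currently loaded. It assumes pf.conf carries `anchor "dyn-if/*"`; the anchor name "dyn-if" is an assumption, the thread uses "ng-int".

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Manages a per-interface pf sub-anchor for interfaces that appear after
# pf.conf was loaded (tap, ng, tun...). Assumes pf.conf contains:
#   anchor "dyn-if/*"
# The anchor name is an assumption (the thread uses "ng-int").
ANCHOR_BASE="${ANCHOR_BASE:-dyn-if}"

# valid_ifname NAME -> 0 if NAME looks like an interface name and is safe
# to splice into pf syntax and an anchor path: letters, digits, '_' and
# '.', starting with a letter. Anything else (spaces, ';', '/', quotes)
# is rejected so a malformed $1 from a daemon cannot alter the rule text.
valid_ifname() {
    case "$1" in
        "")                 return 1 ;;
        *[!A-Za-z0-9_.]*)   return 1 ;;
        [0-9]*|[_.]*)       return 1 ;;
    esac
    return 0
}

# rules_for IFACE -> prints the ruleset loaded into the interface's
# sub-anchor. Same rule as the thread: pass everything on that interface.
rules_for() {
    printf 'pass quick on %s all\n' "$1"
}

# if_up IFACE: load the rule into anchor dyn-if/IFACE (called from the
# daemon's up-script with the interface name as its first argument).
if_up() {
    valid_ifname "$1" || { echo "if_up: bad interface name: '$1'" >&2; return 2; }
    rules_for "$1" | pfctl -a "$ANCHOR_BASE/$1" -f -
}

# if_down IFACE: flush the sub-anchor when the interface goes away.
if_down() {
    valid_ifname "$1" || { echo "if_down: bad interface name: '$1'" >&2; return 2; }
    pfctl -a "$ANCHOR_BASE/$1" -F rules
}

# if_show IFACE: print the rules currently loaded for that interface,
# a quick check that the up-script actually ran.
if_show() {
    valid_ifname "$1" || { echo "if_show: bad interface name: '$1'" >&2; return 2; }
    pfctl -a "$ANCHOR_BASE/$1" -sr
}

# Dispatch when run directly, e.g.  ./dyn-if.sh up tap0  /  ./dyn-if.sh down tap0
case "${1:-}" in
    up)   if_up "$2" ;;
    down) if_down "$2" ;;
    show) if_show "$2" ;;
esac
```

Point the daemon's up-script at `dyn-if.sh up` and its down-script at `dyn-if.sh down`. Because pf evaluates the main ruleset in order, the `anchor "dyn-if/*"` line has to sit before any block rule that would otherwise match the interface's traffic; the `quick` inside the sub-anchor only takes effect once evaluation reaches the anchor.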


