From owner-freebsd-stable@FreeBSD.ORG Mon Jan 29 13:42:36 2007
Message-ID: <45BDF9CB.8020903@criticalmagic.com>
Date: Mon, 29 Jan 2007 08:42:35 -0500
From: Richard Coleman
Organization: Critical Magic
To: Pete French
Cc: freebsd-stable@freebsd.org
Subject: Re: impossible rc.d ordering problem with stf and pf ?
List-Id: Production branch of FreeBSD source code

Pete French wrote:
>> 1) You use the interface name as address w/o dynamic lookup.
>> i.e. "... from stf0 ..."
>
> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before
> though, so I didn't realise what it was. I still can't find it in the PF
> manual, aside from a reference that you need to do it for NAT.
>
>> To 1 and 2 there is a simple solution: Don't do that then! 1 can easily
>> be defused by adding parentheses. i.e. "... from (stf0) ...".
>
> pass out on (stf0) inet6 from any to any keep state
>
> Gives me a syntax error when I try and load it with pfctl. If I change
> it to:
>
> pass out on stf0 inet6 from any to any keep state
>
> Then it works loading it with pfctl, but now does not work at boot due to
> the lack of stf0 interface. :-(
>
> -pete.

This confused me at first. But I believe you only use the dynamic syntax
(stf0) in places where the interface name gets converted to an address or
network, rather than just specifying an interface. So, for instance:

pass out on stf0 from (stf0) to any

The way I found them all was to look at "pfctl -s rules" and look for the
rules that had the IP address that was causing the problem. For me, this
occurred in places where I used the interface name with "to", "from", and
inside the "antispoof" rule.

That fixed my problem with ppp and pf.

Richard Coleman
rcoleman@criticalmagic.com
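The distinction discussed in this thread, spelled out as an added pf.conf fragment (an editor's example, not Richard's or Pete's ruleset; the interface name stf0 and the inet6 address family come from the thread, the specific rules themselves are constructed):

```pf
# Before: bare interface names in address positions ("from", "to",
# "antispoof for") are expanded to the interface's addresses at the moment
# pfctl loads the ruleset. If stf0 does not exist yet at boot, the load fails.
pass out on stf0 inet6 from stf0 to any keep state
antispoof for stf0 inet6

# After: parenthesised names are looked up dynamically, so the ruleset loads
# without the interface and follows its addresses as they change. The "on"
# clause names an interface rather than an address and takes no parentheses;
# "on (stf0)" is the form that produced the syntax error quoted above.
pass out on stf0 inet6 from (stf0) to any keep state
antispoof for (stf0) inet6
```

Check the edited ruleset with "pfctl -nf /etc/pf.conf" (parse without loading) before the interface has been configured, to confirm it no longer depends on stf0 existing at load time. In "pfctl -s rules" output the dynamic entries are shown as (stf0), whereas a bare name has already been replaced by the interface's address, which is the quick way to spot any remaining bare names that still need converting.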