Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 2 Jul 2018 16:44:32 +0200
From:      "Felix J. Ogris" <fjo-lists@ogris.de>
To:        freebsd-pf@freebsd.org
Subject:   pf reload/resync and skipped interface groups on 11.2-RELEASE
Message-ID:  <51A8A900-32B4-47A0-99D9-F02B31D2C735@ogris.de>
next in thread | raw e-mail | index | archive | help 
Hi,

this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule =
set. After the first reload/resync, any traffic on an interface that is =
skipped via an interface group statement in pf.conf is rejected:

root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=3D0 ttl=3D64 time=3D0.038 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev =3D 0.038/0.038/0.038/0.000 ms

root@fbsd:~ # service pf reload
Reloading pf rules.

root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

A second reload restores the expected behaviour:

root@fbsd:~ # service pf reload
Reloading pf rules.

root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=3D0 ttl=3D64 time=3D0.021 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev =3D 0.021/0.021/0.021/0.000 ms


My /etc/pf.conf:

root@fbsd:~ # cat /etc/pf.conf
set skip on lo
block
pass in inet proto tcp to port 22

Active rule set in either case:

root@fbsd:~ # pfctl -s rules
block drop all
pass in inet proto tcp from any to any port =3D ssh flags S/SA keep =
state


If i change =E2=80=9Cset skip on lo=E2=80=9D to =E2=80=9Cset skip on =
lo0=E2=80=9D in /etc/pf.conf, reload behaves fine.
/etc/rc.d/ppp does a =E2=80=9C/etc/rc.d/pf quietresync=E2=80=9D in its =
poststart() routine.

BR,
Felix=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51A8A900-32B4-47A0-99D9-F02B31D2C735>