From: Eugene Grosbein <eugen@grosbein.net>
To: Dave Cottlehuber <dch@skunkwerks.at>, freebsd-hackers@freebsd.org
Subject: Re: rcorder for vpn-like tunnels during early rc.d startup
Date: Sat, 22 Dec 2018 22:18:42 +0700
In-Reply-To: <1545487265.3497867.1616158504.69E513B4@webmail.messagingengine.com>
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

22.12.2018 21:01, Dave Cottlehuber wrote:

> I have a port[1] net/zerotier that provides a p2p layer2+ vpn via tap(4) interfaces.
> Ideally zerotier/zt would be available early enough during boot that later daemons
> such as ssh and other network services would be able to bind to those interfaces.

You should not try to make it start before packet filters; that is wrong and may sometimes even partially defeat the security goals of VPN networking. The whole system of FreeBSD rc.d script dependencies assumes that packet filters initialize before the network is fully operational.
Take a look at the base system's /etc/rc.d/ppp for an example of a tunneling daemon that starts as early as possible. Another example is /etc/rc.d/local_unbound, which needs fully operating networking but starts early enough to provide DNS services for ssh and others: in FreeBSD 12.0+ it REQUIREs the "defaultroute" and "netwait" features.
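The ordering the reply describes is expressed through the rcorder(8) keywords in the comment header of each rc.d script. The following is an added example, not code from this thread or from the net/zerotier port: two constructed rc.d scripts for a tunnel daemon, one that pushes itself ahead of the packet filters and one that, like local_unbound, waits for the packet filters, defaultroute and netwait while still running before DAEMON, plus a small POSIX-sh check that extracts the keywords and flags the unsafe ordering. The "zerotier" script name, the /usr/local/sbin/zerotier-one path and "BEFORE: DAEMON" are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the net/zerotier port.
# Extracts rcorder(8) keywords (PROVIDE/REQUIRE/BEFORE) from rc.d scripts and
# checks that a tunnel daemon is ordered after the packet filters. The two
# rc.d scripts below are constructed; daemon name and path are assumptions.
set -u

# Print the word list of one rcorder keyword from an rc.d script. rcorder
# reads them from comment lines "# KEYWORD: a b c"; several lines for the
# same keyword are allowed and are concatenated here.
rc_keyword() {  # rc_keyword KEYWORD FILE
    sed -n "s/^#[[:space:]]*$1:[[:space:]]*//p" "$2" | tr '\n' ' ' | sed 's/[[:space:]]*$//'
}

# 0 if any word in FILE's REQUIRE list is a packet-filter script or a target
# the base system already orders behind the packet filters, else 1.
requires_packet_filter() {  # requires_packet_filter FILE
    for w in $(rc_keyword REQUIRE "$1"); do
        case "$w" in
            pf|ipfw|ipfilter|netwait|NETWORKING|DAEMON|LOGIN) return 0 ;;
        esac
    done
    return 1
}

# 0 if FILE's BEFORE list asks to run ahead of a packet filter or of netif,
# i.e. at a point where no filter can have been loaded yet, else 1.
starts_before_packet_filter() {  # starts_before_packet_filter FILE
    for w in $(rc_keyword BEFORE "$1"); do
        case "$w" in
            pf|ipfw|ipfilter|netif) return 0 ;;
        esac
    done
    return 1
}

# Combined verdict: 0 when the ordering is sane, 1 when the daemon would
# bring its interfaces up with no packet filter in place.
audit_rc_script() {  # audit_rc_script FILE
    rc=0
    if starts_before_packet_filter "$1"; then
        echo "$1: BEFORE names a packet filter or netif; daemon would start unfiltered"
        rc=1
    fi
    if ! requires_packet_filter "$1"; then
        echo "$1: REQUIRE names neither a packet filter nor a target behind them"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$1: ordering OK"
    fi
    return $rc
}

# Write the two constructed rc.d scripts into a scratch directory; their
# paths are exported as EARLY_SCRIPT (wrong) and LATE_SCRIPT (right).
write_examples() {
    dir=$(mktemp -d)
    EARLY_SCRIPT=$dir/zerotier.early
    LATE_SCRIPT=$dir/zerotier.late
    # Wrong: starts right after netif and jumps ahead of pf and ipfw.
    cat > "$EARLY_SCRIPT" <<'EOF'
#!/bin/sh
# PROVIDE: zerotier
# REQUIRE: FILESYSTEMS netif
# BEFORE: pf ipfw
# KEYWORD: shutdown
. /etc/rc.subr
name=zerotier
rcvar=zerotier_enable
command=/usr/local/sbin/zerotier-one
command_args="-d"
load_rc_config $name
run_rc_command "$1"
EOF
    # Right, modelled on the reply's description of local_unbound: wait for the
    # packet filters, the default route and netwait, but run before DAEMON so
    # LOGIN-level services such as sshd can still bind to the tunnel.
    cat > "$LATE_SCRIPT" <<'EOF'
#!/bin/sh
# PROVIDE: zerotier
# REQUIRE: FILESYSTEMS pf ipfw ipfilter defaultroute netwait
# BEFORE: DAEMON
# KEYWORD: shutdown
. /etc/rc.subr
name=zerotier
rcvar=zerotier_enable
command=/usr/local/sbin/zerotier-one
command_args="-d"
load_rc_config $name
run_rc_command "$1"
EOF
}

write_examples
trap 'rm -rf "$dir"' EXIT
audit_rc_script "$EARLY_SCRIPT" || true
audit_rc_script "$LATE_SCRIPT"
```

The check only looks at direct keywords; the authority on the resulting order is rcorder itself, so on a FreeBSD host run `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` and confirm the tunnel script is listed after pf, ipfw and ipfilter and before sshd.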