From owner-freebsd-stable@FreeBSD.ORG Sat Feb 26 02:48:51 2011
Date: Fri, 25 Feb 2011 21:17:30 -0500
From: jhell <jhellenthal@gmail.com>
To: Jeremy Chadwick
Cc: freebsd-stable@freebsd.org, Vincent Hoffman
Subject: Re: 8.2-RELEASE pf rules not loading
In-Reply-To: <20110225223119.GA13109@icarus.home.lan>
Message-ID:
References: <4D67E2BC.6070202@unsane.co.uk> <4D682BFE.9050702@unsane.co.uk> <20110225223119.GA13109@icarus.home.lan>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
List-Id: Production branch of FreeBSD source code

On Fri, 25 Feb 2011 17:31, freebsd@ wrote:

> On Fri, Feb 25, 2011 at 10:23:58PM +0000, Vincent Hoffman wrote:
>> On 25/02/2011 17:35, Josh Carroll wrote:
>>>> Hi All,
>>>> Just upgraded my home machine to 8.2-RELEASE via
>>>> freebsd-update remotely (spare time at work) and on reboot my pf
>>>> ruleset isn't being loaded. Running '/etc/rc.d/pf start' once it's booted
>>>> does start it fine though. Any suggestions on debugging, or shall I just
>>>> try a verbose boot and watch the console when I get home?
>>>> I still have
>>>>
>>>> pf_enable="YES" # Set to YES to enable packet filter (pf)
>>>> pflog_enable="YES" # Set to YES to enable packet filter logging
>>>>
>>>> in /etc/rc.conf
>>>
>>> Is your interface dynamic (e.g. using DHCP)? If so, you might try changing:
>>>
>>> ifconfig_="DHCP"
>>>
>>> to
>>>
>>> ifconfig_="SYNCDHCP"
>>>
>>> It's possible the network hasn't come up properly yet or there is no
>>> IP assigned.
>>>
>>> Failing that, you can set:
>>>
>>> rc_debug="YES"
>>>
>>> in rc.conf then watch at boot time if there are any odd messages when
>>> it attempts to start pf.
>>>
>> It turns out that it's sort of related to this. I have an IPv6 tunnel
>> from H.E. (tunnelbroker.net) and from looking at the boot output, it
>> looks like the IPv6 addresses (for any of my interfaces) aren't applied
>> until after pf starts. I'd say this is a bug. Oddly this didn't happen
>> for the release candidate I tried, although I think I may have modified
>> my rules and not rebooted until I upgraded.
>> The rules in question are:
>>
>> pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
>>
>> and
>>
>> pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp
>>
>> (ext_if = "ue0")
>>
>> I'll try changing $ext_if to the IPv6 address and see if that helps.
>
> Please look at pf.conf(5) and search for the word "parentheses" (should
> be under the "from x to x" section). This might resolve your problem.
>

Adding to this, and as someone else has already advised in a different
way, using synchronous_dhclient="YES" in rc.conf(5) will most likely
result in your rules loading properly.

--
jhell
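The pf.conf(5) "parentheses" advice in the thread, written out as an added example (this is not any poster's ruleset). The interface names ue0 and gif0 and the service lists are assumed values; $sf_tcp is not defined anywhere in the thread, so a constructed definition is supplied. A bare $ext_if in a rule is expanded to the interface's addresses once, when pfctl loads the file; if ue0 has no IPv6 address at that moment, pfctl reports that no IP address could be found for the interface and rejects the whole ruleset, which matches the symptom of pf starting cleanly only after the addresses are in place. Wrapping the macro in parentheses makes pf resolve the addresses in the kernel and follow later changes, so the rule loads before the tunnel or DHCP address exists and needs no reload afterwards.

```pf
# /etc/pf.conf fragment (added example; interface names and ports are
# assumed, $sf_tcp is a constructed placeholder for the thread's macro).
ext_if       = "ue0"
gif_if       = "gif0"
udp_services = "{ 53 }"
tcp_services = "{ 22 80 443 }"
sf_tcp       = "flags S/SA"

# Problem form, as quoted in the thread.  $ext_if is translated to ue0's
# IPv6 address(es) at ruleset load time.  With no IPv6 address on ue0 yet,
# pfctl rejects the ruleset and nothing below it is installed either.
#pass in quick on $gif_if inet6 proto udp to $ext_if port $udp_services keep state
#pass in quick on $gif_if inet6 proto tcp to $ext_if port $tcp_services $sf_tcp

# Fixed form.  ($ext_if) is a dynamic interface reference: the kernel
# keeps the address list current, so the rule loads with zero addresses
# present and picks up the tunnel / SLAAC / DHCP addresses as they arrive.
pass in quick on $gif_if inet6 proto udp to ($ext_if) port $udp_services keep state
pass in quick on $gif_if inet6 proto tcp to ($ext_if) port $tcp_services $sf_tcp
```

Check the file with "pfctl -nf /etc/pf.conf" before rebooting so a parse or address-lookup error shows up interactively instead of silently leaving the box without a ruleset. The rc.conf(5) side mentioned in the thread (ifconfig_<if>="SYNCDHCP" or synchronous_dhclient="YES") makes the boot wait for a DHCP lease before the later rc scripts run; the parenthesised rule form additionally covers addresses, such as the tunnel's IPv6, that are assigned after pf has already started.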