Date: Tue, 10 Apr 2007 16:27:20 +0300
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-rc@freebsd.org
Subject: [REVIEW] conf/111225 bug fix
Message-ID: <20070410132720.GA6832@kobe.laptop>
Hi all, Does the following patch look like a good fix for bug conf/111225? %%% diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -151,6 +151,7 @@ pflog_flags="" # additional flags for pflog_flags="" # additional flags for pflogd pfsync_enable="NO" # Expose pf state to other hosts for syncing pfsync_syncdev="" # Interface for pfsync to work through +pfsync_syncpeer="" # IP address of pfsync peer host pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions. log_in_vain="0" # >=1 to log connects to ports w/o listeners. diff --git a/etc/rc.d/pfsync b/etc/rc.d/pfsync --- a/etc/rc.d/pfsync +++ b/etc/rc.d/pfsync @@ -36,8 +36,13 @@ pfsync_prestart() pfsync_start() { + local _syncpeer + echo "Enabling pfsync." - ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up + if [ -n "${pfsync_syncpeer}" ]; then + _syncpeer="syncpeer ${pfsync_syncpeer}" + fi + ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up } pfsync_stop() diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 
@@ -855,6 +855,26 @@ It must be set accordingly if .Va pfsync_enable is set to .Dq Li YES . +.It Va pfsync_syncpeer +.Pq Vt str +Empty by default. +This variable is optional. +By default, state change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group used is +224.0.0.240. +When a peer address is specified using the +.Va pfsync_syncpeer +option, the peer address is used as a destination for the pfsync +traffic, and the traffic can then be protected using +.Xr ipsec 4 . +See the +.Xr pfsync 4 +manpage for more details about using +.Xr ipsec 4 +with +.Xr pfsync 4 +interfaces. .It Va pfsync_ifconfig .Pq Vt str Empty by default. %%% Giorgos Keramidas FreeBSD: The Power to Serve keramida@FreeBSD.org http://www.FreeBSD.org/
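Review bot: In pfsync_start() in etc/rc.d/pfsync, 'local _syncpeer' is declared without a value and is assigned only inside the 'if', so when pfsync_syncpeer is empty the ifconfig line relies on the local starting out empty. In sh(1) a local inherits the value of a same-named variable in the enclosing scope, so initialising it explicitly (_syncpeer="" right after the 'local' line) makes the empty case unambiguous. The unquoted $_syncpeer is needed for the two-word 'syncpeer <addr>' expansion, but it also means a pfsync_syncpeer value containing whitespace passes extra arguments to ifconfig; a short comment that the value must be a single address would help.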
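Review bot: In the new pfsync_syncpeer entry in share/man/man5/rc.conf.5, the sentence 'the traffic can then be protected using ipsec(4)' can be read as if setting the peer address is what protects the traffic. Suggest wording that makes the two steps distinct: setting pfsync_syncpeer only changes the destination from the multicast group to the peer address, and IPsec has to be configured separately for that traffic to be protected. The entry could also state that the value is an IP address, matching the comment added in etc/defaults/rc.conf, and 'manpage' would read better as 'manual page'.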