From: Richard Coleman
Date: Sun, 28 Jan 2007 10:33:41 -0500
To: "Bruce M. Simpson"
Cc: freebsd-stable@FreeBSD.ORG, Pete French
Subject: Re: impossible rc.d ordering problem with stf and pf ?
Message-ID: <45BCC255.3010101@criticalmagic.com>
In-Reply-To: <45BC97E2.4050603@FreeBSD.org>

Bruce M. Simpson wrote:
> Pete French wrote:
>> Am trying to solve a little problem with 'pf'. I have a ruleset which
>> has some firewall rules for the IPv6 interface stf0. This works fine,
>> except when I reboot the machine, as the pf script is run before the
>> network_ipv6 script - so stf0 does not exist. But I cannot work out
>> how to arrange for stf0 to be created before the pf script is run - as
>> network_ipv6 requires 'routing', but the pf script says it must be run
>> before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines
>> correctly.
>>
> Just chiming in to confirm that this problem definitely exists.
> I don't have a solution, however, my IPv6 tunnels at home have all
> expired, so I may well get spare cycles to look at this the same time
> that I get spare cycles to revive the tunnels.
>
> BMS

Essentially the same problem exists with pf and ppp. The tun device (on which most of my pf rules depend) does not yet exist when pf is started.

Apparently, someone has looked at this before, since there are commands to resync pf and ipf inside the rc.d script for ppp (in ppp_postcmd). But this still doesn't work, since ppp is still negotiating the connection when this function is run, so pf fails a second time.

My solution was to jam a "sleep 15" inside ppp_postcmd() right before the point the commands to reload pf and ipf are run. It's major ugly, but it works.

Hopefully someone will find a better solution to these problems.

Richard Coleman
rcoleman@criticalmagic.com
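
A bounded alternative to the fixed "sleep 15" described in the message above, as an added example that is not part of the original message or of the FreeBSD rc.d scripts: poll until the interface is usable, then reload pf, and fail visibly on timeout so a ruleset that never loaded does not go unnoticed. The function names, the `IFACE_PROBE` and `PF_RELOAD` overrides, the 30-second default and the `/etc/pf.conf` path are assumptions.

```shell
# Added example (not from the thread). Intended to be called from the
# ppp hook in place of the fixed sleep, e.g.: reload_pf_when_ready tun0 30

# wait_until SECONDS CMD [ARGS...]
# Poll CMD once a second until it succeeds; return 1 if it is still
# failing after SECONDS.
wait_until() {
    _limit=$1; shift
    _waited=0
    until "$@" >/dev/null 2>&1; do
        if [ "$_waited" -ge "$_limit" ]; then
            return 1
        fi
        sleep 1
        _waited=$((_waited + 1))
    done
    return 0
}

# Default probe: the interface exists and has an IPv4 address. This is
# assumed to mean ppp has finished negotiating; if your ppp mode assigns
# an address earlier, point IFACE_PROBE at a stricter check. For an IPv6
# interface such as stf0, match 'inet6 ' instead.
iface_has_inet() {
    ifconfig "$1" 2>/dev/null | grep -q 'inet '
}

# reload_pf_when_ready IFACE [SECONDS]
# Reload the ruleset only once the probe succeeds. On timeout, log and
# return non-zero so the caller knows the rules were NOT reloaded.
reload_pf_when_ready() {
    _if=$1
    _limit=${2:-30}
    if wait_until "$_limit" "${IFACE_PROBE:-iface_has_inet}" "$_if"; then
        # Hypothetical override hook; default is the stock pfctl reload.
        ${PF_RELOAD:-pfctl -f /etc/pf.conf}
    else
        logger -t pf_resync "$_if not ready after ${_limit}s; pf rules not reloaded"
        return 1
    fi
}
```

The non-zero return on timeout is the part a fixed sleep cannot give you: the boot log then shows that the interface-dependent rules are missing, where a sleep that was too short leaves pf failing as before with nothing extra to flag it.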