Date: Wed, 7 May 2008 20:28:50 +0200
From: Mel <fbsd.questions@rachie.is-a-geek.net>
To: freebsd-questions@freebsd.org
Cc: Justin Jereza <justinjereza@gmail.com>
Subject: Re: Delaying pf.conf loading
Message-ID: <200805072028.51152.fbsd.questions@rachie.is-a-geek.net>
In-Reply-To: <53f591170805071021i45f757d3h4558e106a0da7f18@mail.gmail.com>
References: <53f591170805071021i45f757d3h4558e106a0da7f18@mail.gmail.com>

On Wednesday 07 May 2008 19:21:22 Justin Jereza wrote:
> Hello.
>
> Is it possible to delay the loading of pf rules from pf.conf after ppp
> has connected and named is running through rc.conf?

No, the design of the rc system does not allow for rc.conf to alter the order
of the scripts executed, since rc.conf is loaded on a per-script basis and
the ordering is done based on 'comments' in the scripts themselves.

You can, however, load an empty table with the appropriate name, then create an
rc script in /usr/local/etc/rc.d/ that fills the table with hostnames to
solve your problem.

Here's an example:

/etc/rc.conf:
pf_dyntables_enable="YES"
pf_dyntables_list="adservers"

/etc/pf.conf:
table <adservers> persist

/etc/pf/dynamic/adservers:
cdn.fastclick.net
ad.doubleclick.net
# etc etc

/usr/local/etc/rc.d/pf_dyntables:
#!/bin/sh
#
# rcorder reads the two keywords below: this script runs only after
# named, pf and ppp have been started.
# PROVIDE: pf_dyntables
# REQUIRE: named pf ppp

. /etc/rc.subr

name="pf_dyntables"
rcvar=`set_rcvar`
start_cmd="${name}_start"
stop_cmd=":"

# Read rc.conf, then fall back to defaults for anything left unset.
load_rc_config $name
: ${pf_dyntables_enable="NO"}
: ${pf_dyntables_dir="/etc/pf/dynamic"}
: ${pf_dyntables_list="NONE"}

pf_dyntables_start()
{
	if test x"${pf_dyntables_list}" != x"NONE"; then
		for table in ${pf_dyntables_list}; do
			echo "Loading table <$table>"
			# Each word in the file becomes an argument to pfctl -Tadd.
			cat "${pf_dyntables_dir}/${table}" | /usr/bin/xargs \
				${pf_program} -t "${table}" -Tadd
		done
	else
		# pf_dyntables_list was left at its default: nothing to load.
		echo hi
	fi
}

run_rc_command "$1"

--
Mel
Problem with today's modular software: they start with the modules
and never get to the software part.
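
An added example, not part of Mel's message: the script above hands every word in the table file to pfctl through xargs, so a comment line or an entry starting with `-` ends up on the pfctl command line. The hypothetical helper `clean_table_entries` filters such a file first; the sample file is constructed, and negated (`!`) table entries are assumed not to be needed.

```sh
#!/bin/sh
# Added example: sanitise a pf table file before its entries are
# passed to `pfctl -t <table> -Tadd`. clean_table_entries is a
# hypothetical helper name, not part of FreeBSD or the original script.

# $1: path to a table file such as /etc/pf/dynamic/adservers
# Prints one accepted entry per line; rejected lines go to stderr.
clean_table_entries()
{
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments and surrounding whitespace.
        entry=$(printf '%s\n' "$line" |
            sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        if [ -z "$entry" ]; then
            continue
        fi
        case "$entry" in
            -*|*[!A-Za-z0-9.:/-]*)
                # A leading '-' could be taken as a command-line option;
                # other characters do not occur in hostnames, IPv4/IPv6
                # addresses or CIDR prefixes.
                echo "skipping invalid entry: $entry" >&2
                continue
                ;;
        esac
        printf '%s\n' "$entry"
    done < "$1"
}

# Constructed sample input (not real data).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
cdn.fastclick.net
ad.doubleclick.net   # trailing comment
# etc etc

-notahost
192.0.2.0/24
bad host;name
EOF

clean_table_entries "$sample"
```

In the rc script, `clean_table_entries "${pf_dyntables_dir}/${table}"` can feed xargs in place of the `cat`.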
