From: "Justin Jereza" <justinjereza@gmail.com>
To: Mel, freebsd-questions@freebsd.org
Date: Thu, 8 May 2008 02:54:39 +0800
Subject: Re: Delaying pf.conf loading
Message-ID: <53f591170805071154q21275ffbs53cb8ab57175752e@mail.gmail.com>
In-Reply-To: <200805072028.51152.fbsd.questions@rachie.is-a-geek.net>
References: <53f591170805071021i45f757d3h4558e106a0da7f18@mail.gmail.com> <200805072028.51152.fbsd.questions@rachie.is-a-geek.net>

That ought to work. Thanks! :-)

On Thu, May 8, 2008 at 2:28 AM, Mel wrote:
>
> On Wednesday 07 May 2008 19:21:22 Justin Jereza wrote:
> > Hello.
> >
> > Is it possible to delay the loading of pf rules from pf.conf after ppp
> > has connected and named is running through rc.conf?
>
> No, the design of the rc system does not allow for rc.conf to alter the order
> of the scripts executed, since rc.conf is loaded on a per-script basis and
> the ordering is done based on 'comments' in the scripts themselves.
>
> You can, however, load an empty table with the appropriate name, then create an
> rc script in /usr/local/etc/rc.d/ that fills the table with hostnames to
> solve your problem.
>
> Here's an example:
>
> /etc/rc.conf:
> pf_dyntables_enable="YES"
> pf_dyntables_list="adservers"
>
> /etc/pf.conf:
> table <adservers> persist
>
> /etc/pf/dynamic/adservers:
> cdn.fastclick.net
> ad.doubleclick.net
> # etc etc
>
> /usr/local/etc/rc.d/pf_dyntables:
>
> #!/bin/sh
> #
> # PROVIDE: pf_dyntables
> # REQUIRE: named pf ppp
>
> . /etc/rc.subr
>
> name="pf_dyntables"
> rcvar=`set_rcvar`
> start_cmd="${name}_start"
> stop_cmd=":"
>
> load_rc_config $name
>
> : ${pf_dyntables_enable="NO"}
> : ${pf_dyntables_dir="/etc/pf/dynamic"}
> : ${pf_dyntables_list="NONE"}
>
> pf_dyntables_start()
> {
> 	if test x"${pf_dyntables_list}" != x"NONE"; then
> 		for table in ${pf_dyntables_list}; do
> 			echo "Loading table <$table>"
> 			# Skip comment and blank lines (the table file above has
> 			# one) before handing the hostnames to pfctl; pf_program
> 			# is defined in /etc/defaults/rc.conf.
> 			grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
> 				${pf_dyntables_dir}/${table} | /usr/bin/xargs \
> 				${pf_program} -t ${table} -Tadd
> 		done
> 	else
> 		warn "pf_dyntables_list is empty, no tables loaded"
> 	fi
> }
>
> run_rc_command "$1"
>
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
> and never get to the software part.
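As an added example (not Mel's script and not part of the thread), here is a stricter loader for the same table files: it drops comments, blank lines and malformed entries, then passes the survivors to pfctl with -f instead of through xargs, so nothing in the file can ever be parsed as a pfctl option. The function names, the temp-file location and the choice of -T replace over -T add are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the same table file format as
# Mel's script, one hostname or address per line with '#' comments, but
# validates each entry and hands the result to pfctl with -f, so file
# contents never become pfctl command-line arguments.
# pf_program comes from /etc/defaults/rc.conf on FreeBSD; default it for use outside rc(8).
pf_program=${pf_program:-/sbin/pfctl}

# Print the well-formed entries of a table file, one per line. Comments and
# blank lines are skipped; a line with extra words, a leading '-', more than
# one '/' or characters outside [A-Za-z0-9.:/-] is reported and dropped.
# Returns 0 if all lines loaded, 1 if some were dropped, 2 if unreadable.
pf_dyntable_filter()
{
	[ -r "$1" ] || { echo "pf_dyntable: cannot read $1" >&2; return 2; }
	_bad=0
	while read -r _entry _rest || [ -n "$_entry" ]; do
		_entry=${_entry%%#*}       # comment glued to the entry
		_rest=${_rest%%#*}         # comment after the entry
		[ -z "$_entry" ] && continue
		_ok=1
		[ -n "$_rest" ] && _ok=0   # more than one word on the line
		case "$_entry" in
		-*|*/*/*|*[!A-Za-z0-9.:/-]*) _ok=0 ;;
		esac
		if [ "$_ok" -eq 1 ]; then
			printf '%s\n' "$_entry"
		else
			echo "pf_dyntable: rejected entry: $_entry $_rest" >&2
			_bad=1
		fi
	done < "$1"
	return $_bad
}

# Replace the contents of table $1 with the filtered entries of file $2.
# -T replace keeps a re-run idempotent; returns nonzero on any problem.
pf_dyntable_load()
{
	_tmp=$(mktemp "${TMPDIR:-/tmp}/pf_dyntable.XXXXXX") || return 1
	_st=0
	pf_dyntable_filter "$2" > "$_tmp" || _st=$?
	[ "$_st" -eq 1 ] && echo "pf_dyntable: loading $1 without rejected entries" >&2
	if [ "$_st" -lt 2 ]; then       # never replace a table from an unreadable file
		"$pf_program" -t "$1" -T replace -f "$_tmp" || _st=$?
	fi
	rm -f "$_tmp"
	return $_st
}
```

In the rc script from the thread, the loop body would then become `pf_dyntable_load ${table} ${pf_dyntables_dir}/${table}`.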