Re: impossible rc.d ordering problem with stf and pf ?

From: Richard Coleman <rcoleman@xxxxxxxxxxxxxxxxx>
Date: Sun, 28 Jan 2007 10:33:41 -0500

Bruce M. Simpson wrote:

Pete French wrote:
Am trying to solve a little problem with 'pf'. I have a ruleset which
has some firewall rules for the IPv6 interface stf0. This works fine,
except when I rreboot the machine, as the pf script is run before the
network_ipv6 script - so stf0 does not exist. but I cannot work out
how to arrange for stf0 to be created before the pf script is run - as
network_ipv6 requires 'routing', but the pf script says it must be run
before 'routing', if I am reading the 'REQUIRE' and 'BEFORE' lines
correctly.

Just chiming in to confirm that this problem definitely exists.
I don't have a solution, however, my IPv6 tunnels at home have all expired, so I may well get spare cycles to look at this the same time that I get spare cycles to revive the tunnels.

BMS

Essentially the same problem exists with pf and ppp. The tun device (on which most of my pf rules depend) does not yet exist when pf is started.

Apparently, someone has looked at this before, since there are commands to resync pf and ipf inside the rc.d script for ppp (in ppp_postcmd). But this still doesn't work, since ppp is still negotiating the connection when this function is run, so pf fails a second time. My solution was to jam a "sleep 15" inside ppp_postcmd() right before the point the commands to reload pf and ipf are run. It's major ugly, but it works. Hopefully someone will find a better solution to these problems.

Richard Coleman
rcoleman@xxxxxxxxxxxxxxxxx
_______________________________________________
freebsd-stable@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@xxxxxxxxxxx"

Follow-Ups:
- Re: impossible rc.d ordering problem with stf and pf ?
  - From: Max Laier

References:
- impossible rc.d ordering problem with stf and pf ?
  - From: Pete French
- Re: impossible rc.d ordering problem with stf and pf ?
  - From: Bruce M. Simpson

Prev by Date: Re: rd.d/power_profile: dev.cpu.0.cx_supported doesn't exist
Next by Date: Re: impossible rc.d ordering problem with stf and pf ?
Previous by thread: Re: impossible rc.d ordering problem with stf and pf ?
Next by thread: Re: impossible rc.d ordering problem with stf and pf ?
Index(es):
- Date
- Thread

Relevant Pages

Re: impossible rc.d ordering problem with stf and pf ?
... which has some firewall rules for the IPv6 interface stf0. ... run before the network_ipv6 script - so stf0 does not exist. ... I did do some initial patches to tear down altq on interface ...
(freebsd-stable)
Re: impossible rc.d ordering problem with stf and pf ?
... which has some firewall rules for the IPv6 interface stf0. ... run before the network_ipv6 script - so stf0 does not exist. ... You use the interface name as address w/o dynamic lookup. ...
(freebsd-stable)
Re: impossible rc.d ordering problem with stf and pf ?
... has some firewall rules for the IPv6 interface stf0. ... network_ipv6 script - so stf0 does not exist. ... I don't have a solution, however, my IPv6 tunnels at home have all expired, so I may well get spare cycles to look at this the same time that I get spare cycles to revive the tunnels. ...
(freebsd-stable)
impossible rc.d ordering problem with stf and pf ?
... has some firewall rules for the IPv6 interface stf0. ... network_ipv6 script - so stf0 does not exist. ... network_ipv6 requires 'routing', but the pf script says it must be run ...
(freebsd-stable)
Re: impossible rc.d ordering problem with stf and pf ?
... has some firewall rules for the IPv6 interface stf0. ... network_ipv6 script - so stf0 does not exist. ... but you may create your own pf loading script and place it ...
(freebsd-stable)