From owner-freebsd-pf@FreeBSD.ORG Fri Apr 6 21:30:09 2007
Date: Fri, 6 Apr 2007 21:30:09 GMT
Message-Id: <200704062130.l36LU9F8012873@freefall.freebsd.org>
To: freebsd-pf@FreeBSD.org
From: Giorgos Keramidas
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
List-Id: "Technical discussion and general questions about packet filter (pf)"

The following reply was made to PR conf/111225; it has been noted by GNATS.

From: Giorgos Keramidas
To: Bas van Beek
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Date: Sat, 7 Apr 2007 00:24:55 +0300
> From: Giorgos Keramidas
> To: Bas van Beek
> Cc: freebsd-gnats-submit@freebsd.org
> Subject: conf/111225: Re: conf/111225: missing option "syncpeer" in pfsync startup script
> Date: Fri, 6 Apr 2007 04:47:17 +0300
>
> Sounds like a good idea. Does the following patch look like something
> we can use to make pfsync_syncpeer="address" work, and document it as an
> rc.conf option?
>
> [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ]

The original version of the patch used 'unset' to keep $_syncpeer local,
but Simon has pointed me at using "local _syncpeer" since then. I've
updated the patch online with:

%%% diff -r 7fd2429572a3 etc/rc.d/pfsync --- a/etc/rc.d/pfsync Fri Apr 06 01:25:19 2007 +0300 +++ b/etc/rc.d/pfsync Sat Apr 07 00:22:07 2007 +0300 @@ -36,8 +36,13 @@ pfsync_prestart() pfsync_start() { + local _syncpeer + echo "Enabling pfsync." - ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up + if [ -n "${pfsync_syncpeer}" ]; then + _syncpeer="syncpeer ${pfsync_syncpeer}" + fi + ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up } pfsync_stop() diff -r 7fd2429572a3 share/man/man5/rc.conf.5 --- a/share/man/man5/rc.conf.5 Fri Apr 06 01:25:19 2007 +0300 +++ b/share/man/man5/rc.conf.5 Sat Apr 07 00:22:07 2007 +0300
@@ -855,6 +855,26 @@ It must be set accordingly if .Va pfsync_enable is set to .Dq Li YES . +.It Va pfsync_syncpeer +.Pq Vt str +Empty by default. +This variable is optional. +By default, state change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group used is +224.0.0.240. +When a peer address is specified using the +.Va pfsync_syncpeer +option, the peer address is used as a destination for the pfsync +traffic, and the traffic can then be protected using +.Xr ipsec 4 . +See the +.Xr pfsync 4 +manpage for more details about using +.Xr ipsec 4 +with +.Xr pfsync 4 +interfaces. .It Va pfsync_ifconfig .Pq Vt str Empty by default. %%%
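Review bot: in the etc/rc.d/pfsync hunk, the new `ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up` line only works because $_syncpeer is left unquoted: an empty value must drop out of the argument list entirely, and a set value must be split by the shell into the two words "syncpeer" and the address. That is correct as written, but it is exactly what a later "quote all variables" cleanup would break (a quoted empty $_syncpeer hands ifconfig an empty argument), so add a one-line comment above the assignment saying the expansion is intentionally unquoted. Separately, the rc.conf.5 hunk promises "Empty by default" for pfsync_syncpeer, yet the patch touches only etc/rc.d/pfsync and rc.conf.5; if pfsync_syncdev and pfsync_ifconfig get their empty defaults from etc/defaults/rc.conf, a matching `pfsync_syncpeer=""` entry belongs there too.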
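Review bot: in the rc.conf.5 hunk, the pfsync_syncpeer entry should say that pfsync_syncdev is still required: the rc.d/pfsync change passes `syncdev $pfsync_syncdev` unconditionally and syncpeer only changes where the state messages are sent, but a reader of this text could take the two knobs as alternatives. It would also help to state plainly that setting a peer switches the traffic from the 224.0.0.240 multicast group to unicast to that one address and that this alone adds no authentication or confidentiality; "the traffic can then be protected using ipsec(4)" reads as optional, whereas without IPsec any host that can reach the synchronisation segment can still inject or observe state. Minor: check that "synchronisation" matches the spelling used elsewhere in rc.conf.5 and in pfsync(4).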
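As an added example (not code from the PR, from the patch above, or from FreeBSD's own etc/rc.d/pfsync), the following script dry-runs the patched pfsync_start() logic: it builds the ifconfig command line for the two rc.conf cases the patch supports (pfsync_syncpeer empty and set) without running ifconfig, and contrasts the unquoted $_syncpeer expansion the patch relies on with a quoted one, to show why quoting it would break the script. The interface name em1, the peer address 10.0.0.2, the "mtu 1460" value and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's etc/rc.d/pfsync:
# a dry-run copy of the patched pfsync_start() that prints the ifconfig
# command instead of running it, so the effect of pfsync_syncpeer can be
# checked without pf, pfsync(4) or root.  "em1", "10.0.0.2" and
# "mtu 1460" are constructed sample values.

# Mirror of the patch: $_syncpeer is deliberately left unquoted so that
# an empty value contributes no argument at all and a set value splits
# (on the default IFS) into the two words "syncpeer" and the address.
# $1 = pfsync_syncdev, $2 = pfsync_syncpeer, $3 = pfsync_ifconfig
pfsync_cmdline() {
	local _syncdev _syncpeer _ifconfig
	_syncdev=$1
	_syncpeer=
	_ifconfig=$3
	if [ -n "$2" ]; then
		_syncpeer="syncpeer $2"
	fi
	# The real script would exec this; here we only show the words.
	set -- pfsync0 $_syncpeer syncdev "$_syncdev" $_ifconfig up
	echo "ifconfig $*"
}

# Count the arguments ifconfig would receive; used to contrast the
# patch's unquoted expansion with a quoted one.
count_args() {
	echo $#
}

# Same construction as the patch (unquoted $_syncpeer).
pfsync_argc_unquoted() {
	local _syncpeer
	_syncpeer=
	if [ -n "$2" ]; then
		_syncpeer="syncpeer $2"
	fi
	count_args pfsync0 $_syncpeer syncdev "$1" up
}

# What a well-meaning "quote every variable" cleanup would produce: the
# empty case hands ifconfig an empty argument, and the set case hands it
# the single word "syncpeer 10.0.0.2", which ifconfig cannot parse.
pfsync_argc_quoted() {
	local _syncpeer
	_syncpeer=
	if [ -n "$2" ]; then
		_syncpeer="syncpeer $2"
	fi
	count_args pfsync0 "$_syncpeer" syncdev "$1" up
}

# Dry run of the two rc.conf cases the patch is meant to support.
pfsync_cmdline em1 "" ""          # ifconfig pfsync0 syncdev em1 up
pfsync_cmdline em1 10.0.0.2 ""    # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev em1 up
echo "unquoted, no peer: $(pfsync_argc_unquoted em1 "") args"   # 4
echo "quoted, no peer:   $(pfsync_argc_quoted em1 "") args"     # 5
```

Run it with `sh` on any POSIX-style shell that supports `local` (FreeBSD's /bin/sh, dash, bash). The argument counts are the whole point: four arguments in the unquoted empty case versus five in the quoted one, the fifth being the empty string that ifconfig would choke on.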