Date:      Tue, 18 Nov 2008 21:19:32 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        Gert Doering <gert@greenie.muc.de>
Cc:        freebsd-rc@freebsd.org, gert@space.net
Subject:   Re: rcorder pf vs. network_ipv6 on 6.3-RELEASE
Message-ID:  <20081118211827.O61259@maildrop.int.zabbadoz.net>
In-Reply-To: <20081106125643.GG8535@greenie.muc.de>
References:  <20081106125643.GG8535@greenie.muc.de>

On Thu, 6 Nov 2008, Gert Doering wrote:

Hi,

> (bear with me, I'm normally not working on that part of the system, and
> I'm normally not subscribed to this list - so if I violate any sort of
> netiquette, I'm sorry for it).
>
> I ran into a problem with one of our FreeBSD 6.3-RELEASE machines today,
> and checking 7.0-RELEASE, the problem is similar over there.
>
> The issue I have is that /etc/rc.d/pf is run *before* /etc/rc.d/network_ipv6
> (because network_ipv6 demands so).
>
> pf:
>
> # PROVIDE: pf
> # REQUIRE: root FILESYSTEMS netif pflog pfsync
> # BEFORE:  routing
>
> network_ipv6:
>
> # PROVIDE: network_ipv6
> # REQUIRE: routing
>
> The problem comes up if you have pf(4) IPv6 rules that tack to an interface,
> as in:
>
>  pass in on $ext_if proto tcp from any     to $ext_if port 443 keep state
>
> if that rule is loaded *before* the interface gets configured, pf will
> not re-sync afterwards, so the firewall rule is ignored.
>
>
> It can be worked around by putting "to ($ext_if)" into the pf(4) rules,
> but there might be circumstances where this is not desirable ("if the
> address changes, this is exceptional circumstances and we want to know!"),
> and the current boot order takes away the decision from the user how
> to write his pf(4) rules.
>
>
> I tried to change the PROVIDE/REQUIRE/BEFORE statements in "pf" and
> "network_ipv6" to force execution of network_ipv6 before pf, but failed
> (rcorder complains about circular dependencies and I can't see why).
>
> So I'm handing this problem to you guys - please consider whether this
> should be changed (execute all IP configuration before all firewall stuff),
> and if yes, how to do it "right".
>
> thanks,
>
> gert
>


Is freebsd-rc@ alive and could anyone with sufficient rc-foo look at
this?


/bz

-- 
Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
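Added illustration, not part of the thread: a minimal Python model of how rcorder(8) resolves PROVIDE/REQUIRE/BEFORE headers, applied to the pf and network_ipv6 headers quoted above. It assumes a routing script that only carries "# PROVIDE: routing" and treats pf's other requirements (root, FILESYSTEMS, netif, pflog, pfsync) as dependency-free stubs; the "swapped" variant is one hypothetical change (adding network_ipv6 to pf's REQUIRE while keeping BEFORE: routing), shown to produce the circular dependency that rcorder reports.

```python
# Added example (not from the thread): a model of rcorder(8) dependency
# resolution over the rc.d headers quoted in the message. Requires Python 3.9+.
import re
from graphlib import TopologicalSorter, CycleError

# Headers as quoted on the page; the routing header is an assumption that
# keeps only its PROVIDE line.
STOCK = {
    "pf": "# PROVIDE: pf\n# REQUIRE: root FILESYSTEMS netif pflog pfsync\n# BEFORE:  routing\n",
    "routing": "# PROVIDE: routing\n",
    "network_ipv6": "# PROVIDE: network_ipv6\n# REQUIRE: routing\n",
}
# Providers pf REQUIREs that are irrelevant to the ordering question: stubs.
STUBS = ["root", "FILESYSTEMS", "netif", "pflog", "pfsync"]

def parse_header(text):
    """Return (provides, requires, befores) from rcorder-style comment lines."""
    keys = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for kw, vals in re.findall(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$", text, re.M):
        keys[kw] += vals.split()
    return keys["PROVIDE"], keys["REQUIRE"], keys["BEFORE"]

def rcorder(scripts):
    """Order scripts so every REQUIRE runs earlier and every BEFORE target runs
    later. Returns the ordered script names, or None on a circular dependency."""
    parsed = {name: parse_header(text) for name, text in scripts.items()}
    provider = {p: name for name, (prov, _, _) in parsed.items() for p in prov}
    deps = {name: set() for name in scripts}   # script -> scripts it must follow
    for name, (_, req, bef) in parsed.items():
        for r in req:
            if r in provider:
                deps[name].add(provider[r])
        for b in bef:
            if b in provider:
                deps[provider[b]].add(name)    # "BEFORE x" == x must follow us
    try:
        return list(TopologicalSorter(deps).static_order())
    except CycleError:
        return None

def stock_order():
    scripts = dict(STOCK, **{s: f"# PROVIDE: {s}\n" for s in STUBS})
    return rcorder(scripts)   # pf lands before routing, routing before network_ipv6

def swapped_order():
    # Hypothetical change: pf REQUIREs network_ipv6 but still says BEFORE: routing.
    # That closes the loop pf -> routing -> network_ipv6 -> pf, so no order exists.
    scripts = dict(STOCK, **{s: f"# PROVIDE: {s}\n" for s in STUBS})
    scripts["pf"] = scripts["pf"].replace("pfsync", "pfsync network_ipv6")
    return rcorder(scripts)
```

Running stock_order() prints nothing; it returns the list so the relative positions of pf, routing and network_ipv6 can be inspected, while swapped_order() returns None in place of rcorder's circular-dependency error.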


