Date: Fri, 6 Apr 2007 02:10:10 GMT
From: Giorgos Keramidas <keramida@freebsd.org>
To: freebsd-pf@FreeBSD.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Message-ID: <200704060210.l362AACg077020@freefall.freebsd.org>
The following reply was made to PR conf/111225; it has been noted by GNATS.

From: Giorgos Keramidas <keramida@freebsd.org>
To: Bas van Beek <bas@tobin.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Date: Fri, 6 Apr 2007 04:47:17 +0300

On 2007-04-04 13:10, Bas van Beek <bas@tobin.nl> wrote:
> A minor update of the pfsync script would allow for this option to be
> included in the rc.conf script:
>
> if [ -z "$pfsync_syncpeer" ] ; then
>     ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
> else
>     ifconfig pfsync0 syncpeer $pfsync_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
> fi

Sounds like a good idea. Does the following patch look like something
we can use to make pfsync_syncpeer="address" work, and document it as
an rc.conf option?

[ http://people.freebsd.org/~keramida/diff/conf-111225.patch ]

%%%
diff -r 7fd2429572a3 etc/rc.d/pfsync --- a/etc/rc.d/pfsync Fri Apr 06 01:25:19 2007 +0300 +++ b/etc/rc.d/pfsync Fri Apr 06 04:42:46 2007 +0300 @@ -37,7 +37,11 @@ pfsync_start() pfsync_start() { echo "Enabling pfsync." - ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up + if [ -n "${pfsync_syncpeer}" ]; then + _syncpeer="syncpeer ${pfsync_syncpeer}" + fi + ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up + unset _syncpeer } pfsync_stop() diff -r 7fd2429572a3 share/man/man5/rc.conf.5 --- a/share/man/man5/rc.conf.5 Fri Apr 06 01:25:19 2007 +0300 +++ b/share/man/man5/rc.conf.5 Fri Apr 06 04:42:46 2007 +0300 
@@ -855,6 +855,26 @@ It must be set accordingly if .Va pfsync_enable is set to .Dq Li YES . +.It Va pfsync_syncpeer +.Pq Vt str +Empty by default. +This variable is optional. +By default, state change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group used is +224.0.0.240. +When a peer address is specified using the +.Va pfsync_syncpeer +option, the peer address is used as a destination for the pfsync +traffic, and the traffic can then be protected using +.Xr ipsec 4 . +See the +.Xr pfsync 4 +manpage for more details about using +.Xr ipsec 4 +with +.Xr pfsync 4 +interfaces. .It Va pfsync_ifconfig .Pq Vt str Empty by default. %%%
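Review bot: the etc/rc.d/pfsync hunk introduces pfsync_syncpeer, but this patch touches only the rc.d script and rc.conf.5, so no `pfsync_syncpeer=""` default is added to etc/defaults/rc.conf even though the man page hunk documents the variable as "Empty by default"; suggest adding that default alongside the existing pfsync_* entries so the documentation and the defaults file agree and the variable is always defined before `[ -n "${pfsync_syncpeer}" ]` is evaluated. Leaving `$_syncpeer` unquoted on the ifconfig line is correct here, since it must expand either to the two words `syncpeer <address>` or to nothing at all, and the trailing `unset _syncpeer` keeps the helper variable from leaking into the rest of the rc environment.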
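Review bot: the new rc.conf.5 entry should say that pfsync_syncpeer depends on pfsync_syncdev: the rc.d hunk still passes `syncdev $pfsync_syncdev` unconditionally, so a peer address without a sync interface does not produce a working ifconfig line, and the entry just above already ties pfsync_syncdev to pfsync_enable. A short addition such as "It has no effect unless .Va pfsync_syncdev is also set." would make the dependency explicit. Two smaller points: the text says "the .Va pfsync_syncpeer option" where the same entry and the rest of the page call these variables ("This variable is optional."), and the security point the paragraph implies is worth stating plainly, namely that only the unicast traffic sent to a configured peer can be protected with ipsec(4), whereas the default multicast exchange on the sync interface cannot.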