From owner-freebsd-hackers@freebsd.org  Thu Dec 27 11:39:13 2018
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2C641135AB77
 for <freebsd-hackers@mailman.ysv.freebsd.org>;
 Thu, 27 Dec 2018 11:39:13 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:d12:604::2])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 58E7F6F55E;
 Thu, 27 Dec 2018 11:39:02 +0000 (UTC)
 (envelope-from eugen@grosbein.net)
Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13:0:0:0:5])
 by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id wBRBcrRA026832
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
 Thu, 27 Dec 2018 12:38:53 +0100 (CET)
 (envelope-from eugen@grosbein.net)
X-Envelope-From: eugen@grosbein.net
X-Envelope-To: wjw@digiware.nl
Received: from eg.sd.rdtc.ru (eugen@localhost [127.0.0.1])
 by eg.sd.rdtc.ru (8.15.2/8.15.2) with ESMTP id wBRBcp1m019906;
 Thu, 27 Dec 2018 18:38:52 +0700 (+07)
 (envelope-from eugen@grosbein.net)
Subject: Re: rcorder for vpn-like tunnels during early rc.d startup
To: Willem Jan Withagen <wjw@digiware.nl>, Craig Leres <leres@freebsd.org>,
 Dave Cottlehuber <dch@skunkwerks.at>, freebsd-hackers@freebsd.org
References: <1545487265.3497867.1616158504.69E513B4@webmail.messagingengine.com>
 <f9a31f17-0e5f-265a-60ac-010e0c16bc22@grosbein.net>
 <b86faac8-9428-7935-6444-a9a1ac032250@freebsd.org>
 <8a8c6e8e-4781-9e03-36cf-b7974cb719bc@grosbein.net>
 <f2d7e351-f895-5f9e-d4fd-d6db34ae5ba4@digiware.nl>
From: Eugene Grosbein <eugen@grosbein.net>
Message-ID: <5C24B9CB.1070800@grosbein.net>
Date: Thu, 27 Dec 2018 18:38:51 +0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101
 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <f2d7e351-f895-5f9e-d4fd-d6db34ae5ba4@digiware.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,LOCAL_FROM,SPF_PASS
 autolearn=no autolearn_force=no version=3.4.2
X-Spam-Report: * -2.3 BAYES_00 BODY: Bayes spam probability is 0 to 1%
 *      [score: 0.0000]
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  2.6 LOCAL_FROM From my domains
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net
X-Rspamd-Queue-Id: 58E7F6F55E
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
 spf=permerror (mx1.freebsd.org: domain of eugen@grosbein.net uses mechanism
 not recognized by this client) smtp.mailfrom=eugen@grosbein.net
X-Spamd-Result: default: False [-4.11 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-1.00)[-0.998,0];
 MX_INVALID(0.50)[greylisted]; FROM_HAS_DN(0.00)[];
 RCPT_COUNT_THREE(0.00)[4]; TO_DN_SOME(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-0.999,0]; MIME_GOOD(-0.10)[text/plain];
 RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[grosbein.net];
 RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[];
 R_SPF_PERMFAIL(0.00)[]; NEURAL_HAM_SHORT(-0.87)[-0.875,0];
 IP_SCORE(-1.64)[ip: (-2.93), ipnet: 2a01:4f8::/29(-2.80), asn: 24940(-2.44),
 country: DE(-0.01)]; FROM_EQ_ENVFROM(0.00)[];
 R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE];
 MID_RHS_MATCH_FROM(0.00)[]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Dec 2018 11:39:13 -0000

On 27.12.2018 18:09, Willem Jan Withagen wrote:

> Might want to use the ifup/ifdown scripts to add the specifics for the 
> VPN that just came up. Tricky part is how to get things in the tables at 
> the right place.
> 
> So with IPFW I use specific line numbers reserved to insert certain 
> rules. (using counter rules to split the fw code into blocks)
> 
> But it sort of feels like going back in the 80's basic programming.

Current ipfw implementation allows you to use 'tun*' or table containing interface names:

ipfw table NAME create type iface 
ipfw add 2000 allow ip from any to any via 'table(NAME)'

ipfw table NAME add tap0
ipfw table NAME add tun0

Note you do not have to change ruleset at all; you add or delete table records only.