Date:      Mon, 29 Jan 2007 17:23:41 +0100
From:      Max Laier <max@love2party.net>
To:        Pete French <petefrench@ticketswitch.com>
Cc:        bms@freebsd.org, freebsd-stable@freebsd.org, rcoleman@criticalmagic.com
Subject:   Re: impossible rc.d ordering problem with stf and pf ?
Message-ID:  <200701291723.52074.max@love2party.net>
In-Reply-To: <E1HBVDo-0008WW-Fe@dilbert.ticketswitch.com>
References:  <E1HBVDo-0008WW-Fe@dilbert.ticketswitch.com>


On Monday 29 January 2007 13:02, Pete French wrote:
> > 1) You use the interface name as address w/o dynamic lookup.
> > i.e. "... from stf0 ..."
>
> Yes, that's it - I hadn't come across this 'dynamic lookup' thing before
> though, so I didn't realise what it was. I still can't find it in the PF
> manual, aside from a reference that you need to do it for NAT.
>
> > To 1 and 2 there is a simple solution: Don't do that then!  1 can
> > easily be defused by adding parentheses. i.e. "... from (stf0)
> > ...".
>
> 	pass out on (stf0) inet6 from any to any keep state

No, that's a misunderstanding.  The "on ifnX" part stays untouched.

> Gives me a syntax error when I try and load it with pfctl. If I change
> it to:
>
> 	pass out on stf0 inet6 from any to any keep state
>
> Then it works loading it with pfctl, but now does not work at boot due
> to the lack of stf0 interface. :-(

That's strange.  Works here without a problem:

# ifconfig -l
fxp0 bge0 bge1 lo0 pflog0

No stf0 interface.

# echo "pass out on stf0 inet6 from any to any keep state" | pfctl -vf-
pass out on stf0 inet6 all keep state

Still, rule loaded without problems ...

The "(ifnX)" syntax is only for places where you use the interface as an
address.  The "on ifnX" part stays unchanged in any case and it does not
matter if the interface exists already or not.

What version are you using again?  My tests are with 6.2

--
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
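
The distinction drawn in the message above, as an added example that is not part of the original e-mail: a small check that flags pf rules using a bare interface name as an address after "from" or "to", while leaving the "on ifnX" part and the "(ifnX)" form alone. The function names, the sample rules and the letters-then-digits interface-name heuristic are assumptions made for this example.

```sh
#!/bin/sh
# Added example: flag pf rules that use a bare interface name as an address.
# Assumption (heuristic): an interface name is letters followed by digits,
# e.g. stf0 or fxp0. A hostname of that shape would also be flagged.

# Constructed sample rules; line 3 uses stf0 as an address without parentheses.
sample_rules() {
    cat <<'EOF'
# constructed sample pf.conf fragment
pass out on stf0 inet6 from any to any keep state
pass out on stf0 inet6 from stf0 to any keep state
pass out on stf0 inet6 from (stf0) to any keep state
pass in on fxp0 inet proto tcp from any to fxp0 port 22 keep state
EOF
}

# Reads rules from the named files or stdin; prints one finding per bare
# interface address and returns 1 if there was any, 0 otherwise.
lint_pf_rules() {
    awk '
    {
        sub(/#.*/, "")    # ignore comments
        for (i = 1; i < NF; i++) {
            # Only the token after from/to is an address; "on ifnX" is skipped.
            if ($i != "from" && $i != "to") continue
            if ($(i + 1) ~ /^[a-z]+[0-9]+$/) {
                printf "line %d: bare interface %s after \"%s\"; write (%s)\n",
                    NR, $(i + 1), $i, $(i + 1)
                found = 1
            }
        }
    }
    END { exit found + 0 }' "$@"
}

sample_rules | lint_pf_rules || true
```

Run against a real ruleset with `lint_pf_rules /etc/pf.conf`; the non-zero return on findings makes it usable as a pre-boot or pre-commit check.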
