From: "Felix J. Ogris" <fjo-lists@ogris.de>
Subject: pf reload/resync and skipped interface groups on 11.2-RELEASE
Date: Mon, 2 Jul 2018 16:44:32 +0200
To: freebsd-pf@freebsd.org
Message-Id: <51A8A900-32B4-47A0-99D9-F02B31D2C735@ogris.de>

Hi,

this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule set.
After the first reload/resync, any traffic on an interface that is skipped via an interface group statement in pf.conf is rejected:

root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.038 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.038/0.038/0.038/0.000 ms
root@fbsd:~ # service pf reload
Reloading pf rules.
root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

A second reload restores the expected behaviour:

root@fbsd:~ # service pf reload
Reloading pf rules.
root@fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.021 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.021/0.021/0.021/0.000 ms

My /etc/pf.conf:

root@fbsd:~ # cat /etc/pf.conf
set skip on lo
block
pass in inet proto tcp to port 22

Active rule set in either case:

root@fbsd:~ # pfctl -s rules
block drop all
pass in inet proto tcp from any to any port = ssh flags S/SA keep state

If I change “set skip on lo” to “set skip on lo0” in /etc/pf.conf, reload behaves fine.

/etc/rc.d/ppp does a “/etc/rc.d/pf quietresync” in its poststart() routine.

BR,
Felix
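The distinction the post turns on is that pf.conf treats an interface name without a trailing unit number ("lo", "em") as an interface group, while "lo0" names one concrete interface. The following is an added example, not code from the post or from FreeBSD: a small linter that finds "set skip on" statements naming a group and rewrites them to the concrete members, which is the form the post reports as reloading cleanly. The group-to-member mapping (GROUP_MEMBERS) and the sample configuration are constructed for the example; on a real host the members would come from "ifconfig -g <group>".

```python
"""Lint pf.conf 'set skip on' entries for interface-group names.

Added example, not from the mailing-list post or the FreeBSD project.
pf.conf semantics assumed here: a name with no trailing unit number
is an interface group; a name such as "lo0" is a concrete interface.
"""
import re

# One regex for both forms: "set skip on lo" and "set skip on { lo0 em0 }".
# Group 1 keeps the statement prefix (and indentation) so a rewrite can
# preserve it; group 2 is the interface or brace-delimited list.
SKIP_RE = re.compile(r'^([ \t]*set[ \t]+skip[ \t]+on[ \t]+)(\{[^}]*\}|\S+)',
                     re.MULTILINE)

# Constructed assumption for the example: which concrete interfaces belong
# to each group. On a live system this is what `ifconfig -g lo` reports.
GROUP_MEMBERS = {"lo": ["lo0"], "em": ["em0", "em1"]}

# The configuration from the post, embedded here as sample input.
SAMPLE_PF_CONF = (
    "set skip on lo\n"
    "block\n"
    "pass in inet proto tcp to port 22\n"
)


def _split_list(spec: str) -> list:
    """Turn 'lo0' or '{ lo0, em0 }' into ['lo0'] / ['lo0', 'em0']."""
    return [n for n in re.split(r'[\s,]+', spec.strip('{}')) if n]


def is_group(name: str) -> bool:
    """pf treats a name with no trailing digits as an interface group."""
    return re.search(r'\d+$', name) is None


def skip_interfaces(conf: str) -> list:
    """All interface names listed in 'set skip on' statements."""
    names = []
    for m in SKIP_RE.finditer(conf):
        names.extend(_split_list(m.group(2)))
    return names


def lint_skip(conf: str, members: dict) -> list:
    """Return (group_name, known_members) for every skipped group.

    An empty member list means the group is skipped but we cannot say
    which concrete interfaces that covers without querying the host.
    """
    return [(n, members.get(n, [])) for n in skip_interfaces(conf)
            if is_group(n)]


def rewrite_skip(conf: str, members: dict) -> str:
    """Replace group names in 'set skip on' with their concrete members.

    Groups with no known members are left untouched rather than guessed.
    """
    def repl(m):
        out = []
        for n in _split_list(m.group(2)):
            if is_group(n) and members.get(n):
                out.extend(members[n])
            else:
                out.append(n)
        body = out[0] if len(out) == 1 else "{ " + " ".join(out) + " }"
        return m.group(1) + body
    return SKIP_RE.sub(repl, conf)


if __name__ == "__main__":
    for group, concrete in lint_skip(SAMPLE_PF_CONF, GROUP_MEMBERS):
        print(f"skip on group '{group}' -> consider {concrete or 'unknown'}")
    print(rewrite_skip(SAMPLE_PF_CONF, GROUP_MEMBERS), end="")
```

Run against the sample configuration it reports the "lo" group and emits "set skip on lo0" as the first line; a configuration that already skips "lo0" produces no findings and is returned unchanged.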