From owner-freebsd-questions@FreeBSD.ORG Wed May 7 18:28:54 2008
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 397D4106566B for ; Wed, 7 May 2008 18:28:54 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from snoogles.rachie.is-a-geek.net (rachie.is-a-geek.net [66.230.99.27]) by mx1.freebsd.org (Postfix) with ESMTP id 0E7E28FC1F for ; Wed, 7 May 2008 18:28:54 +0000 (UTC) (envelope-from fbsd.questions@rachie.is-a-geek.net)
Received: from localhost (localhost [127.0.0.1]) by snoogles.rachie.is-a-geek.net (Postfix) with ESMTP id 290501CD4A; Wed, 7 May 2008 10:28:53 -0800 (AKDT)
From: Mel
To: freebsd-questions@freebsd.org
Date: Wed, 7 May 2008 20:28:50 +0200
User-Agent: KMail/1.9.7
References: <53f591170805071021i45f757d3h4558e106a0da7f18@mail.gmail.com>
In-Reply-To: <53f591170805071021i45f757d3h4558e106a0da7f18@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200805072028.51152.fbsd.questions@rachie.is-a-geek.net>
Cc: Justin Jereza
Subject: Re: Delaying pf.conf loading
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 07 May 2008 18:28:54 -0000

On Wednesday 07 May 2008 19:21:22 Justin Jereza wrote:
> Hello.
>
> Is it possible to delay the loading of pf rules from pf.conf after ppp
> has connected and named is running through rc.conf?

No, the design of the rc system does not allow for rc.conf to alter the
order of the scripts executed, since rc.conf is loaded on a per-script
basis and the ordering is done based on 'comments' in the scripts
themselves.
You can, however, load an empty table with the appropriate name, then
create an rc script in /usr/local/etc/rc.d/ that fills the table with
hostnames to solve your problem. Here's an example:

/etc/rc.conf:

pf_dyntables_enable="YES"
pf_dyntables_list="adservers"

/etc/pf.conf:

table <adservers> persist

/etc/pf/dynamic/adservers:

cdn.fastclick.net
ad.doubleclick.net
# etc etc

/usr/local/etc/rc.d/pf_dyntables:

#!/bin/sh
#
# PROVIDE: pf_dyntables
# REQUIRE: named pf ppp

. /etc/rc.subr

name="pf_dyntables"
# Literal rcvar name; works on releases with and without set_rcvar().
rcvar="${name}_enable"
start_cmd="${name}_start"
stop_cmd=":"

load_rc_config $name

: ${pf_dyntables_enable="NO"}
: ${pf_dyntables_dir="/etc/pf/dynamic"}
: ${pf_dyntables_list="NONE"}
# pf_program is normally set in /etc/defaults/rc.conf; default it anyway.
: ${pf_program="/sbin/pfctl"}

pf_dyntables_start()
{
	if test x"${pf_dyntables_list}" = x"NONE"; then
		warn "pf_dyntables_list is not set; nothing to load"
		return 0
	fi
	for table in ${pf_dyntables_list}; do
		file="${pf_dyntables_dir}/${table}"
		if test ! -r "${file}"; then
			warn "${file} missing or unreadable; table <${table}> left empty"
			continue
		fi
		echo "Loading table <${table}>"
		# Let pfctl read the file itself: it skips '#' comments and blank
		# lines (which xargs would have passed on as bogus addresses) and
		# resolves the hostnames now, after named and ppp are up.
		${pf_program} -t "${table}" -T add -f "${file}" ||
		    warn "failed to load table <${table}>"
	done
}

run_rc_command "$1"

-- 
Mel

Problem with today's modular software: they start with the modules and
never get to the software part.
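Mel's point is that the boot sequence is fixed by rcorder(8) from the PROVIDE/REQUIRE/BEFORE comment keywords in the scripts, before any script ever reads rc.conf, so a new script with the right REQUIRE line is the only lever. The following is an added example, not code from the mailing-list post and not FreeBSD's rcorder: a small emulation of that dependency sort. The SCRIPTS dictionary holds constructed stand-in scripts whose keyword lines approximate, but are not copied from, the real /etc/rc.d files; the pf_dyntables entry uses the REQUIRE line from the post and ends up after named, pf and ppp. Unlike the real tool, a REQUIRE with no provider is treated as an error here rather than a warning.

```python
"""Minimal emulation of how rcorder(8) derives boot order from the
PROVIDE/REQUIRE/BEFORE comment keywords in rc.d scripts.

Added example for illustration; not code from the mailing-list post and
not FreeBSD's rcorder. SCRIPTS holds constructed stand-ins whose keyword
lines approximate, but are not copied from, the real /etc/rc.d files.
"""
import re
from collections import defaultdict

# Constructed stand-in scripts: only the keyword comments matter to rcorder.
SCRIPTS = {
    "FILESYSTEMS": "#!/bin/sh\n# PROVIDE: FILESYSTEMS\n",
    "netif": "#!/bin/sh\n# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "pf": "#!/bin/sh\n# PROVIDE: pf\n# REQUIRE: FILESYSTEMS netif\n",
    "ppp": "#!/bin/sh\n# PROVIDE: ppp\n# REQUIRE: netif\n",
    "named": "#!/bin/sh\n# PROVIDE: named\n# REQUIRE: netif\n",
    # The script from the post: it must land after all three REQUIREs.
    "pf_dyntables": "#!/bin/sh\n# PROVIDE: pf_dyntables\n# REQUIRE: named pf ppp\n",
}

KEYWORD = re.compile(r"^#[ \t]*(PROVIDE|REQUIRE|BEFORE):[ \t]*(.*)$", re.MULTILINE)


def parse_keywords(text):
    """Collect the rcorder keywords of one script as {keyword: [names]}."""
    kw = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for key, names in KEYWORD.findall(text):
        kw[key].extend(names.split())
    return kw


def rcorder(scripts):
    """Return the script names in a valid start order.

    A script runs after every script that PROVIDEs something it REQUIREs,
    and before every script that PROVIDEs something it lists under BEFORE.
    Nothing else (in particular nothing in rc.conf) influences the order.
    A REQUIRE with no provider raises; the real rcorder only warns.
    """
    keywords = {name: parse_keywords(text) for name, text in scripts.items()}
    providers = defaultdict(set)  # provided name -> scripts providing it
    for name, kw in keywords.items():
        for provided in kw["PROVIDE"]:
            providers[provided].add(name)

    waits_for = {name: set() for name in scripts}  # script -> scripts that run first
    for name, kw in keywords.items():
        for req in kw["REQUIRE"]:
            if req not in providers:
                raise ValueError(f"{name}: requirement {req!r} has no provider")
            waits_for[name] |= providers[req]
        for later in kw["BEFORE"]:
            for dependant in providers.get(later, ()):
                waits_for[dependant].add(name)

    # Kahn's algorithm; ties are broken alphabetically so the result is stable.
    order = []
    while waits_for:
        ready = sorted(n for n, waits in waits_for.items() if not waits)
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(waits_for)))
        order.extend(ready)
        for n in ready:
            del waits_for[n]
        for waits in waits_for.values():
            waits.difference_update(ready)
    return order


def runs_after(order, script, *earlier):
    """True if `script` is placed after every name in `earlier`."""
    pos = order.index(script)
    return all(order.index(e) < pos for e in earlier)


if __name__ == "__main__":
    for i, name in enumerate(rcorder(SCRIPTS), 1):
        print(f"{i}. {name}")
```

Because the order is a pure function of the keyword comments, editing rc.conf can only turn a script on or off, never move it; the same holds on a live system, where `rcorder /etc/rc.d/* /usr/local/etc/rc.d/*` prints the sequence the stand-in above approximates.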