From owner-freebsd-rc@FreeBSD.ORG Thu Nov 6 13:12:29 2008
Date: Thu, 6 Nov 2008 13:56:44 +0100
From: Gert Doering <gert@greenie.muc.de>
To: freebsd-rc@freebsd.org
Cc: bz@freebsd.org, gert@space.net
Message-ID: <20081106125643.GG8535@greenie.muc.de>
Subject: rcorder pf vs. network_ipv6 on 6.3-RELEASE
List-Id: "Discussion related to /etc/rc.d design and implementation."

Hi,

(bear with me, I'm normally not working on that part of the system, and I'm normally not subscribed to this list - so if I violate any sort of netiquette, I'm sorry for it).
I ran into a problem with one of our FreeBSD 6.3-RELEASE machines today, and checking 7.0-RELEASE, the problem is similar over there.

The issue I have is that /etc/rc.d/pf is run *before* /etc/rc.d/network_ipv6 (because network_ipv6 demands so).

pf:

    # PROVIDE: pf
    # REQUIRE: root FILESYSTEMS netif pflog pfsync
    # BEFORE: routing

network_ipv6:

    # PROVIDE: network_ipv6
    # REQUIRE: routing

The problem comes up if you have pf(4) IPv6 rules that tack to an interface, as in:

    pass in on $ext_if proto tcp from any to $ext_if port 443 keep state

If that rule is loaded *before* the interface gets configured, pf will not re-sync afterwards, so the firewall rule is ignored.

It can be worked around by putting "to ($ext_if)" into the pf(4) rules, but there might be circumstances where this is not desirable ("if the address changes, this is exceptional circumstances and we want to know!"), and the current boot order takes away from the user the decision of how to write his pf(4) rules.

I tried to change the PROVIDE/REQUIRE/BEFORE statements in "pf" and "network_ipv6" to force execution of network_ipv6 before pf, but failed (rcorder complains about circular dependencies and I can't see why).

So I'm handing this problem to you guys - please consider whether this should be changed (execute all IP configuration before all firewall stuff), and if yes, how to do it "right".

thanks,

gert
-- 
USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
Gert Doering - Munich, Germany                       gert@greenie.muc.de
fax: +49-89-35655025                  gert@net.informatik.tu-muenchen.de
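The ordering question in the mail above can be reproduced with a small rcorder(8)-style resolver. The following Python script is an added example, not part of the original mail and not FreeBSD's rcorder: it parses the PROVIDE/REQUIRE/BEFORE headers the way rcorder does, topologically sorts the scripts, and reports a circular dependency when none can be scheduled. Only the pf and network_ipv6 headers are taken from the mail; the other script stubs (root, FILESYSTEMS, netif, pflog, pfsync, routing) are simplified, constructed stand-ins, and the "force network_ipv6 before pf" edit is one assumed way of attempting what the mail describes, not the author's actual change. With these inputs it shows pf landing before network_ipv6, and it shows why the naive reversal trips a cycle: pf's own "BEFORE: routing" plus network_ipv6's "REQUIRE: routing".

```python
"""Added example: rcorder(8)-style dependency resolution in Python.
Not FreeBSD's rcorder; script bodies below are constructed stubs except
for the pf and network_ipv6 headers, which are quoted from the mail."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^\s*#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$")

# Constructed stand-ins for /etc/rc.d scripts (assumption: simplified headers).
SCRIPTS = {
    "root": "# PROVIDE: root\n",
    "FILESYSTEMS": "# PROVIDE: FILESYSTEMS\n# REQUIRE: root\n",
    "netif": "# PROVIDE: netif\n# REQUIRE: FILESYSTEMS\n",
    "pflog": "# PROVIDE: pflog\n# REQUIRE: root FILESYSTEMS netif\n",
    "pfsync": "# PROVIDE: pfsync\n# REQUIRE: root FILESYSTEMS netif\n",
    # headers as quoted in the mail
    "pf": "# PROVIDE: pf\n# REQUIRE: root FILESYSTEMS netif pflog pfsync\n# BEFORE: routing\n",
    "routing": "# PROVIDE: routing\n# REQUIRE: netif\n",
    "network_ipv6": "# PROVIDE: network_ipv6\n# REQUIRE: routing\n",
}


def parse_headers(text):
    """Collect the PROVIDE/REQUIRE/BEFORE keyword lists from one script body."""
    found = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            found[m.group(1)].extend(m.group(2).split())
    return found


def build_edges(scripts):
    """Return {a: {b, ...}} meaning script a must run before script b."""
    headers = {name: parse_headers(text) for name, text in scripts.items()}
    providers = defaultdict(set)          # keyword -> scripts providing it
    for name, hdr in headers.items():
        for keyword in hdr["PROVIDE"]:
            providers[keyword].add(name)
    edges = defaultdict(set)
    for name, hdr in headers.items():
        # REQUIRE: every provider of the keyword runs before this script.
        for keyword in hdr["REQUIRE"]:
            for provider in providers.get(keyword, ()):   # unknown keyword: ignored
                if provider != name:
                    edges[provider].add(name)
        # BEFORE: this script runs before every provider of the keyword.
        for keyword in hdr["BEFORE"]:
            for later in providers.get(keyword, ()):
                if later != name:
                    edges[name].add(later)
    return edges


def rcorder(scripts):
    """Kahn topological sort; raises ValueError naming the scripts stuck in a
    cycle, which is what rcorder reports as a circular dependency."""
    edges = build_edges(scripts)
    indegree = {name: 0 for name in scripts}
    for successors in edges.values():
        for b in successors:
            indegree[b] += 1
    ready = sorted(name for name, d in indegree.items() if d == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for b in sorted(edges.get(current, ())):
            indegree[b] -= 1
            if indegree[b] == 0:
                ready.append(b)
        ready.sort()                       # deterministic tie-breaking
    if len(order) != len(scripts):
        stuck = sorted(name for name, d in indegree.items() if d > 0)
        raise ValueError("circular dependency among: " + " ".join(stuck))
    return order


def runs_before(order, first, second):
    """True if `first` is scheduled ahead of `second` in the computed order."""
    return order.index(first) < order.index(second)


def with_forced_order(scripts):
    """Assumed edit (not the author's): make pf REQUIRE network_ipv6 while
    leaving pf's 'BEFORE: routing' in place."""
    changed = dict(scripts)
    changed["pf"] = scripts["pf"] + "# REQUIRE: network_ipv6\n"
    return changed


def cycle_report(scripts):
    """Return rcorder's cycle message for a script set, or None if it orders cleanly."""
    try:
        rcorder(scripts)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    order = rcorder(SCRIPTS)
    print(" ".join(order))
    print("pf before network_ipv6:", runs_before(order, "pf", "network_ipv6"))
    print(cycle_report(with_forced_order(SCRIPTS)))   # pf -> routing -> network_ipv6 -> pf
```

Running it prints the schedule with pf ahead of routing and network_ipv6, then the cycle message for the forced variant. The defensive takeaway is the one the mail makes: a firewall that loads interface-bound rules before the interface has its address silently filters less than the ruleset says, so any change to the boot order should be checked with rcorder (or a resolver like this one) rather than assumed.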