fbsd 6.2 pf starts -- but not on boot
Volker
volker at vwsoft.com
Wed Jun 6 09:48:29 UTC 2007
David,
On 06/06/07 01:44, David DeSimone wrote:
> Volker <volker at vwsoft.com> wrote:
>> pass in on bla0 from any to bla0
>
>> which will all require pf to get the interface's IP address and all
>> will fail if that interface does not yet exist...
>
> Ah, here you are correct, but the reasons are subtle: The above rule
> will fail to load because "bla0" cannot be matched as an interface name,
> therefore it will be looked up as a hostname, and if DNS/hosts cannot
> resolve it to an IP, the ruleset will fail to load. Not because the
> interface doesn't exist, but because the interface name gets confused
> for a hostname.
agreed. With my words, that interface does not exist, so pf can't get
it's IP address but your writing is probably the better and
technically correct (I didn't look for this specific detail in the
sources whether pf really tries to resolve that as a hostname using a
gethostbyname call).
> If, instead, you use the dynamic form of the rule:
>
> pass in on bla0 from any to (bla0)
>
> This succeeds in loading. The rule will cause bla0 to be checked for
> existence whenever the rule is matched, and the IP for the interface
> will be looked up at rule-eval time, and it should do what is needed.
>
> Since the "on bla0" clause should fail to match as long as there is no
> such interface, this should work fine.
OK, I've forgotten to write about run time evaluation of rules.
Probably I should stop spamming this list if not writing about every
possibility.
>> The case becomes more worst if the interface DOES exist but still has
>> no IP address (read this as a big fat warning). When using a rule like
>
>> pass in on bla0 from any to bla0
>
>> but the interface bla0 does not have an IP address, pf will parse this as
>> 'pass in on bla0 from 0.0.0.0/0 to 0.0.0.0/0'
>
> Hmm, I am not able to demonstrate this. When I perform the above, I get
> the following warning from pfctl (here using one of my existing IP-less
> interfaces, dc1):
>
> no IP address found for dc1
> pf.conf:68: could not parse host specification
> pfctl: Syntax error in config file: pf rules not loaded
>
> Nevertheless, a rule like "pass in on dc1 from any to dc1" would
> certainly pass all traffic in, so it seems like even THAT is a wide-open
> rule. Also, if dc1 has no IP, then it is not likely to be receiving
> traffic (it will not answer ARP), so the "on dc1" clause is not likely
> to match.
>
> You are correct that there are cases where the existence of an interface
> can affect whether a ruleset will load. However, the use of dynamic IP
> syntax (which seems a "best practice" in my mind, anyway) seems to avoid
> this condition nicely, among the other benefits it provides.
Also I've forgotten to write about altq. If an interface does not yet
exist, pf fails to load rules when trying to use altq queueing. That
will give a 'SIOCGIFMTU device not configured' error message.
And using 'set loginterface ...' on not-yet existing interfaces will
give an error. The cause of problems like these are manifold but all
are caused by a not yet existing interface on load time. Some can
surely cleanly be worked around.
Sorry if not being totally technical correct and not checking with the
sources in my postings sometimes and sorry for not writing about every
possible cause of a problem every time. As a first shot, I'll most
likely hit the most likely causes.
Volker
More information about the freebsd-pf
mailing list