[PATCH] "/etc/rc.d/pf reload" fails if there are macros defined in pf_flags rcvar.

Niki Denev nike_d at cytexbg.com
Thu Jan 31 11:40:26 PST 2008


On Jan 21, 2008 11:26 PM, Niki Denev <nike_d at cytexbg.com> wrote:
>
> On Jan 21, 2008 11:42 AM, Niki Denev <nike_d at cytexbg.com> wrote:
> > Hi,
> >
> > I'm using the pf_flags rc var to set macros for the pf.conf files I use in
> > a redundant router configuration.
> > This way I can have exactly the same pf.conf on all of the routers,
> > and still set host-specific
> > options such as "hostid" used by pfsync via rc.conf.
> > The problem is that when I use "/etc/rc.d/pf reload" to reload the rules,
> > the rc.d/pf script first executes pfctl with the -n option to check the
> > pf.conf syntax, but fails to include
> > the $pf_flags var, and fails because of undefined macros.
> > The following patch fixed this for me.
> >
> > --- pf.orig     2008-01-21 11:18:27.000000000 +0200
> > +++ pf  2008-01-21 11:29:56.000000000 +0200
> > @@ -50,7 +50,7 @@
> >  pf_reload()
> >  {
> >        echo "Reloading pf rules."
> > -       $pf_program -n -f "$pf_rules" || return 1
> > +       $pf_program -n -f "$pf_rules" $pf_flags || return 1
> >        # Flush everything but existing state entries that way when
> >        # rules are read in, it doesn't break established connections.
> >        $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables
> > -Fosfp > /dev/null 2>&1
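Review bot: this hunk only fixes the dry run in pf_reload(); pf_check() runs the identical `$pf_program -n -f "$pf_rules"` without $pf_flags, so "/etc/rc.d/pf check" still fails on the same undefined macros (the follow-up patch later in this message adds it there as well). Also, the flush line has been wrapped by the mailer: the trailing `-Fosfp > /dev/null 2>&1` now sits on its own line starting with `-`, which patch(1) reads as a removal, so the patch as pasted here will not apply; attach it, or point people at the copy filed in misc/119874.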
> >
> >
> >
> > --
> > Niki
> >
>
> Just filed under misc/119874
>

The patch in the PR is incomplete; this one also adds $pf_flags to pf_check():

--- pf.orig     2008-01-31 21:30:33.000000000 +0200
+++ pf  2008-01-31 21:34:23.000000000 +0200
@@ -44,13 +44,13 @@
 pf_check()
 {
        echo "Checking pf rules."
-       $pf_program -n -f "$pf_rules"
+       $pf_program -n -f "$pf_rules" $pf_flags
 }

 pf_reload()
 {
        echo "Reloading pf rules."
-       $pf_program -n -f "$pf_rules" || return 1
+       $pf_program -n -f "$pf_rules" $pf_flags || return 1
        # Flush everything but existing state entries that way when
        # rules are read in, it doesn't break established connections.
        $pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables
-Fosfp > /dev/null 2>&1
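Review bot: the hunk's context stops at the flush, so the real (non -n) load that follows it in pf_reload() is not shown; confirm that line passes $pf_flags too, otherwise the syntax check now succeeds with the macros defined and the actual load becomes the step that fails on them. Leaving $pf_flags unquoted on both new lines is correct, since each `-D name=value` has to reach pfctl as separate arguments, so please do not "fix" the quoting when committing. As with the earlier copy, `-Fosfp > /dev/null 2>&1` has been wrapped onto a line of its own that begins with `-`, so this pasted version will not apply cleanly either; an attachment avoids that.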


--
Niki
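The setup described in this thread, as an added example that is not part of the original message or of the rc.d/pf script: the host-specific values travel through pf_flags in rc.conf, while pf.conf is identical on every router and only refers to macros. The interface names, hostid values and the pf.conf rules are made up for illustration; pf_check_argv() and pf_check_argv_quoted() are helpers written for this example to show what pfctl actually receives.

```shell
#!/bin/sh
# Added example, not the FreeBSD rc.d/pf script: shows the pf_flags/macro setup
# from the thread and why $pf_flags must stay unquoted in the pfctl -n line.
# Interface names, hostid values and the rules below are invented.

# --- what /etc/rc.conf carries on router A (router B differs only in hostid=2) ---
pf_enable="YES"
pf_flags="-D hostid=1 -D ext_if=em0 -D sync_if=em1"

# --- the shared pf.conf, written to a temporary file so the example runs anywhere ---
pf_rules=$(mktemp) || exit 1
trap 'rm -f "$pf_rules"' EXIT
cat > "$pf_rules" <<'EOF'
# Every host-specific value is a macro defined on the pfctl command line
# with -D name=value; nothing host-specific is assigned in this file.
set hostid $hostid
pass quick on $sync_if proto pfsync
pass quick on $ext_if proto carp
pass out on $ext_if keep state
EOF

pf_program="pfctl"

# Argument vector built the way the patched pf_check() builds it:
# "$pf_rules" stays one word, $pf_flags is deliberately unquoted so the
# shell splits it into separate "-D" and "name=value" arguments.
pf_check_argv() {
	set -- -n -f "$pf_rules" $pf_flags
	printf '%s\n' "$@"
}

# The same line with "$pf_flags" quoted: pfctl would get the whole string
# as a single argument, which is not an option it understands.
pf_check_argv_quoted() {
	set -- -n -f "$pf_rules" "$pf_flags"
	printf '%s\n' "$@"
}

# pf_check() as in the patch: a parse-only run (-n) with the macros defined.
pf_check() {
	echo "Checking pf rules."
	$pf_program -n -f "$pf_rules" $pf_flags
}

echo "pf_check would run: $pf_program $(pf_check_argv | tr '\n' ' ')"
if command -v "$pf_program" >/dev/null 2>&1; then
	pf_check || echo "pf_check failed (status $?)"
else
	echo "$pf_program is not installed here; the argument vector is shown above"
fi
```

Run it on the router to see the exact pfctl command the check step issues; on a machine without pfctl it still prints the argument vector. The quoted variant is there as the negative case: with "$pf_flags" in double quotes the three -D definitions collapse into one argument and the macros are again undefined, which is why the hunk leaves the variable unquoted.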

