rc.d script ordering for net/zerotier & firewalls

Dave Cottlehuber dch at skunkwerks.at
Mon Nov 13 11:14:52 UTC 2017


zerotier is a peer-to-peer layer 2 overlay network that creates a tap
interface for its traffic. In the current net/zerotier port[1], if you
want to define firewall rules (e.g. pf) that rely on the existence of the
zerotier interface, it will fail on reboot as the rc.d dependencies
aren't sufficient:

# PROVIDE: zerotier
# REQUIRE: LOGIN
# KEYWORD: shutdown

This variant seems to "work on my machine" to manage the dependencies
appropriately, see rcorder(8) output below.

# PROVIDE: zerotier
# REQUIRE: FILESYSTEMS netif
# BEFORE:  pf ipfw
# KEYWORD: shutdown

The intention is that the ordering would be as follows:

1. physical network interfaces are available
2. zerotier's tap interfaces are created via its daemon
3. then firewalls can be started up
4. jails and daemons (nginx, haproxy, etc.) can be assigned a zerotier
address

Is there a better way of handling this?

Is there a reason why /pf/ is missing from /etc/rc.d/NETWORKING?

# PROVIDE: NETWORKING NETWORK
# REQUIRE: netif netwait netoptions routing ppp ipfw stf
# REQUIRE: defaultroute route6d resolv bridge
# REQUIRE: static_arp static_ndp

> rcorder /usr/local/etc/rc.d/* /etc/rc.d/* 
...
/etc/rc.d/hostname
/etc/rc.d/ip6addrctl
/etc/rc.d/netoptions
/etc/rc.d/random
/etc/rc.d/sppp
/etc/rc.d/ipfilter
/etc/rc.d/ipnat
/etc/rc.d/ipfs
/etc/rc.d/serial
/etc/rc.d/iovctl
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/zfsd
/etc/rc.d/ipsec
/usr/local/etc/rc.d/zerotier
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/stf
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ipfw
/etc/rc.d/netwait
/etc/rc.d/resolv
/etc/rc.d/local_unbound
/etc/rc.d/nsswitch
/etc/rc.d/routed
/etc/rc.d/rtsold
/etc/rc.d/static_ndp
/etc/rc.d/static_arp
/etc/rc.d/bridge
/etc/rc.d/route6d
/etc/rc.d/defaultroute
/etc/rc.d/NETWORKING
...

A+
Dave

[1]:
https://svnweb.freebsd.org/ports/head/net/zerotier/files/zerotier.in?revision=398568&view=markup
