pf and new interface
Andriy Gapon
avg at FreeBSD.org
Tue Aug 18 12:52:09 UTC 2015
On 18/08/2015 14:55, wishmaster wrote:
> --- Original message ---
> From: "Andriy Gapon" <avg at freebsd.org>
> Date: 18 August 2015, 14:35:36
>
>
>
>> On 18/08/2015 14:18, wishmaster wrote:
>>> --- Original message ---
>>> From: "Andriy Gapon"
>>> Date: 18 August 2015, 14:05:15
>>>
>>>
>>>> I have the following rule in pf.conf:
>>>> set skip on tap
>>>> and even the following one:
>>>> set skip on tap0
>>>>
>>>> The rules are loaded at the system start-up time, but the tap interface
>>>> may not be created until much later. When tap0 is first created the
>>>> skip rules are not applied to it and the traffic gets filtered. If I
>>>> reload the pf configuration, then the rules start working.
>>>>
>>>> Is there a way to make pf honor such rules for the dynamic interfaces?
>>>
>>> Hi,
>>>
>>> You should do it in your application, e.g. in mpd this is something like below
>>>
>>> set iface up-script /usr/local/etc/mpd5/link_up.sh
>>> set iface down-script /usr/local/etc/mpd5/link_down.sh
>>>
>>> in openvpn - see manuals.
>>
>> That's a good suggestion. But how to add a single rule for pf?
>> Reloading the whole configuration is disruptive to existing connections.
>
>
> Use anchors.
Thank you for the hint!
> Small example:
>
> # VPN Interface Up Script
> #
> # Script is called like this:
> #
> # script interface proto local-ip remote-ip authname
> #        $1        $2    $3       $4        $5
> #
>
> anchor "ng-int/*"
>
> # less if-up.sh
> #!/bin/sh
> echo "pass quick on $1 all" | pfctl -a ng-int/$1 -f -
>
> # less if-down.sh
> #!/bin/sh
> pfctl -a ng-int/$1 -F rules
--
Andriy Gapon
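A hardened version of the per-interface up/down scripts wishmaster describes, added here as an example and not code from the thread: it validates the interface name before it lands in the anchor path and the rule text, and has a dry-run mode so the helpers can be exercised on a box without pf. It assumes the `anchor "ng-int/*"` line from the quoted pf.conf; the function names and the `PF_DRYRUN` variable are this example's own.

```shell
#!/bin/sh
# Added example: pf anchor helpers for dynamic interfaces (not the thread's scripts).
# Assumes pf.conf contains:   anchor "ng-int/*"
# Called by mpd/openvpn with the interface name as $1, e.g. "if-up.sh tap0".

ANCHOR_ROOT="ng-int"

# Accept only a plausible FreeBSD interface name (tap0, ng3, em0.100).
# The name is spliced into an anchor path and a rule, so reject anything else:
# empty, characters outside [A-Za-z0-9.], not starting with a letter,
# or not ending with a digit.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9.]*|[!A-Za-z]*|*[!0-9]) return 1 ;;
    esac
    return 0
}

# The rule loaded into the interface's own sub-anchor. Same effect as
# "set skip on <if>" for that interface, but loadable without reloading
# the main ruleset (so existing states are untouched).
iface_rule() {
    valid_ifname "$1" || return 1
    printf 'pass quick on %s all\n' "$1"
}

# With PF_DRYRUN set, print the pfctl command line instead of running it.
run_pfctl() {
    if [ -n "${PF_DRYRUN:-}" ]; then
        printf 'pfctl'; printf ' %s' "$@"; printf '\n'; return 0
    fi
    pfctl "$@"
}

pf_iface_up() {
    rule=$(iface_rule "$1") || { echo "bad interface name: $1" >&2; return 1; }
    printf '%s\n' "$rule" | run_pfctl -a "$ANCHOR_ROOT/$1" -f -
}

pf_iface_down() {
    valid_ifname "$1" || { echo "bad interface name: $1" >&2; return 1; }
    run_pfctl -a "$ANCHOR_ROOT/$1" -F rules
}

# Dispatch when invoked as "script up tap0" / "script down tap0".
case "${1:-}" in
    up)   pf_iface_up "$2" ;;
    down) pf_iface_down "$2" ;;
esac
```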