pf reload/resync and skipped interface groups on 11.2-RELEASE

Felix J. Ogris fjo-lists at ogris.de
Mon Jul 2 14:44:36 UTC 2018


Hi,

this is a fresh install of 11.2-RELEASE amd64 with a minimal pf rule set. After the first reload/resync, any traffic on an interface that is skipped via an interface group statement in pf.conf is rejected:

root at fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.038 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.038/0.038/0.038/0.000 ms

root at fbsd:~ # service pf reload
Reloading pf rules.

root at fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 127.0.0.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

A second reload restores the expected behaviour:

root at fbsd:~ # service pf reload
Reloading pf rules.

root at fbsd:~ # ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.021 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.021/0.021/0.021/0.000 ms


My /etc/pf.conf:

root at fbsd:~ # cat /etc/pf.conf
set skip on lo
block
pass in inet proto tcp to port 22

Active rule set in either case:

root at fbsd:~ # pfctl -s rules
block drop all
pass in inet proto tcp from any to any port = ssh flags S/SA keep state


If I change "set skip on lo" to "set skip on lo0" in /etc/pf.conf, reload behaves fine.
/etc/rc.d/ppp does a “/etc/rc.d/pf quietresync” in its poststart() routine.

BR,
Felix
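A small post-reload check, added here as an example and not part of Felix's post or of the FreeBSD pf code: it parses the output of "pfctl -s Interfaces" and reports whether a named interface actually carries the "(skip)" flag in the running kernel state, which is the condition that silently goes missing after the first reload described above. The "(skip)" marker format is assumed from FreeBSD's pfctl output, and both sample outputs below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether an interface
# is marked "(skip)" in "pfctl -s Interfaces" output, so a reload hook can
# detect the mismatch described in the post: pf.conf says "set skip on lo"
# but lo0 is no longer skipped after "service pf reload".

# skip_is_active IFACE  (reads pfctl -s Interfaces output on stdin)
# Returns 0 if IFACE appears with the "(skip)" flag, 1 otherwise.
skip_is_active() {
    iface=$1
    while read -r name flag _rest; do
        if [ "$name" = "$iface" ] && [ "$flag" = "(skip)" ]; then
            return 0
        fi
    done
    return 1
}

# Constructed sample: the group "lo" and its member lo0 both skipped,
# which is what the config on the page intends.
SAMPLE_OK='all
em0
lo (skip)
lo0 (skip)'

# Constructed sample: after the faulty reload, lo0 lost the flag.
SAMPLE_BAD='all
em0
lo
lo0'

# check_sample OUTPUT IFACE: prints "skip" or "noskip" for the given sample.
check_sample() {
    if printf '%s\n' "$1" | skip_is_active "$2"; then
        echo skip
    else
        echo noskip
    fi
}

# Live usage on a FreeBSD host, e.g. right after "service pf reload":
#   pfctl -s Interfaces | skip_is_active lo0 || echo "WARNING: lo0 is not skipped"
```

Running the live form after every reload (or from an rc hook such as the one /etc/rc.d/ppp triggers) turns the symptom from "ping suddenly fails" into an explicit warning that the kernel state no longer matches pf.conf.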

