Delaying pf.conf loading
Justin Jereza
justinjereza at gmail.com
Wed May 7 18:54:45 UTC 2008
That ought to work. Thanks! :-)
On Thu, May 8, 2008 at 2:28 AM, Mel <fbsd.questions at rachie.is-a-geek.net> wrote:
>
> On Wednesday 07 May 2008 19:21:22 Justin Jereza wrote:
> > Hello.
> >
> > Is it possible to delay the loading of pf rules from pf.conf after ppp
> > has connected and named is running through rc.conf?
>
> No, the design of the rc system does not allow for rc.conf to alter the order
> of the scripts executed, since rc.conf is loaded on a per-script basis and
> the ordering is done based on 'comments' in the scripts themselves.
>
> You can, however, load an empty table with the appropriate name, then create an
> rc script in /usr/local/etc/rc.d/ that fills the table with hostnames to
> solve your problem.
>
> Here's an example:
>
> /etc/rc.conf:
> pf_dyntables_enable="YES"
> pf_dyntables_list="adservers"
>
> /etc/pf.conf:
> table <adservers> persist
>
> /etc/pf/dynamic/adservers:
> cdn.fastclick.net
> ad.doubleclick.net
> # etc etc
>
> /usr/local/etc/rc.d/pf_dyntables:
>
> #!/bin/sh
> #
> # PROVIDE: pf_dyntables
> # REQUIRE: named pf ppp
>
> . /etc/rc.subr
>
> name="pf_dyntables"
> rcvar=`set_rcvar`
> start_cmd="${name}_start"
> stop_cmd=":"
>
> load_rc_config $name
>
> : ${pf_dyntables_enable="NO"}
> : ${pf_dyntables_dir="/etc/pf/dynamic"}
> : ${pf_dyntables_list="NONE"}
>
> pf_dyntables_start()
> {
>     if test x"${pf_dyntables_list}" != x"NONE"; then
>         for table in ${pf_dyntables_list}; do
>             echo "Loading table <$table>"
>             cat ${pf_dyntables_dir}/${table} |/usr/bin/xargs \
>                 ${pf_program} -t ${table} -Tadd
>         done
>     else
>         echo hi
>     fi
> }
>
> run_rc_command "$1"
>
>
> --
> Mel
>
> Problem with today's modular software: they start with the modules
> and never get to the software part.
>
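
The loader quoted above pipes every word of the table file to pfctl as root, so a comment line such as "# etc etc" or an entry beginning with "-" reaches pfctl as an argument. The following is an added example, not code from the thread: a stricter loader body that validates the table name and each entry first. The function names dyntable_entries and dyntable_load and the PFCTL override variable are hypothetical.

```shell
#!/bin/sh
# Added example: sanitise a pf table source file before it reaches pfctl.
# dyntable_entries, dyntable_load and PFCTL are hypothetical names.

# Print one validated entry per line from the table file "$1".
# Comments and blank lines are dropped. Anything that is not a plain
# hostname, IPv4/IPv6 address or CIDR block is rejected, so an entry
# beginning with "-" can never be parsed by pfctl as an option.
dyntable_entries()
{
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            -*|*[!A-Za-z0-9.:/_-]*)
                echo "skipping invalid entry: $entry" >&2
                continue ;;
        esac
        printf '%s\n' "$entry"
    done
}

# Load table "$1" from directory "$2". Set PFCTL=echo to preview the
# command line without touching the running ruleset.
dyntable_load()
{
    table=$1
    dir=$2
    case "$table" in
        ""|*[!A-Za-z0-9_]*)
            echo "bad table name: $table" >&2
            return 1 ;;
    esac
    [ -r "$dir/$table" ] || { echo "missing $dir/$table" >&2; return 1; }
    entries=$(dyntable_entries "$dir/$table")
    [ -n "$entries" ] || { echo "no valid entries for <$table>" >&2; return 0; }
    # Word splitting is intended here: validated entries contain no
    # whitespace or glob characters.
    ${PFCTL:-/sbin/pfctl} -t "$table" -T add $entries
}
```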
More information about the freebsd-questions
mailing list