pf starts before network_ipv6 ?

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jun 6 22:27:39 UTC 2011


Hmmm.... pf(4) is started before IPv6 addresses are configured on
interfaces.

lucid-nonsense:~:% rcorder /etc/rc.d/* | grep -A 3 '/pf$'
/etc/rc.d/pf
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/network_ipv6

I can see that starting pf before configuring routing is desirable, and
there is code in network_ipv6 that is routing dependent, but configuring
IPv6 addresses on interfaces during network_ipv6 and after pf has
started means /etc/pf.conf will frequently evaluate to a different set
of rules on boot than it will if pf.conf is reloaded during normal runtime.

E.g. when pf starts, there's generally only a link-local IPv6 address
configured on the interface, so in pf rules like:

pass in on $ext_if proto tcp              \
     from any to $ext_if port ssh         \
     flags S/SA keep state                \
     (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

the $ext_if in line 2 doesn't expand to include the usual routable IPv6
address of the interface, and the ssh bruteforce blocking function here
will be ineffectual. This seems so obviously wrong to me that I must
be missing something?

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
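A check for the situation described above, added here as an example that is not part of the original message or of FreeBSD's rc scripts: it tests whether rcorder(8) places pf before network_ipv6 and whether the ruleset pf actually loaded (pfctl -sr) contains the external interface's global IPv6 addresses. It assumes FreeBSD's rcorder(8), ifconfig(8) and pfctl(8) are available, and EXT_IF (defaulting to a hypothetical em0) is an assumed name.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the two things the post
# describes: whether rcorder(8) places pf before network_ipv6, and whether the
# ruleset pf loaded contains the external interface's global IPv6 addresses.
# Assumes FreeBSD's rcorder(8), ifconfig(8) and pfctl(8); EXT_IF is assumed.

# Read an rcorder(8) listing on stdin; print "yes" if /etc/rc.d/pf comes
# before /etc/rc.d/network_ipv6, otherwise "no".
pf_before_ipv6() {
    awk '
        $0 == "/etc/rc.d/pf"           { pf = NR }
        $0 == "/etc/rc.d/network_ipv6" { v6 = NR }
        END { r = (pf && v6 && pf < v6) ? "yes" : "no"; print r }
    '
}

# Read ifconfig(8) output on stdin; print inet6 addresses that are not
# link-local (fe80::/10), with any %scope suffix stripped.
global_v6_addrs() {
    awk '$1 == "inet6" && $2 !~ /^fe80:/ { sub(/%.*/, "", $2); print $2 }'
}

# Read a ruleset (pfctl -sr output) on stdin; print "present" if the
# address given as $1 occurs in it as a whole word, otherwise "missing".
addr_in_rules() {
    if grep -qwF -- "$1"; then echo present; else echo missing; fi
}

# Live check against the running system; only runs when CHECK_LIVE=1 so the
# functions above can also be exercised on captured output elsewhere.
if [ "${CHECK_LIVE:-0}" = 1 ]; then
    EXT_IF="${EXT_IF:-em0}"   # assumed interface name; override as needed
    printf 'pf before network_ipv6: %s\n' "$(rcorder /etc/rc.d/* | pf_before_ipv6)"
    rules=$(pfctl -sr)
    for a in $(ifconfig "$EXT_IF" | global_v6_addrs); do
        printf '%s in loaded ruleset: %s\n' "$a" \
            "$(printf '%s\n' "$rules" | addr_in_rules "$a")"
    done
fi
```

pf.conf(5) documents that writing the interface name in parentheses, `($ext_if)`, makes pf re-evaluate the interface's addresses whenever they change instead of expanding them once at load time, which sidesteps the boot-time difference this check reports.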
