On Wed, Sep 07, 2016 at 04:33:53PM +0200, Sebastien Marie wrote:
> On Wed, Sep 07, 2016 at 01:14:45PM +0200, Sebastien Marie wrote:
> > Hi,
> >
> > I upgraded my laptop (amd64) to the latest snapshot, and I experienced odd
> > network connectivity.
> >
> > In summary:
> > - ping is ok (lan and internet)
> > - udp is ok (lan and internet) - DNS is working
> > - tcp isn't working (connect: no route to host) - tested with several
> >   tools: ssh(1), nc(1), or telnet(1)
> >   the problem is present for lan and internet addresses.
> >
>
> I finally found the root of the issue: a racy syntax error in my pf.conf.
> I used egress:network in a table in /etc/pf.conf.
>
> Regarding the boot process:
> - set really strict pf rules (grep RULES /etc/rc for detail)
>     outgoing ping is allowed
>     outgoing DNS is allowed
>     outgoing tcp for ssh or http is BLOCKED
>     ...
>
>   (it explains my network situation)
>
> - enable pf
> - sh /etc/netstart
> - pfctl -f /etc/pf.conf
>
> I experienced a race for "egress:network" between netstart and pfctl.
>
> Sometimes (not always), pfctl -f /etc/pf.conf exits with an error:
>     no IP address found for egress:network
>     /etc/pf.conf:15 could not parse host specification
>
> leaving the system with the default rules (which aren't suitable for generic
> use).
>
> I am still unsure how the race occurs, if it is for the "egress" interface
> group, or for "egress:network" (addresses, not the group).
>
Just to be complete, my /etc/dhclient.conf has:

    link-timeout 1;

So it could be easier for dhclient to fork into the background unconfigured,
which makes pfctl not see the egress interface.

-- 
Sebastien Marie
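The race described in this thread (pfctl -f /etc/pf.conf failing with "no IP address found for egress:network" because dhclient has not configured the egress interface yet, so the strict RULES from /etc/rc stay loaded) can be guarded against by not reloading pf.conf until the egress group actually carries an address. The script below is an added example and is not code from this thread or from OpenBSD; it assumes OpenBSD's ifconfig(8) output format for the "egress" interface group, pfctl(8) and logger(1) in PATH, and uses constructed ifconfig output so that the check itself can be exercised without a network. The probe command, the timeout budget and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: only run "pfctl -f /etc/pf.conf" once the egress group has an
# IPv4 address, so that egress:network can be resolved at parse time.

# Constructed ifconfig(8) output for an egress interface before dhclient has
# obtained a lease (modelled on OpenBSD's format, indentation simplified).
EGRESS_UNCONFIGURED='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    lladdr 00:11:22:33:44:55
    index 1 priority 0 llprio 3
    groups: egress
    media: Ethernet autoselect (1000baseT full-duplex)
    status: active'

# Constructed output for the same interface once a lease has been configured.
EGRESS_CONFIGURED="$EGRESS_UNCONFIGURED
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255"

# egress_has_inet: read ifconfig-style text on stdin, return 0 if an IPv4
# "inet" line is present (an "inet6" link-local line alone is not enough for
# egress:network to resolve to something useful).
egress_has_inet() {
    grep -q '^[[:space:]]*inet [0-9]'
}

# wait_for_egress_inet BUDGET [PROBE]: poll PROBE (default "ifconfig egress")
# once per second until it reports an IPv4 address or BUDGET seconds elapse.
# Returns 0 when an address was seen, 1 on timeout.
wait_for_egress_inet() {
    budget=${1:-30}
    probe=${2:-"ifconfig egress"}
    while [ "$budget" -gt 0 ]; do
        if $probe 2>/dev/null | egress_has_inet; then
            return 0
        fi
        sleep 1
        budget=$((budget - 1))
    done
    return 1
}

# reload_pf_when_ready [CONF] [BUDGET]: load CONF only after egress has an
# address; on timeout, leave the current ruleset alone and say so in syslog
# rather than attempt a load that will fail on egress:network.
reload_pf_when_ready() {
    conf=${1:-/etc/pf.conf}
    budget=${2:-30}
    if wait_for_egress_inet "$budget"; then
        pfctl -f "$conf"
    else
        logger -t pfreload "egress has no IPv4 address after ${budget}s, not loading $conf"
        return 1
    fi
}

# Stand-alone demonstration on the constructed samples; reload_pf_when_ready
# itself needs OpenBSD's ifconfig(8) and pfctl(8).
if printf '%s\n' "$EGRESS_UNCONFIGURED" | egress_has_inet; then
    echo "unconfigured sample: address found (unexpected)"
else
    echo "unconfigured sample: no IPv4 address yet, egress:network would not parse"
fi
if printf '%s\n' "$EGRESS_CONFIGURED" | egress_has_inet; then
    echo "configured sample: IPv4 address present, safe to run pfctl -f"
fi
```

Calling `reload_pf_when_ready` from rc.local (or wherever the `pfctl -f /etc/pf.conf` step is run) turns the silent fallback to the /etc/rc default rules into an explicit, logged decision. Note that with `link-timeout 1;` in dhclient.conf the window in which the interface is up but unconfigured is exactly what this loop waits out; on a machine with no link at all the wait simply times out, which is preferable to a pfctl parse error that nobody sees.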