On 18/08/2015 14:55, wishmaster wrote:
> --- Original message ---
> From: "Andriy Gapon" <a...@freebsd.org>
> Date: 18 August 2015, 14:35:36
>
>> On 18/08/2015 14:18, wishmaster wrote:
>>> --- Original message ---
>>> From: "Andriy Gapon"
>>> Date: 18 August 2015, 14:05:15
>>>
>>>> I have the following rule in pf.conf:
>>>> set skip on tap
>>>> and even the following one:
>>>> set skip on tap0
>>>>
>>>> The rules are loaded at the system start-up time, but the tap interface
>>>> may not be created until much later. When tap0 is first created the
>>>> skip rules are not applied to it and the traffic gets filtered. If I
>>>> reload the pf configuration, then the rules start working.
>>>>
>>>> Is there a way to make pf honor such rules for the dynamic interfaces?
>>>
>>> Hi,
>>>
>>> You should do it in your application, e.g. in mpd this is something like
>>> below
>>>
>>> set iface up-script /usr/local/etc/mpd5/link_up.sh
>>> set iface down-script /usr/local/etc/mpd5/link_down.sh
>>>
>>> in openvpn - see manuals.
>>
>> That's a good suggestion. But how to add a single rule for pf?
>> Reloading the whole configuration is disruptive to existing connections.
>
> Use anchors.
Thank you for the hint!

> Small example:
>
> # VPN Interface Up Script
> #
> # Script is called like this:
> #
> # script interface proto local-ip remote-ip authname
> #        $1        $2    $3       $4        $5
> #
>
> anchor "ng-int/*"
>
> # less if-up.sh
> #!/bin/sh
> echo "pass quick on $1 all" | pfctl -a ng-int/$1 -f -
>
> # less if-down.sh
> #!/bin/sh
> pfctl -a ng-int/$1 -F rules

-- 
Andriy Gapon
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
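A fuller version of the up/down scripts discussed in the thread, added here as an example that is not part of the original posts. It assumes pf.conf carries an anchor named dyn-if/* (a name chosen for this example) and that the VPN daemon passes the interface name as the first script argument the way mpd does; the interface name is validated before it is handed to pfctl, so a stray argument cannot become an option or extra rule text.

```shell
#!/bin/sh
# Added example (not from the thread): per-interface pf anchor helper for
# interfaces that only appear after pf.conf has been loaded (tap0, ng0, ...).
# Assumes pf.conf contains the line:   anchor "dyn-if/*"
# and that the daemon runs this as "if-pf.sh up IFACE" / "if-pf.sh down IFACE".

ANCHOR_BASE="dyn-if"

# Accept only plausible interface names (letters, digits, dot, underscore),
# so an unexpected argument from the calling daemon never reaches pfctl.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Per-interface anchor name, e.g. dyn-if/tap0.
anchor_name() {
    printf '%s/%s\n' "$ANCHOR_BASE" "$1"
}

# Rule set loaded into the anchor: as in the thread's example, a "pass quick"
# rule lets traffic on this interface through ahead of the main rule set.
anchor_rules() {
    printf 'pass quick on %s all\n' "$1"
}

# Load rules into this interface's own anchor; the main rule set and the
# states of existing connections are left untouched.
if_up() {
    valid_ifname "$1" || { echo "refusing interface name: '$1'" >&2; return 1; }
    anchor_rules "$1" | pfctl -a "$(anchor_name "$1")" -f -
}

# Flush only this interface's anchor when the interface goes away.
if_down() {
    valid_ifname "$1" || { echo "refusing interface name: '$1'" >&2; return 1; }
    pfctl -a "$(anchor_name "$1")" -F rules
}

case "${1:-}" in
    up)   if_up "${2:-}" ;;
    down) if_down "${2:-}" ;;
    show) valid_ifname "${2:-}" && pfctl -a "$(anchor_name "$2")" -s rules ;;
esac
```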