On 2019-12-07, Atanas Vladimirov <[email protected]> wrote:
> Bridge0 is my primary lan network where the VMs are connected and the
> only interface that is configured with dhclient is em0 which is not part
> of any bridge.
The dhclient caveat doesn't apply to you then.
> And in /etc/pf.conf
>
> ```
> set skip on { lo, enc0, em1, em2, em3, em4, em5, gif0, tap }
> ```
> i.e. the filtering is happening only on the em0 and vether interfaces.
>
> The problem is that the VM doesn't lease anything from the DHCP server
> (dhcpd_flags=vether0) until I reload the pf rules with `pfctl -f
> /etc/pf.conf`.
> If I set the IP address on the guest manually - it works without
> reloading the pf.
>
> Please confirm if this behavior is expected because it's not getting
> very clear from the FAQ.
Yes, this is expected. The tap interface isn't created until the vm is
started, so this from pf.conf(5) applies:
    set skip on ifspec
        [...]
        ifspec is only evaluated when the ruleset is loaded; interfaces
        created later will not be skipped. PF filters traffic on all
        interfaces by default.
If you change to a standard "pass" rule, that will evaluate the interface
group at runtime rather than load time, which is what you want here.
Things can get complicated with PF and bridges, but I think something like
"pass quick on tap flags any no state" near the start of your rules will
probably do what you want.
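The two rule styles discussed in this thread, side by side in a pf.conf fragment (an added illustration, not either poster's configuration; the interface layout follows the question, everything else is assumed):

```conf
# Added example, not from the thread. Assumes the layout described above:
# em0 is the uplink, vether0 and the tap interfaces sit on bridge0, and
# dhcpd listens on vether0.

# Weak form: "set skip" is resolved once, when the ruleset is loaded. A tap
# interface that vmd creates later is not in that snapshot, so the VM's
# DHCP traffic is filtered by the normal rules until the ruleset is
# reloaded with "pfctl -f /etc/pf.conf".
set skip on { lo, enc0, em1, em2, em3, em4, em5, gif0, tap }

# Corrected form: keep "set skip" for interfaces that exist at boot, and
# name the "tap" interface GROUP in an ordinary pass rule instead. Group
# membership is evaluated at runtime, so a tap created when a VM starts is
# matched immediately. It goes near the top so stricter rules do not catch
# the traffic first.
set skip on { lo, enc0, em1, em2, em3, em4, em5, gif0 }
pass quick on tap flags any no state

# ... rules for em0 and vether0 follow ...
```

After a VM is started, `pfctl -s Interfaces` lists the new tapN interface without any reload of the ruleset.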