Kian Mohageri wrote:
> I can't speak for ipfw, but removing the
> REQUIRE: netif for pf might break some setups where the ruleset
> references a cloned interface that netif creates. Correct me if I'm wrong?
> Loading a minimal ruleset initially (as OpenBSD and NetBSD do) would
> solve that problem, at least for pf. The idea has been discussed a few
> times before but I didn't see it go anywhere.

That's because no one who uses pf (and therefore cares sufficiently
about the issue) has stepped up to do the work. Q.E.D. I don't know pf
from a hole in the ground, and I'm not going to develop and commit a
fundamentally different way of doing things for it that I can't test,
and therefore will have no confidence that it's been done correctly.

That said, if the issues of needing to resolve hostnames and set up
rules for cloned interfaces are a universal problem (and it seems that
they are) then perhaps rather than customizing a solution for pf it
might be worthwhile to have a more generic "firewalls_late" script
that performs the appropriate actions regardless of what firewalls are
enabled. That way we could add just one rc.d script, and using the new
functionality would be opt-in. Off the top of my head I envision
something like:

if checkyesno firewall_enable && [ -n "$firewall_rules_late" ]; then
    # do stuff specific to ipfw
fi
if checkyesno ipfilter_enable && [ -n "$ipfilter_rules_late" ]; then
...

Comments? That's something that I would feel comfortable developing
and committing, since it would be opt-in, and others more
knowledgeable than I could jump in and run with it for a while before
we considered MFC'ing it (if doing that would be appropriate at all,
and I'm not sure that it would be).

OTOH, perhaps if we just move everything (and therefore break things
in the manner you described) it will motivate someone to do the work.
:)
Doug
--
This .signature sanitized for your protection
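One shape the "firewalls_late" script sketched in Doug's reply could take, as an added example (not FreeBSD's rc.d code and not from the thread): it orders itself after interfaces and routing are up, so cloned interfaces exist and hostnames resolve, and loads an extra ruleset only for firewalls that are enabled and have a late-rules file set. The *_rules_late knobs, the REQUIRE ordering and the per-firewall loader commands are assumptions; the checkyesno stand-in is used only where /etc/rc.subr is absent.

```shell
#!/bin/sh
# PROVIDE: firewalls_late
# REQUIRE: NETWORKING ipfw ipfilter pf
# KEYWORD: nojail
# Hypothetical rc.d script (added example, not FreeBSD's code): once interfaces
# and routing are up it loads an extra ruleset for each firewall whose rc.conf
# enable knob is yes AND whose (hypothetical) *_rules_late knob names a file.
if [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
else    # minimal stand-in for rc.subr's checkyesno so the logic runs anywhere
    checkyesno() {
        eval "_v=\${$1:-}"
        case "$_v" in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;; esac
        return 1
    }
fi
# One firewall per line: enable knob, late-rules knob, loader command.
firewalls_late_table() {
    cat <<'EOF'
firewall_enable firewall_rules_late /sbin/ipfw -q
ipfilter_enable ipfilter_rules_late /sbin/ipf -f
pf_enable pf_rules_late /sbin/pfctl -f
EOF
}
# Print one loader command per enabled firewall with a readable late-rules
# file; a missing or unreadable file is reported and skipped, never loaded.
firewalls_late_commands() {
    firewalls_late_table | while read -r enable_knob late_knob loader; do
        checkyesno "$enable_knob" || continue
        eval "late_file=\${$late_knob:-}"
        [ -n "$late_file" ] || continue
        if [ ! -r "$late_file" ]; then
            echo "firewalls_late: $late_knob=$late_file not readable, skipping" >&2
            continue
        fi
        echo "$loader $late_file"
    done
}
firewalls_late_start() {
    firewalls_late_commands | while read -r cmd; do
        echo "Loading late firewall rules: $cmd"
        $cmd || echo "firewalls_late: '$cmd' failed" >&2
    done
}
name="firewalls_late"; start_cmd="firewalls_late_start"; stop_cmd=":"
if [ -r /etc/rc.subr ] && [ $# -gt 0 ]; then   # rc.d entry point
    load_rc_config "$name"
    run_rc_command "$1"
fi
```

Because no rcvar is declared, the script always runs at boot but does nothing unless a *_rules_late knob is set, which keeps the behaviour opt-in as the reply proposes.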
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net