--- Original message ---
From: "Andriy Gapon" <a...@freebsd.org>
Date: 18 August 2015, 14:35:36

> On 18/08/2015 14:18, wishmaster wrote:
> > --- Original message ---
> > From: "Andriy Gapon"
> > Date: 18 August 2015, 14:05:15
> >
> >> I have the following rule in pf.conf:
> >> set skip on tap
> >> and even the following one:
> >> set skip on tap0
> >>
> >> The rules are loaded at the system start-up time, but the tap interface
> >> may not be created until much later. When tap0 is first created the
> >> skip rules are not applied to it and the traffic gets filtered. If I
> >> reload the pf configuration, then the rules start working.
> >>
> >> Is there a way to make pf honor such rules for the dynamic interfaces?
> >
> > Hi,
> >
> > You should do it in your application, e.g. in mpd this is something like
> > below
> >
> > set iface up-script /usr/local/etc/mpd5/link_up.sh
> > set iface down-script /usr/local/etc/mpd5/link_down.sh
> >
> > in openvpn - see manuals.
>
> That's a good suggestion. But how to add a single rule for pf?
> Reloading the whole configuration is disruptive to existing connections.

Use anchors. Small example:

# VPN Interface Up Script
#
# Script is called like this:
#
# script interface proto local-ip remote-ip authname
#           $1       $2     $3        $4       $5
#

# pf.conf: one anchor per interface is attached under ng-int/
anchor "ng-int/*"

# less if-up.sh
#!/bin/sh
# Load a single rule into the anchor for this interface; nothing else is reloaded.
echo "pass quick on $1 all" | pfctl -a "ng-int/$1" -f -

# less if-down.sh
#!/bin/sh
# Flush the rules of this interface's anchor when the link goes away.
pfctl -a "ng-int/$1" -F rules

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
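An added example, not code from the thread or from mpd: one script that serves as both up-script and down-script, loads the same per-interface anchor rule as above, but first validates the interface name mpd passes in (it is spliced into pf rule text and into an anchor path) and then checks that the anchor actually holds the rule. The PFCTL variable and the dispatch by script name are assumptions made here so the helpers can be exercised on a host without pf.

```shell
#!/bin/sh
# Per-interface pf anchor loader for mpd up/down scripts.
# mpd calls: script interface proto local-ip remote-ip authname
# pf.conf needs a matching  anchor "ng-int/*"  line (as in the thread).
# PFCTL is overridable for testing without pf (assumption, not an mpd feature).
ANCHOR_BASE="ng-int"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Accept only letters followed by digits (ng0, tap0, tun12). Anything else
# (spaces, '/', quotes) must not reach pfctl, because $1 becomes rule syntax
# and part of the anchor path.
validate_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *[A-Za-z]*[0-9])   return 0 ;;
        *)                 return 1 ;;
    esac
}

anchor_path() { printf '%s/%s\n' "$ANCHOR_BASE" "$1"; }

# Same rule the thread uses: bypass filtering on the VPN interface.
build_rule() { printf 'pass quick on %s all\n' "$1"; }

link_up() {
    validate_ifname "$1" || { echo "refusing interface name '$1'" >&2; return 2; }
    build_rule "$1" | "$PFCTL" -a "$(anchor_path "$1")" -f - || return 1
    # Verify the anchor now holds a rule for this interface (pfctl -s rules).
    "$PFCTL" -a "$(anchor_path "$1")" -s rules | grep -q "on $1 "
}

link_down() {
    validate_ifname "$1" || return 2
    "$PFCTL" -a "$(anchor_path "$1")" -F rules
}

# Dispatch on the script name: install as link_up.sh and link_down.sh
# (a symlink or copy) and point mpd's up-script/down-script at them.
case "${0##*/}" in
    link_up.sh)   link_up "$@" ;;
    link_down.sh) link_down "$@" ;;
esac
```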