On 2025-01-31, Sebastien Marie <sema...@kapouay.eu.org> wrote:
> Raimo Niskanen <raimo+open...@erix.ericsson.se> writes:
>
>> Hello misc@
>>
>> My ISP is often enough a bit slow to answer DHCP queries,
>> so when /etc/rc runs, after netstart, PF is configured,
>> and I have used the egress group in /etc/pf.conf, my ISP has
>> not given me a lease, so no interface belongs to that group.
>>
>> pfctl refuses to load the ruleset and my router machine doesn't work.

As ever, when there's a problem where an error message is printed,
showing that message will make it easier to see what's occurring.

>> I have added a delay in /etc/rc, but that feels not kosher.
>>
>> I think what I miss is an argument to dhcpleased, or a configuration
>> parameter in dhcpleased.conf to set a longer initial lease timeout,
>> before going into background and returning control to netstart.
>>
>> Is this a common enough problem, or should I come back with a diff?
>>
>> Cheers
>
> having pfctl refuse to load the ruleset if you don't have your
> interface in 'egress' isn't expected.

Depends whether you use it as an interface group ("on egress") or are
trying to reference the address of that interface ("from egress",
"nat-to egress"). For the latter you need brackets ("from (egress)") to
defer lookup until the ruleset is evaluated (i.e. when a packet doesn't
match an existing state so it has to check against the firewall rules);
otherwise that lookup is done once when pfctl runs.

-- 
Please keep replies on the mailing list.
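To make the distinction in the reply above concrete, here is an added pf.conf fragment (an illustration written for this page, not a ruleset posted by anyone in the thread) showing "egress" used as an interface group, as an address without brackets, and as an address with brackets. The LAN interface name em1 and the network 192.168.1.0/24 are assumed values.

```conf
# Added example, not from the thread. Assumed: LAN is em1, 192.168.1.0/24.
lan = "em1"

set skip on lo

# 1. "on egress" is an interface-group match. The group membership is
#    checked by the kernel per packet, so an empty group at the time
#    pfctl loads the ruleset is not an error: the rules simply match
#    nothing until dhcpleased has brought an interface into the group.
block in on egress
pass out on egress inet keep state

# 2. "egress" used as an address WITHOUT brackets: pfctl resolves the
#    group to its address(es) once, while parsing. With no lease yet
#    there is no address to resolve and the load fails. Kept commented
#    out as the "before" form.
#match out on egress inet from 192.168.1.0/24 nat-to egress

# 3. The same rule WITH brackets: the address lookup is deferred until
#    the rule is evaluated, so the ruleset loads with an empty group and
#    translation starts as soon as the interface gets an address.
match out on egress inet from 192.168.1.0/24 nat-to (egress)

# The bracketed form also applies to destination addresses, e.g. only
# accepting ssh to whatever address the egress interface currently has.
pass in on egress inet proto tcp to (egress) port 22

pass in on $lan
```

A quick way to confirm which form you have is to parse the file without loading it: `pfctl -nf /etc/pf.conf` while the egress group is empty (for instance before the lease arrives, or with the uplink down) will report the error for the unbracketed form and accept the bracketed one; `pfctl -vsr` afterwards shows the loaded rules with the `(egress)` references intact rather than expanded to fixed addresses.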