[EMAIL PROTECTED] wrote:
I guess you use ($ext_if) - with brackets - instead of the IP address
manually entered (which you obviously don't know). This way PF monitors
the interface for changes of its IP address and adjusts rules
accordingly. You can verify if it does by doing a 'pfctl -s rules' after
a reconnection, without first reloading the ruleset.
The problem, though, is probably the states which were already created -
they keep matching the old IP. Clearing of the state table should be
sufficient, and I think this could be done with a macro in your
hostname.pppoe0, like this:
!pfctl -F state
I've personally never had to do such things, so consider everything I
say just as suggestions.
Kind regards,
Doichin

Well I added your macro right now but I'm unsure if hostname.pppoe0 is
read every time pppoe0 gets a disconnect (and later a new IP). I think
hostname.pppoe0 is read once on boot and the rest is all in kernelspace
then (Oh a disconnect! No worries let's try to reconnect...!).
I might be wrong and I might have understood the concept in a wrong way but
hostname.pppoe0 gets called once (and just once) at boot. So how could
this macro help after pppoe0 got a new IP?
Or is the hostname.pppoe0 really read once after pppoe0 got a disconnect?!

I'm unsure of this, too, and the man pages of hostname.if and pppoe seem
unclear about this. But I guess you're right - commands will be executed
only on system boot or network restart.

So far I never used such a macro because of my understanding it would have
no effect (not even at boot time because pppoe0 sometimes has 2-3 secs no
IP (the OS boots further, pf gets enabled) and then it has).

You set $ext_if to "pppoe0". Then by using ($ext_if) PF knows it has to
look up the IP address of the interface, and reflect changes to it back
in the ruleset. So I guess at least at boot time it should be of help.
The ! command in the hostname.pppoe0 file is irrelevant at boot - you
don't have any states to flush.
Regards,
Doichin
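
An added example, not written by anyone in this thread: because the thread leaves open whether hostname.pppoe0 is re-read after a reconnect, one alternative is to poll the interface address and run the suggested state flush only when the address actually changes. The state-file path, the 10 second poll interval and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flush PF states when a dynamic interface address changes.
# Assumptions: state-file path, poll interval and function names are illustrative.

IFACE="${IFACE:-pppoe0}"                      # interface name from the thread
STATE_FILE="${STATE_FILE:-/var/run/pf-last-addr.$IFACE}"
FLUSH_CMD="${FLUSH_CMD:-pfctl -F state}"      # the command suggested in the thread

# Print the first IPv4 address found in ifconfig-style output read from stdin.
# Prints nothing while the interface has no address (PPPoE still negotiating).
inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Compare the current address with the last one recorded; flush on change.
# Returns 0 when a flush was run, 1 when nothing had to be done.
flush_if_changed() {
    current="$1"
    [ -n "$current" ] || return 1             # no address yet: keep waiting
    previous=""
    [ -f "$STATE_FILE" ] && previous=$(cat "$STATE_FILE")
    [ "$current" = "$previous" ] && return 1  # unchanged: states are still valid
    printf '%s\n' "$current" > "$STATE_FILE"
    [ -n "$previous" ] || return 1            # first observation: no stale states
    $FLUSH_CMD                                # old states still match the old IP
    return 0
}

# Poll loop, entered only when the script is started with the argument "watch".
if [ "${1:-}" = "watch" ]; then
    while :; do
        flush_if_changed "$(ifconfig "$IFACE" | inet_addr)"
        sleep 10
    done
fi
```

The first address seen after boot is only recorded, matching the point above that there are no states to flush at that stage.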