From nobody@FreeBSD.org  Wed Apr  4 13:15:21 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id ED10716A481
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  4 Apr 2007 13:15:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id DC3F013C4AE
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  4 Apr 2007 13:15:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l34DFLTR085184
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 4 Apr 2007 13:15:21 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l34DAKGV084178;
	Wed, 4 Apr 2007 13:10:20 GMT
	(envelope-from nobody)
Message-Id: <200704041310.l34DAKGV084178@www.freebsd.org>
Date: Wed, 4 Apr 2007 13:10:20 GMT
From: Bas van Beek <bas@tobin.nl>
To: freebsd-gnats-submit@FreeBSD.org
Subject: missing option "syncpeer" in pfsync startup script
X-Send-Pr-Version: www-3.0

>Number:         111225
>Category:       conf
>Synopsis:       [pfsync]: missing option "syncpeer" in pfsync startup script
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    keramida
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 04 13:20:07 GMT 2007
>Closed-Date:    Mon May 28 02:03:08 GMT 2007
>Last-Modified:  Mon May 28 02:03:08 GMT 2007
>Originator:     Bas van Beek
>Release:        6.1 RELEASE
>Organization:
>Environment:
FreeBSD fw1.tobin.nl 6.1-RELEASE FreeBSD 6.1-RELEASE #2: Tue Apr  3 15:12:20 UTC 2007     bas@fw1.tobin.nl:/usr/obj/usr/src/sys/FW  i386
>Description:

pfsync can take the argument syncpeer so it will use a single peer IP address instead of a multicast address to inform the other pf firewall of state changes.

The /etc/rc.d/pfsync startup script does not facilitate this option.


>How-To-Repeat:

>Fix:
A minor update of the pfsync script would allow for this option to be included in the rc.conf script:

if  [ -z  "$pfsync_syncpeer" ] ; then
    ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
else
    ifconfig pfsync0 syncpeer $pfsync_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
fi

This would allow for the following configuration in rc.conf:

pfsync_enable="YES"
pfsync_syncdev="em3"
pfsync_syncpeer="10.0.0.1"
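
The rc.d logic proposed above, as an added example that is not code from the PR or from FreeBSD's rc.d/pfsync: it builds the argument list that would follow "ifconfig pfsync0" from rc.conf-style values, but validates them first, since the script expands them unquoted into the ifconfig command line. The function names are hypothetical.

```shell
# Added example (not from the PR or from FreeBSD's rc.d/pfsync): build the
# arguments rc.d/pfsync would pass to "ifconfig pfsync0", after checking
# that the rc.conf values are sane. Function names are hypothetical.

# Interface name: non-empty, only letters, digits, dot, dash, underscore.
pfsync_valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Dotted-quad IPv4 address, every octet in 0..255, no stray characters.
pfsync_valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Print the arguments that would follow "ifconfig pfsync0", mirroring the
# proposed rc.d logic: "syncpeer ADDR" only when a peer is configured.
# Usage: pfsync_args SYNCDEV [SYNCPEER] [EXTRA_IFCONFIG_ARGS]
pfsync_args() {
    _syncdev=$1
    _syncpeer=$2
    _extra=$3
    pfsync_valid_ifname "$_syncdev" || { echo "pfsync: bad syncdev '$_syncdev'" >&2; return 1; }
    _peer=""
    if [ -n "$_syncpeer" ]; then
        pfsync_valid_ipv4 "$_syncpeer" || { echo "pfsync: bad syncpeer '$_syncpeer'" >&2; return 1; }
        _peer="syncpeer $_syncpeer "
    fi
    printf '%ssyncdev %s%s up\n' "$_peer" "$_syncdev" "${_extra:+ $_extra}"
}

# The rc.conf values from the PR: pfsync_syncdev="em3", pfsync_syncpeer="10.0.0.1".
pfsync_args em3 10.0.0.1
```

A value with embedded whitespace or a bad octet is rejected before it can become extra ifconfig arguments, which is the failure mode the unquoted expansion in the rc.d script otherwise leaves to ifconfig.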

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: remko 
Responsible-Changed-When: Wed Apr 4 13:36:31 UTC 2007 
Responsible-Changed-Why:  
Reassign to the PF team. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111225 

From: Giorgos Keramidas <keramida@freebsd.org>
To: Bas van Beek <bas@tobin.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Date: Fri, 6 Apr 2007 04:47:17 +0300

 On 2007-04-04 13:10, Bas van Beek <bas@tobin.nl> wrote:
 > A minor update of the pfsync script would allow for this option to be
 > included in the rc.conf script:
 > 
 > if  [ -z  "$pfsync_syncpeer" ] ; then
 >     ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
 > else
 >     ifconfig pfsync0 syncpeer $pfsync_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
 > fi
 
 Sounds like a good idea.  Does the following patch look like something
 we can use to make pfsync_syncpeer="address" work, and document it as an
 rc.conf option?
 
 [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ]
 
 %%%
 diff -r 7fd2429572a3 etc/rc.d/pfsync
 --- a/etc/rc.d/pfsync	Fri Apr 06 01:25:19 2007 +0300
 +++ b/etc/rc.d/pfsync	Fri Apr 06 04:42:46 2007 +0300
 @@ -37,7 +37,11 @@ pfsync_start()
  pfsync_start()
  {
  	echo "Enabling pfsync."
 -	ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
 +	if [ -n "${pfsync_syncpeer}" ]; then
 +		_syncpeer="syncpeer ${pfsync_syncpeer}"
 +	fi
 +	ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
 +	unset _syncpeer
  }
  
  pfsync_stop()
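 Review bot: `_syncpeer` is never initialised before the `if`, so when `pfsync_syncpeer` is empty the line `ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up` relies on `_syncpeer` happening to be unset in the calling environment; set `_syncpeer=""` before the test (or declare it `local`) rather than only cleaning up with `unset _syncpeer` afterwards. Separately, `${pfsync_syncpeer}` is expanded unquoted into the ifconfig argument list, so a value containing whitespace turns into extra ifconfig arguments; a `case`-based sanity check of the address before building `_syncpeer` would make `pfsync_start` fail loudly on a bad rc.conf value instead of leaving ifconfig to interpret stray words.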
 diff -r 7fd2429572a3 share/man/man5/rc.conf.5
 --- a/share/man/man5/rc.conf.5	Fri Apr 06 01:25:19 2007 +0300
 +++ b/share/man/man5/rc.conf.5	Fri Apr 06 04:42:46 2007 +0300
 @@ -855,6 +855,26 @@ It must be set accordingly if
  .Va pfsync_enable
  is set to
  .Dq Li YES .
 +.It Va pfsync_syncpeer
 +.Pq Vt str
 +Empty by default.
 +This variable is optional.
 +By default, state change messages are sent out on the synchronisation
 +interface using IP multicast packets.
 +The protocol is IP protocol 240, PFSYNC, and the multicast group used is
 +224.0.0.240.
 +When a peer address is specified using the
 +.Va pfsync_syncpeer
 +option, the peer address is used as a destination for the pfsync
 +traffic, and the traffic can then be protected using
 +.Xr ipsec 4 .
 +See the
 +.Xr pfsync 4
 +manpage for more details about using
 +.Xr ipsec 4
 +with
 +.Xr pfsync 4
 +interfaces.
  .It Va pfsync_ifconfig
  .Pq Vt str
  Empty by default.
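 Review bot: the new entry states `Empty by default.` but nothing in this patch adds a `pfsync_syncpeer=""` line to `etc/defaults/rc.conf`, so the default the manual describes is not actually defined anywhere; the defaults entry should go in alongside the `rc.conf.5` text (the commit log later in this PR does list `etc/defaults/rc.conf` among the modified files, so the committed version corrected this). It would also help the reader to say that `pfsync_syncdev` is still required when a peer is set, since the script always passes `syncdev $pfsync_syncdev` regardless of `pfsync_syncpeer`.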
 %%%

From: Giorgos Keramidas <keramida@freebsd.org>
To: Bas van Beek <bas@tobin.nl>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: conf/111225: missing option "syncpeer" in pfsync startup script
Date: Sat, 7 Apr 2007 00:24:55 +0300

 > From: Giorgos Keramidas <keramida@freebsd.org>
 > To: Bas van Beek <bas@tobin.nl>
 > Cc: freebsd-gnats-submit@freebsd.org
 > Subject: conf/111225: Re: conf/111225: missing option "syncpeer" in pfsync startup script
 > Date: Fri, 6 Apr 2007 04:47:17 +0300
 > 
 > Sounds like a good idea.  Does the following patch look like something
 > we can use to make pfsync_syncpeer="address" work, and document it as an
 > rc.conf option?
 >  
 > [ http://people.freebsd.org/~keramida/diff/conf-111225.patch ]
 
 The original version of the patch used 'unset' to keep $_syncpeer local,
 but Simon has pointed me at using "local _syncpeer" since then.  I've
 updated the patch online with:
 
 %%%
 diff -r 7fd2429572a3 etc/rc.d/pfsync
 --- a/etc/rc.d/pfsync	Fri Apr 06 01:25:19 2007 +0300
 +++ b/etc/rc.d/pfsync	Sat Apr 07 00:22:07 2007 +0300
 @@ -36,8 +36,13 @@ pfsync_prestart()
  
  pfsync_start()
  {
 +	local _syncpeer
 +
  	echo "Enabling pfsync."
 -	ifconfig pfsync0 syncdev $pfsync_syncdev $pfsync_ifconfig up
 +	if [ -n "${pfsync_syncpeer}" ]; then
 +		_syncpeer="syncpeer ${pfsync_syncpeer}"
 +	fi
 +	ifconfig pfsync0 $_syncpeer syncdev $pfsync_syncdev $pfsync_ifconfig up
  }
  
  pfsync_stop()
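 Review bot: `local _syncpeer` is declared but not assigned. In FreeBSD's sh a variable made `local` inherits the value of a same-named variable from the surrounding scope when one exists, so `local _syncpeer=""` (or an explicit `_syncpeer=` before the `if`) is what guarantees the `ifconfig pfsync0 $_syncpeer syncdev ...` line gets no stray `syncpeer` argument when `pfsync_syncpeer` is unset. The unquoted `${pfsync_syncpeer}` expansion carries over from the first revision; a quick validity check before building `_syncpeer` is still worth adding, since whatever is in rc.conf ends up verbatim on the ifconfig command line.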
 diff -r 7fd2429572a3 share/man/man5/rc.conf.5
 --- a/share/man/man5/rc.conf.5	Fri Apr 06 01:25:19 2007 +0300
 +++ b/share/man/man5/rc.conf.5	Sat Apr 07 00:22:07 2007 +0300
 @@ -855,6 +855,26 @@ It must be set accordingly if
  .Va pfsync_enable
  is set to
  .Dq Li YES .
 +.It Va pfsync_syncpeer
 +.Pq Vt str
 +Empty by default.
 +This variable is optional.
 +By default, state change messages are sent out on the synchronisation
 +interface using IP multicast packets.
 +The protocol is IP protocol 240, PFSYNC, and the multicast group used is
 +224.0.0.240.
 +When a peer address is specified using the
 +.Va pfsync_syncpeer
 +option, the peer address is used as a destination for the pfsync
 +traffic, and the traffic can then be protected using
 +.Xr ipsec 4 .
 +See the
 +.Xr pfsync 4
 +manpage for more details about using
 +.Xr ipsec 4
 +with
 +.Xr pfsync 4
 +interfaces.
  .It Va pfsync_ifconfig
  .Pq Vt str
  Empty by default.
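 Review bot: the wording in this hunk should say explicitly that `pfsync_syncpeer` only changes where the state messages are addressed and does not itself protect them; the sentence `the traffic can then be protected using .Xr ipsec 4` is the security-relevant part of the entry and reads better as the recommendation ("pfsync traffic carries the firewall's state table; use ipsec(4) unless the sync interface is a dedicated, trusted link") rather than as an aside after the protocol and multicast-group details. The same `Empty by default.` claim also needs the matching `pfsync_syncpeer=""` entry in `etc/defaults/rc.conf`, which this diff does not include.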
 %%%
State-Changed-From-To: open->patched 
State-Changed-By: keramida 
State-Changed-When: Tue Apr 10 16:42:26 UTC 2007 
State-Changed-Why:  
A slightly improved patch (with a suggestion from simon@ for 
using a "local" function variable), has been committed to the 
HEAD of the CVS tree.  Thank you for noticing this in the first 
place and filing a PR with us. 


Responsible-Changed-From-To: freebsd-pf->keramida 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Tue Apr 10 16:42:26 UTC 2007 
Responsible-Changed-Why:  
I'll take care of MFC'ing this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111225 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: conf/111225: commit references a PR
Date: Tue, 10 Apr 2007 16:42:19 +0000 (UTC)

 keramida    2007-04-10 16:42:14 UTC
 
   FreeBSD src repository (doc committer)
 
   Modified files:
     etc/defaults         rc.conf 
     etc/rc.d             pfsync 
     share/man/man5       rc.conf.5 
   Log:
   Add a pfsync_syncpeer option to /etc/defaults/rc.conf and rc.conf(5),
   which can be used to turn off multicast pfsync support, and enable
   the transmission of directed PFSYNC (IP protocol: 240) packets to
   a specific "sync peer" host.
   
   PR:             conf/111225
   Submitted by:   Bas van Beek <bas@tobin.nl>
   Approved by:    mtm, mlaier
   MFC after:      2 weeks
   
   Revision  Changes    Path
   1.314     +1 -0      src/etc/defaults/rc.conf
   1.5       +6 -1      src/etc/rc.d/pfsync
   1.323     +20 -0     src/share/man/man5/rc.conf.5
 
State-Changed-From-To: patched->closed 
State-Changed-By: keramida 
State-Changed-When: Mon May 28 02:02:13 UTC 2007 
State-Changed-Why:  
Merged to RELENG_6.  Thanks for the bug report :) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=111225 
>Unformatted:
