From nobody@FreeBSD.org  Mon Jan 21 21:16:10 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F0F1516A41B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Jan 2008 21:16:10 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id EB1D513C45A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Jan 2008 21:16:10 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m0LLEegR076143
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 21 Jan 2008 21:14:40 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m0LLEe5E076142;
	Mon, 21 Jan 2008 21:14:40 GMT
	(envelope-from nobody)
Message-Id: <200801212114.m0LLEe5E076142@www.freebsd.org>
Date: Mon, 21 Jan 2008 21:14:40 GMT
From: Niki Denev <nike_d@cytexbg.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: "/etc/rc.d/pf reload" fails if there are macros defined in pf_flags rc variable
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         119874
>Category:       conf
>Synopsis:       [patch] "/etc/rc.d/pf reload" fails if there are macros defined in pf_flags rc variable
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-rc
>State:          analyzed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 21 21:20:01 UTC 2008
>Closed-Date:    
>Last-Modified:  Wed Oct 31 19:25:23 UTC 2012
>Originator:     Niki Denev
>Release:        FreeBSD 7.0-PRERELEASE
>Organization:
>Environment:
FreeBSD rtr1 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #1: Mon Jan 21 17:24:53 UTC 2008     root@rtr3:/usr/obj/usr/src/sys/RTR  amd64

>Description:
I'm using the pf_flags rc var to set macros for the pf.conf
files I use in a redundant router configuration.
This way I can have exactly the same pf.conf on all
of the routers, and still set host-specific
options such as "hostid" used by pfsync via rc.conf.
The problem is that when I use "/etc/rc.d/pf reload" to reload the rules,
the rc.d/pf script first executes pfctl with the -n option to check the
pf.conf syntax, but fails to include
the $pf_flags var, and fails because of undefined macros.
>How-To-Repeat:
Use macros in pf.conf that are defined in rc.conf as pf_flags="-D macro=value"
and then do
# /etc/rc.d/pf reload

It will fail because, when the rules are checked on reloading, the
$pf_flags variable is not included in the command.
>Fix:
Small patch to /etc/rc.d/pf which adds the $pf_flags variable when executing
pfctl with the "-n" flag to check the ruleset syntax.
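The failure described above is a macro referenced in pf.conf that is only defined through "-D macro=value" in pf_flags, so a syntax check that omits $pf_flags cannot resolve it. The script below is an added example, not code from this PR or from FreeBSD's /etc/rc.d/pf: a pre-flight check that lists every macro a pf.conf references but neither defines itself nor receives from the -D flags, which is exactly the set that makes "pfctl -n" fail when the flags are left out. It assumes pf_flags is passed as separate words (as the rc script does when it expands $pf_flags unquoted) and that macros are defined in the file as "name = value" lines; the rules file it runs on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PR or from FreeBSD's /etc/rc.d/pf.
# Pre-flight check: every macro referenced as $name in a pf.conf must be
# defined either in the file ("name = value") or via "-D name=value" in
# pf_flags, otherwise "pfctl -n -f pf.conf" fails with an undefined macro.
# Assumption: pf_flags arrives as separate words, as the rc script passes
# them when it expands $pf_flags unquoted (e.g. -D hostid=1 -Dsync_if=em1).

# Print the macro names defined through -D in the given flag words.
pf_flag_macros() {
    expect_name=0
    for arg in "$@"; do
        if [ "$expect_name" -eq 1 ]; then
            printf '%s\n' "${arg%%=*}"      # "-D name=value": name is this word
            expect_name=0
        else
            case $arg in
                -D)  expect_name=1 ;;       # name follows in the next word
                -D*) name=${arg#-D}         # "-Dname=value" in one word
                     printf '%s\n' "${name%%=*}" ;;
            esac
        fi
    done
}

# Print the macro names assigned in the rules file ("name = value" lines).
pf_file_macros() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1"
}

# Print every macro referenced as $name in the rules file, once each.
pf_used_macros() {
    grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$1" | sed 's/^\$//' | sort -u
}

# Usage: pf_undefined_macros rules_file [pf_flags...]
# Prints the undefined macro names on one line and returns 1 if there are
# any; prints nothing and returns 0 when every referenced macro is defined.
pf_undefined_macros() {
    rules=$1
    shift
    defined=$( { pf_file_macros "$rules"; pf_flag_macros "$@"; } | sort -u )
    missing=
    for m in $(pf_used_macros "$rules"); do
        if ! printf '%s\n' "$defined" | grep -Fqx "$m"; then
            missing="$missing $m"
        fi
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Demo on a constructed rules file (not a real configuration): hostid is
# only defined through pf_flags, so the check fails without the flags.
demo_rules=$(mktemp)
printf '%s\n' 'ext_if = "em0"' \
    'pass in on $ext_if proto tcp to ($ext_if) port ssh' \
    'set hostid $hostid' > "$demo_rules"
echo "without pf_flags, undefined macros:"
pf_undefined_macros "$demo_rules" || echo "  -> pfctl -n would fail here"
echo "with pf_flags='-D hostid=1':"
pf_undefined_macros "$demo_rules" -D hostid=1 && echo "  -> all macros defined"
rm -f "$demo_rules"
```

Running the check with the same unquoted $pf_flags that rc.d/pf hands to pfctl keeps the -D handling identical in both places; the "-D name" two-word form and the "-Dname=value" one-word form are both accepted because pfctl takes either.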


Patch attached with submission follows:

--- /etc/rc.d/pf.orig	2008-01-21 11:18:27.000000000 +0200
+++ /etc/rc.d/pf	2008-01-21 11:29:56.000000000 +0200
@@ -50,7 +50,7 @@
 pf_reload()
 {
 	echo "Reloading pf rules."
-	$pf_program -n -f "$pf_rules" || return 1
+	$pf_program -n -f "$pf_rules" $pf_flags || return 1
 	# Flush everything but existing state entries that way when
 	# rules are read in, it doesn't break established connections.
 	$pf_program -Fnat -Fqueue -Frules -FSources -Finfo -FTables -Fosfp > /dev/null 2>&1
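Review bot: the -n syntax check in pf_reload now sees the same -D macro definitions as the real load, which fixes the reported failure, but it leaves pf_reload with its own copy of the check invocation instead of reusing the existing pf_check function (the audit trail makes the same point); calling pf_check from pf_reload and adding $pf_flags there once keeps the two paths from drifting apart again. Leaving $pf_flags unquoted on the changed line is correct here, since "-D macro=value" must word-split into separate arguments for pfctl.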


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Tue Jan 22 05:13:37 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119874 
State-Changed-From-To: open->analyzed 
State-Changed-By: crees 
State-Changed-When: Wed Oct 31 19:25:11 UTC 2012 
State-Changed-Why:  
I think we could kill two birds with one stone here, and minimise the 
code duplication; use the pf_check function in pf_reload, and add your 
patch to pf_check http://www.bayofrum.net/~crees/patches/119874.diff 

http://www.freebsd.org/cgi/query-pr.cgi?pr=119874 
>Unformatted:
