From nobody@FreeBSD.org  Wed Apr 26 03:58:01 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0D2FC16A400
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Apr 2006 03:58:01 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9999D43D45
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Apr 2006 03:58:00 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k3Q3w0wO093770
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 26 Apr 2006 03:58:00 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k3Q3w07J093769;
	Wed, 26 Apr 2006 03:58:00 GMT
	(envelope-from nobody)
Message-Id: <200604260358.k3Q3w07J093769@www.freebsd.org>
Date: Wed, 26 Apr 2006 03:58:00 GMT
From: Mike Oliver <michael@gargantuan.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: patch - rc.d order change to start inet6 before pf
X-Send-Pr-Version: www-2.3

>Number:         96343
>Category:       conf
>Synopsis:       [patch] rc.d order change to start inet6 before pf
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-rc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 26 04:00:29 GMT 2006
>Closed-Date:    Thu Nov 01 18:11:36 UTC 2012
>Last-Modified:  Thu Nov 01 18:11:36 UTC 2012
>Originator:     Mike Oliver
>Release:        CURRENT
>Organization:
>Environment:
FreeBSD gambit.gargantuan.com 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Wed Mar 15 12:56:49 EST 2006     mwoliver@gambit.gargantuan.com:/usr/obj/usr/src/sys/GAMBIT  i386
>Description:
For inet6, it looks like the link-local address isn't enough to satisfy pf so that it will load the rules, because I saw the same "rule expands to no valid combination" error when testing this config before having a non-link-local addr assigned to re0.  It looks like pf is being started after the inet config, but before the inet6 config, and since there are no non-link-local addrs assigned yet, pf is failing to load the pf.conf rules.

The attached patch to change the ordering of /etc/rc.d fixes the problem completely in my case, though I don't have a facility to test any regression to isdn or ppp.
>How-To-Repeat:
Put these rules in /etc/pf.conf and reboot with the current rc.d ordering; the rules will NOT be loaded.

antispoof quick for $int_if inet
antispoof quick for $int_if inet6
antispoof quick for $ext_if inet
antispoof quick for $ext_if inet6
>Fix:
diff -ruN /etc/rc.d.orig/NETWORKING /etc/rc.d/NETWORKING
--- /etc/rc.d.orig/NETWORKING   Tue Jan 10 12:51:47 2006
+++ /etc/rc.d/NETWORKING        Mon Apr 24 13:44:25 2006
@@ -5,7 +5,7 @@
 #

 # PROVIDE: NETWORKING NETWORK
-# REQUIRE: netif routing network_ipv6 isdnd ppp
+# REQUIRE: netif network_ipv6 routing isdnd ppp
 # REQUIRE: routed mrouted route6d mroute6d

 #      This is a dummy dependency, for services which require networking
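Review bot: reordering the names on the REQUIRE line (netif routing network_ipv6 -> netif network_ipv6 routing) changes nothing: rcorder(8) derives the start order from the PROVIDE/REQUIRE/BEFORE graph, and the position of a name within one REQUIRE line carries no ordering information. The actual reorder comes from the network_ipv6 and routing hunks below; drop this hunk, or say in the submission that it is cosmetic.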
diff -ruN /etc/rc.d.orig/atm2 /etc/rc.d/atm2
--- /etc/rc.d.orig/atm2 Tue Jan 10 12:51:47 2006
+++ /etc/rc.d/atm2      Mon Apr 24 14:17:05 2006
@@ -28,7 +28,7 @@
 #

 # PROVIDE: atm2
-# REQUIRE: atm1 netif
+# REQUIRE: atm1 netif ip6addrctl
 # BEFORE:  routing
 # KEYWORD: nojail

diff -ruN /etc/rc.d.orig/ip6fw /etc/rc.d/ip6fw
--- /etc/rc.d.orig/ip6fw        Tue Jan 10 12:51:48 2006
+++ /etc/rc.d/ip6fw     Mon Apr 24 14:14:09 2006
@@ -4,8 +4,8 @@
 #

 # PROVIDE: ip6fw
-# REQUIRE: routing
-# BEFORE: network_ipv6
+# REQUIRE: network_ipv6 routing
+# BEFORE: NETWORKING
 # KEYWORD: nojail

 . /etc/rc.subr
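Review bot: replacing `# BEFORE: network_ipv6` with `# REQUIRE: network_ipv6 routing` inverts the original ordering: ip6fw used to load the IPv6 firewall before network_ipv6 assigned any addresses, and with this hunk it runs only after addresses and routes are in place, so IPv6 traffic can reach the host with no ip6fw rules loaded. The inversion is forced by the later hunk that makes routing depend on network_ipv6 (keeping BEFORE: network_ipv6 would create a cycle), so it is a cost of the whole approach and should be called out explicitly in the submission rather than appear as an incidental header change.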
diff -ruN /etc/rc.d.orig/mroute6d /etc/rc.d/mroute6d
--- /etc/rc.d.orig/mroute6d     Tue Jan 10 12:51:48 2006
+++ /etc/rc.d/mroute6d  Mon Apr 24 14:05:19 2006
@@ -4,7 +4,7 @@
 #

 # PROVIDE: mroute6d
-# REQUIRE: network_ipv6
+# REQUIRE: network_ipv6 routing
 # KEYWORD: nojail

 . /etc/rc.subr
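Review bot: correct and necessary: once network_ipv6 stops REQUIREing routing (later hunk), a script that only REQUIREs network_ipv6 silently loses its ordering after routing, and the explicit `routing` here preserves the old behaviour. The same applies to every other script in /etc/rc.d whose REQUIRE line names network_ipv6 and nothing else; the patch fixes route6d too, but grep the rest of the directory before committing so none are missed.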
diff -ruN /etc/rc.d.orig/network_ipv6 /etc/rc.d/network_ipv6
--- /etc/rc.d.orig/network_ipv6 Tue Jan 10 12:51:48 2006
+++ /etc/rc.d/network_ipv6      Mon Apr 24 13:41:07 2006
@@ -29,7 +29,7 @@
 #

 # PROVIDE: network_ipv6
-# REQUIRE: routing
+# REQUIRE: mountcritlocal
 # KEYWORD: nojail

 . /etc/rc.subr
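Review bot: changing `REQUIRE: routing` to `REQUIRE: mountcritlocal` also drops netif from network_ipv6's transitive dependencies. Before, network_ipv6 -> routing -> netif guaranteed that interfaces had been created and configured; after this hunk nothing in the patch orders netif before network_ipv6 (the routing hunk makes routing require both, but that does not order them relative to each other), so rcorder is free to run network_ipv6 before netif has set the interfaces up. Use `# REQUIRE: mountcritlocal netif`.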
diff -ruN /etc/rc.d.orig/pf /etc/rc.d/pf
--- /etc/rc.d.orig/pf   Mon Apr 24 10:36:10 2006
+++ /etc/rc.d/pf        Mon Apr 24 14:12:38 2006
@@ -4,7 +4,7 @@
 #

 # PROVIDE: pf
-# REQUIRE: root mountcritlocal netif pflog pfsync
+# REQUIRE: root mountcritlocal netif network_ipv6 pflog pfsync
 # BEFORE:  routing
 # KEYWORD: nojail

diff -ruN /etc/rc.d.orig/pflog /etc/rc.d/pflog
--- /etc/rc.d.orig/pflog        Mon Apr 24 10:36:15 2006
+++ /etc/rc.d/pflog     Mon Apr 24 14:12:28 2006
@@ -4,7 +4,7 @@
 #

 # PROVIDE: pflog
-# REQUIRE: root mountcritlocal netif cleanvar
+# REQUIRE: root mountcritlocal netif network_ipv6 cleanvar
 # KEYWORD: nojail

 . /etc/rc.subr
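Review bot: network_ipv6 is not needed here. pflog sets up the pflog interface and logger, which do not depend on IPv6 addresses, and pf already REQUIREs both pflog and network_ipv6, which is sufficient to order pf after both. Revert this line to the original.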
diff -ruN /etc/rc.d.orig/pfsync /etc/rc.d/pfsync
--- /etc/rc.d.orig/pfsync       Mon Apr 24 10:36:23 2006
+++ /etc/rc.d/pfsync    Mon Apr 24 14:20:25 2006
@@ -4,7 +4,7 @@
 #

 # PROVIDE: pfsync
-# REQUIRE: root mountcritlocal netif
+# REQUIRE: root mountcritlocal netif network_ipv6
 # KEYWORD: nojail

 . /etc/rc.subr
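Review bot: same as pflog: unnecessary, since pf's own REQUIRE line already orders pf after pfsync and network_ipv6, and nothing in the PR shows pfsync needing IPv6 addresses. Revert this line.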
diff -ruN /etc/rc.d.orig/route6d /etc/rc.d/route6d
--- /etc/rc.d.orig/route6d      Tue Jan 10 12:51:49 2006
+++ /etc/rc.d/route6d   Mon Apr 24 14:05:09 2006
@@ -5,7 +5,7 @@
 #

 # PROVIDE: route6d
-# REQUIRE: network_ipv6
+# REQUIRE: network_ipv6 routing
 # KEYWORD: nojail

 . /etc/rc.subr
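Review bot: consistent with the mroute6d hunk and needed for the same reason (route6d previously inherited its ordering after routing through network_ipv6); fine as is.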
diff -ruN /etc/rc.d.orig/routing /etc/rc.d/routing
--- /etc/rc.d.orig/routing      Tue Jan 10 12:51:49 2006
+++ /etc/rc.d/routing   Mon Apr 24 13:41:59 2006
@@ -6,7 +6,7 @@
 #

 # PROVIDE: routing
-# REQUIRE: netif ppp
+# REQUIRE: netif network_ipv6 ppp
 # KEYWORD: nojail

 . /etc/rc.subr
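Review bot: together with the network_ipv6 hunk this inverts the routing/network_ipv6 order, which is the intended effect, but the submission should say so and should confirm that nothing in network_ipv6's start method relied on routing having completed (it could assume that before). Since pf keeps `# BEFORE: routing` and now REQUIREs network_ipv6, pf is pinned between network_ipv6 and routing by these two lines alone, which is what makes the NETWORKING hunk redundant. The untested isdnd/ppp paths mentioned in the description are unaffected by this hunk only as far as `ppp` is concerned; isdnd is not in routing's REQUIRE list at all.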
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jun 29 00:24:57 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96343 

From: Bruce Cran <bruce@cran.org.uk>
To: bug-followup@FreeBSD.org, michael@gargantuan.com
Cc:  
Subject: Re: conf/96343: [patch] rc.d order change to start inet6 before pf
Date: Wed, 31 Dec 2008 05:19:04 +0000

 [http://www.freebsd.org/cgi/query-pr.cgi?pr=conf/96343]
 
 Ideally the firewall should be started before any interfaces become
 active to avoid the possibility for an attacker to get in between the
 interface being active and the firewall being turned on; on 8-CURRENT
 the startup procedure has been changed so that this is the case.  It
 should be possible to make pf work by for example changing
 
 pass ... on re0 from any to re0 ...
 
 to
 
 pass ... on re0 from any to (re0) ...
 
 With the second line, pf now doesn't require re0 to have an IP address
 in order to load the firewall rules.
 
 -- 
 Bruce Cran
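Both points in this PR, the reorder the patch performs and the reply's concern about an interval between an interface becoming active and the firewall loading, can be checked mechanically from the PROVIDE/REQUIRE/BEFORE headers. The following is an added example, not code from the PR and not FreeBSD's rcorder(8) (which is a C program); it is a small Python re-implementation of the same dependency resolution. The header tables are constructed from the hunks visible in the patch; the entries for mountcritlocal, root, cleanvar, netif and ppp are assumed minimal stand-ins, not copies of the real scripts, and atm2 and mroute6d are left out.

```python
"""Added example: a toy rcorder(8)-style resolver for rc.d PROVIDE/REQUIRE/BEFORE
headers, used to compare the boot order before and after the PR's patch.

Not FreeBSD code and not the PR's code.  The header tables are constructed from
the hunks in the PR; mountcritlocal, root, cleanvar, netif and ppp are assumed
stand-ins (their real REQUIRE lines are not in the PR)."""
from collections import defaultdict

# script name -> (PROVIDE, REQUIRE, BEFORE): the unpatched /etc/rc.d subset
ORIGINAL = {
    "mountcritlocal": (["mountcritlocal"], [], []),                      # assumed
    "root":           (["root"], [], []),                                # assumed
    "cleanvar":       (["cleanvar"], ["mountcritlocal"], []),            # assumed
    "netif":          (["netif"], ["mountcritlocal"], []),               # assumed
    "ppp":            (["ppp"], ["netif"], []),                          # assumed
    "pflog":          (["pflog"], ["root", "mountcritlocal", "netif", "cleanvar"], []),
    "pfsync":         (["pfsync"], ["root", "mountcritlocal", "netif"], []),
    "pf":             (["pf"], ["root", "mountcritlocal", "netif", "pflog", "pfsync"], ["routing"]),
    "routing":        (["routing"], ["netif", "ppp"], []),
    "network_ipv6":   (["network_ipv6"], ["routing"], []),
    "ip6fw":          (["ip6fw"], ["routing"], ["network_ipv6"]),
    "route6d":        (["route6d"], ["network_ipv6"], []),
    "NETWORKING":     (["NETWORKING", "NETWORK"],
                       ["netif", "routing", "network_ipv6", "ppp"], []),
}

# The same subset with the PR's hunks applied.
PATCHED = dict(ORIGINAL)
PATCHED.update({
    "pflog":        (["pflog"], ["root", "mountcritlocal", "netif", "network_ipv6", "cleanvar"], []),
    "pfsync":       (["pfsync"], ["root", "mountcritlocal", "netif", "network_ipv6"], []),
    "pf":           (["pf"], ["root", "mountcritlocal", "netif", "network_ipv6", "pflog", "pfsync"],
                     ["routing"]),
    "routing":      (["routing"], ["netif", "network_ipv6", "ppp"], []),
    "network_ipv6": (["network_ipv6"], ["mountcritlocal"], []),
    "ip6fw":        (["ip6fw"], ["network_ipv6", "routing"], ["NETWORKING"]),
    "route6d":      (["route6d"], ["network_ipv6", "routing"], []),
})


def build_graph(scripts):
    """Map each script to the set of scripts that must finish before it starts."""
    providers = defaultdict(set)
    for name, (provides, _, _) in scripts.items():
        for tag in provides:
            providers[tag].add(name)
    preds = {name: set() for name in scripts}
    for name, (_, requires, before) in scripts.items():
        for tag in requires:                 # REQUIRE x: every provider of x precedes me
            preds[name] |= providers[tag] - {name}
        for tag in before:                   # BEFORE x: I precede every provider of x
            for later in providers[tag] - {name}:
                preds[later].add(name)
    return preds


def precedes(preds, a, b):
    """True if the headers guarantee a runs before b (a is a transitive predecessor of b)."""
    seen, stack = set(), [b]
    while stack:
        for p in preds[stack.pop()]:
            if p == a:
                return True
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return False


def rcorder(preds):
    """One valid boot order (Kahn's algorithm, ties broken by name); raises on a cycle."""
    remaining = {n: set(p) for n, p in preds.items()}
    order = []
    while remaining:
        ready = sorted(n for n, p in remaining.items() if not p)
        if not ready:
            raise ValueError("dependency cycle among " + ", ".join(sorted(remaining)))
        name = ready[0]
        order.append(name)
        del remaining[name]
        for p in remaining.values():
            p.discard(name)
    return order


def unguarded(preds, firewall, addr_scripts):
    """Address-configuring scripts that may run before the firewall ruleset is loaded."""
    return [s for s in addr_scripts if not precedes(preds, firewall, s)]


def lost_orderings(preds, pairs):
    """(a, b) pairs that the headers do not force into that order."""
    return [(a, b) for a, b in pairs if not precedes(preds, a, b)]


if __name__ == "__main__":
    checks = [("netif", "network_ipv6"), ("pf", "network_ipv6")]
    for label, scripts in (("original", ORIGINAL), ("patched", PATCHED)):
        g = build_graph(scripts)
        print(label, "order:", " ".join(rcorder(g)))
        print("  address scripts not behind pf:", unguarded(g, "pf", ["netif", "network_ipv6"]))
        print("  orderings not guaranteed:", lost_orderings(g, checks))
```

Run stand-alone it prints one valid order per graph plus two checks. In the original graph only netif (IPv4 addressing) is configured before pf loads, which is the window the reply says 8-CURRENT closed; in the patched graph network_ipv6 joins it, and the pair (netif, network_ipv6) is no longer guaranteed at all, because network_ipv6 now depends on nothing but mountcritlocal. The `precedes` check is the one to run on a real /etc/rc.d (feed it the output of grep on the PROVIDE/REQUIRE/BEFORE lines) before trusting any dependency reorder.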
State-Changed-From-To: open->closed 
State-Changed-By: crees 
State-Changed-When: Thu Nov 1 18:11:35 UTC 2012 
State-Changed-Why:  
Solution provided and assumed accepted. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96343 
>Unformatted:
