Bug 128005

Summary: /etc/rc.d/pf should REQUIRE ppp
Product: Base System
Reporter: josh.carroll
Component: conf
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 7.1-PRERELEASE
Hardware: Any
OS: Any

Description josh.carroll 2008-10-10 17:40:01 UTC
I have not personally experienced this problem, but I am submitting on behalf of the person who experienced the problem.

This user is using diald/ppp to establish a PPPoE connection, which is brought up on tun0.

/etc/rc.d/pf happens before /etc/rc.d/ppp according to rcorder, so tun0 does not yet have an IP address and pf fails to load the ruleset.

This is already done for ipfw, so I guess it makes sense to do it also for pf:

% rcorder /etc/rc.d/* | grep -E '(netif|ppp|pf)'
/etc/rc.d/ipfilter
/etc/rc.d/ipfs
/etc/rc.d/sppp
/etc/rc.d/netif
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ppp
/etc/rc.d/ipfw
/etc/rc.d/pppoed
/etc/rc.d/rfcomm_pppd_server

Putting ppp as a REQUIRE for pf fixed this person's particular problem. I'm just not aware if there was a reason for not having this in place, historically speaking.

Thanks!
Josh

Fix: 

# PROVIDE: pf
-# REQUIRE: FILESYSTEMS netif pflog pfsync
+# REQUIRE: FILESYSTEMS netif pflog pfsync ppp
 # BEFORE:  routing
 # KEYWORD: nojail
--- pf.old      2008-10-10 12:37:47.000000000 -0400
+++ pf  2008-10-10 12:37:52.000000000 -0400
@@ -4,7 +4,7 @@
 #
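Review bot: the `+# REQUIRE: FILESYSTEMS netif pflog pfsync ppp` line makes pf wait for the ppp script on every system, not only PPPoE setups, so the ruleset is not loaded until after the PPP link is up and the stack runs unfiltered during that window; the `# BEFORE:  routing` constraint then also depends on ppp finishing first. Suggest keeping the base ordering and instead creating tun0 before pf runs (cloned_interfaces in rc.conf) or carrying this REQUIRE as a local override, as the resolution below recommends.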
How-To-Repeat: Set up ppp/diald for tun0 and have a pf.conf referencing the tun0 interface.
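A configuration illustrating the cloned-interface approach, added here as an example and not taken from the report or the committer's reply: rc.conf has netif create tun0 before /etc/rc.d/pf runs, and the pf rule refers to the interface in parentheses so pf resolves the address when packets flow rather than when the ruleset is loaded. The `$lan` subnet and the NAT rule are assumed, not from the reporter's pf.conf.

```conf
# /etc/rc.conf (fragment) -- create tun0 at netif time, so the interface
# already exists when /etc/rc.d/pf loads the ruleset; ppp attaches to it later
cloned_interfaces="tun0"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# /etc/pf.conf (fragment) -- ext_if is the PPPoE tunnel, lan is assumed
ext_if = "tun0"
lan    = "192.168.1.0/24"

# Fails at load time while tun0 has no address: pfctl must expand
# the bare interface name to an address when the rules are parsed.
# nat on $ext_if from $lan to any -> $ext_if

# Loads with tun0 still unnumbered: "($ext_if)" is a dynamic address,
# evaluated per packet, so it follows whatever address ppp assigns later.
nat on $ext_if from $lan to any -> ($ext_if)
pass out on $ext_if keep state
```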
Comment 1 Remko Lodder freebsd_committer freebsd_triage 2008-10-10 20:35:37 UTC
State Changed
From-To: open->closed

This had been discussed before and will not be incorporated. You can do that manually if needed, and you can use cloned_interfaces to set up tun0 in advance. The reason for this being loaded as soon as possible is that the network stack is protected; if you do it differently there is a window of opportunity to break in. So you can do that locally if needed, but it will not get incorporated into the tree. This is a summary of what had been discussed before. Thanks for taking the time to submit this and for using FreeBSD!