Subject: Re: pf + current-GENERIC
To: George Georgalis <email@example.com>
From: matthew sporleder <firstname.lastname@example.org>
Date: 02/13/2006 21:44:02
On 2/13/06, George Georgalis <email@example.com> wrote:
> On Mon, Feb 13, 2006 at 06:21:04PM -0500, matthew sporleder wrote:
> >I am running -current with GENERIC, and trying to use pf.
> >GENERIC doesn't seem to come with pf compiled in, so I load the module.
> >In rc.conf, if I have:
> >It doesn't load the module before pf.
> >If I use:
> >It loads the module, but doesn't pick up my rules in /etc/pf.conf.
> >I tried:
> >But it still didn't work. Looking at /etc/rc.d/pf seems to imply that
> >it should work just as well as /etc/rc.d/pf_boot, but that's obviously
> >not happening.
> >Any hints?
> My opinion, and I've looked carefully (but am no pf
> or netbsd rc.d expert), is that the stock netbsd
> rc.d defaults are way broken, too complicated with no
> benefit. And, they don't seem to work as documented.
> If you make install in /usr/pkgsrc/security/pflkm
> I think it informs you the proper way to load the
> kernel module at boot, there is another config file
> to populate -- but I don't recall exactly.
> dang... $ make patch
> ===> pflkm-20050511 is not available for NetBSD-3.0-i386
> I was going to look for it in source. but lkm.conf(5) seems
> to tell you what you need...
> The lkm.conf file specifies loadable kernel modules, see
> lkm(4), that are to be loaded at boot time. The lkm.conf
> file is processed by /etc/rc.lkm at system boot time, if it
> Each line of the file is of the form
> path options entry postinstall output when
> The patch below just disables the /etc/rc.d/pf_boot
> script and the other file is a replacement that does
> what you expect.
> That's assuming that you expect /etc/pf.conf to hold
> your boot time pf configuration and have pf=yes
> in rc.conf to load it. If you have pf=yes but no
> pf.conf it loads /etc/defaults/pf.boot.conf; also
> you can define pf_flags and pf_rules for pfctl opts
> and an alternate location for the conf file.
> It doesn't address loading the module or enabling it
> in the kernel config, which should probably be part
> of whatever procedure puts pf=yes in rc.conf ;-)
> I'd planned to offer the above for base, but I've not
> tested it much or worked out exactly what to suggest
> to change on base.
I think a better solution might be to try tracking down why rcorder
and /etc/rc.d/lkm1 aren't providing beforenetlkm as specified by
/etc/rc.d/pf instead of replacing the files with these, less featured
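The ordering question in the last message (does anything PROVIDE the beforenetlkm keyword that /etc/rc.d/pf REQUIREs?) can be checked mechanically from the rcorder(8)-style headers. The script below is an added example, not from the thread or NetBSD base; it builds two constructed sample rc.d trees (their header contents are made up, not copied from NetBSD) and reports any REQUIRE keyword of a script that no script in the tree provides.

```shell
#!/bin/sh
# Dependency check for rc.d scripts using the "# PROVIDE:" / "# REQUIRE:"
# headers that rcorder(8) reads.  Hypothetical helper, not part of base.

# Print the words after "# PROVIDE:" or "# REQUIRE:" (2nd arg) in one script.
rc_keywords() {                  # rc_keywords <script> PROVIDE|REQUIRE
    awk -v tag="$2" '
        $0 ~ ("^#[ \t]*" tag ":") {
            sub("^#[ \t]*" tag ":", "")   # drop the header, awk re-splits $0
            for (i = 1; i <= NF; i++) print $i
        }' "$1"
}

# Print every REQUIRE keyword of <dir>/<script> that no script in <dir>
# PROVIDEs.  Exit 0 when nothing is missing, 1 otherwise.
missing_requires() {             # missing_requires <dir> <script>
    dir=$1 script=$2 rc=0
    provided=$(for f in "$dir"/*; do rc_keywords "$f" PROVIDE; done | sort -u)
    for kw in $(rc_keywords "$dir/$script" REQUIRE); do
        if ! printf '%s\n' "$provided" | grep -qx "$kw"; then
            echo "$kw"; rc=1
        fi
    done
    return $rc
}

# Constructed sample trees (not a real /etc/rc.d): in GOOD, lkm1 provides
# beforenetlkm as pf expects; in BAD that keyword is never provided.
make_tree() {                    # make_tree <dir> <lkm1 PROVIDE list>
    mkdir -p "$1"
    printf '#!/bin/sh\n# PROVIDE: root\n' > "$1/root"
    printf '#!/bin/sh\n# PROVIDE: mountcritlocal\n# REQUIRE: root\n' > "$1/mountcritlocal"
    printf '#!/bin/sh\n# PROVIDE: %s\n# REQUIRE: root mountcritlocal\n' "$2" > "$1/lkm1"
    printf '#!/bin/sh\n# PROVIDE: pf\n# REQUIRE: root beforenetlkm mountcritlocal\n' > "$1/pf"
}
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
GOOD=$TMP/good; BAD=$TMP/bad
make_tree "$GOOD" "lkm1 beforenetlkm"
make_tree "$BAD"  "lkm1"

missing_requires "$GOOD" pf && echo "good: every REQUIRE of pf is provided"
missing_requires "$BAD"  pf || echo "bad: pf would run with its module loader unordered"
```

Run it against a real /etc/rc.d by calling missing_requires with that directory and the script name; an empty result means rcorder has a provider for every keyword the script asks for.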