Subject: Re: pf + current-GENERIC
To: matthew sporleder <msporleder@gmail.com>
From: George Georgalis <george@galis.org>
List: current-users
Date: 02/13/2006 19:32:16
On Mon, Feb 13, 2006 at 06:21:04PM -0500, matthew sporleder wrote:
>I am running -current with GENERIC, and trying to use pf.
>GENERIC doesn't seem to come with pf compiled in, so I load the module.
>
>In rc.conf, if I have:
>lkm=YES
>pf=YES
>
>It doesn't load the module before pf.
>
>If I use:
>lkm=YES
>pf_boot=YES
>
>It loads the module, but doesn't pick up my rules in /etc/pf.conf.
>
>I tried:
>lkm=YES
>pf_boot=YES
>pf=YES
>pf_rules=/etc/pf.conf
>
>But it still didn't work.  Looking at /etc/rc.d/pf seems to imply that
>it should work just as well as /etc/rc.d/pf_boot, but that's obviously
>not happening.
>
>Any hints?
>

My opinion, and I've looked carefully (but am no pf
or NetBSD rc.d expert), is that the stock NetBSD
rc.d defaults are way broken, too complicated with no
benefit. And they don't seem to work as documented.

If you make install in /usr/pkgsrc/security/pflkm,
I think it informs you of the proper way to load the
kernel module at boot; there is another config file
to populate -- but I don't recall exactly.

dang... $ make patch
===> pflkm-20050511 is not available for NetBSD-3.0-i386

I was going to look for it in the source, but lkm.conf(5) seems
to tell you what you need...

     The lkm.conf file specifies loadable kernel modules, see
     lkm(4), that are to be loaded at boot time.  The lkm.conf
     file is processed by /etc/rc.lkm at system boot time, if it
     exists.

     Each line of the file is of the form
           path options entry postinstall output when


The patch below just disables the /etc/rc.d/pf_boot
script and the other file is a replacement that does
what you expect.

http://galis.org/mkinst/patch/pf_boot.patch
http://galis.org/mkinst/patch/pf

That's assuming that you expect /etc/pf.conf to hold
your boot time pf configuration and have pf=yes
in rc.conf to load it. If you have pf=yes but no
pf.conf, it loads /etc/defaults/pf.boot.conf; also
you can define pf_flags and pf_rules for pfctl opts
and an alternate location for the conf file.

It doesn't address loading the module or enabling it
in the kernel config, which should probably be part
of whatever procedure puts pf=yes in rc.conf ;-)

I'd planned to offer the above for base, but I've not
tested it much or worked out exactly what to suggest
changing in base.

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
http://galis.org/ cell:646-331-2027 mailto:george@galis.org
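
A worked lkm.conf entry for the situation discussed in this thread, added
here as an illustration and not taken from either message or from the
pflkm package. It instantiates the six-field line format quoted above from
lkm.conf(5): path, options, entry, postinstall, output, when. Assumptions:
the pf module is installed as /usr/lkm/pf.o (check where your build or
package actually put it), a dash leaves a field at its default, and the
BEFORENET stage is the right one so the module is already loaded when
/etc/rc.d/pf runs pfctl; confirm the valid `when` keywords against the
lkm.conf(5) on your own system. The rc.conf lines are the ones the
original poster and the reply refer to; pf_boot is left unset because
loading the module is now lkm.conf's job.

```conf
# /etc/lkm.conf  (added example; field meanings per lkm.conf(5))
# path           options  entry  postinstall  output  when
/usr/lkm/pf.o    -        -      -            -       BEFORENET   # path is an assumption

# /etc/rc.conf  (settings referred to in the thread)
lkm=YES                   # let /etc/rc.lkm process lkm.conf at boot
pf=YES                    # /etc/rc.d/pf loads the ruleset
pf_rules=/etc/pf.conf     # ruleset file; pf_flags may carry extra pfctl opts
```

After a reboot, `pfctl -s rules` should show the ruleset from /etc/pf.conf
rather than the fallback in /etc/defaults/pf.boot.conf; if it shows the
fallback, the module was not yet loaded when rc.d/pf ran, which points at
the `when` field or the module path.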