Subject: Re: pf + current-GENERIC
To: George Georgalis <george@galis.org>
From: matthew sporleder <msporleder@gmail.com>
List: current-users
Date: 02/13/2006 21:44:02
On 2/13/06, George Georgalis <george@galis.org> wrote:
> On Mon, Feb 13, 2006 at 06:21:04PM -0500, matthew sporleder wrote:
> >I am running -current with GENERIC, and trying to use pf.
> >GENERIC doesn't seem to come with pf compiled in, so I load the module.
> >
> >In rc.conf, if I have:
> >lkm=YES
> >pf=YES
> >
> >It doesn't load the module before pf.
> >
> >If I use:
> >lkm=YES
> >pf_boot=YES
> >
> >It loads the module, but doesn't pick up my rules in /etc/pf.conf.
> >
> >I tried:
> >lkm=YES
> >pf_boot=YES
> >pf=YES
> >pf_rules=/etc/pf.conf
> >
> >But it still didn't work.  Looking at /etc/rc.d/pf seems to imply that
> >it should work just as well as /etc/rc.d/pf_boot, but that's obviously
> >not happening.
> >
> >Any hints?
> >
>
> My opinion, and I've looked carefully (but am no pf
> or netbsd rc.d expert), is that the stock netbsd
> rc.d defaults are way broken, too complicated with no
> benefit. And, they don't seem to work as documented.
>
> If you make install in /usr/pkgsrc/security/pflkm
> I think it informs you the proper way to load the
> kernel module at boot, there is another config file
> to populate -- but I don't recall exactly.
>
> dang... $ make patch
> ===> pflkm-20050511 is not available for NetBSD-3.0-i386
>
> I was going to look for it in source. but lkm.conf(5) seems
> to tell you what you need...
>
>      The lkm.conf file specifies loadable kernel modules, see
>      lkm(4), that are to be loaded a boot time.  The lkm.conf
>      file is processed by /etc/rc.lkm at system boot time, if it
>      exists.
>
>      Each line of the file is of the form
>            path options entry postinstall output when
>
>
> The patch below just disables the /etc/rc.d/pf_boot
> script and the other file is a replacement that does
> what you expect.
>
> http://galis.org/mkinst/patch/pf_boot.patch
> http://galis.org/mkinst/patch/pf
>
> That's assuming that you expect /etc/pf.conf to hold
> your boot time pf configuration and have pf=yes
> in rc.conf to load it. If you have pf=yes but no
> pf.conf it loads /etc/defaults/pf.boot.conf; also
> you can define pf_flags and pf_rules for pfctl opts
> and an alternate location for the conf file.
>
> It doesn't address loading the module or enabling it
> in the kernel config, which should probably be part
> of whatever procedure puts pf=yes in rc.conf ;-)
>
> I'd planned to offer the above for base, but I've not
> tested it much or worked out exactly what to suggest
> to change on base.
>

I think a better solution might be to try tracking down why rcorder
and /etc/rc.d/lkm1 aren't providing beforenetlkm as specified by
/etc/rc.d/pf instead of replacing the files with these less-featured
scripts.
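An added sanity check, not from anyone in this thread, that parses the six-field lkm.conf(5) format quoted above and reports entries whose module file is missing or world-writable before /etc/rc.lkm would load them at boot. The handling of blank lines and `#` comments, and the report format, are assumptions of this script rather than documented lkm.conf behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an lkm.conf(5) file
# before letting /etc/rc.lkm load kernel modules from it at boot.
# Assumptions: each entry is the six whitespace-separated fields from
# the man page quoted above (path options entry postinstall output when);
# blank lines and lines starting with '#' are skipped. Those conventions
# are this script's, not a statement about how rc.lkm parses the file.

# lkm_entry_status PATH -> prints "ok", "missing", or "world-writable".
# A boot-time module that any local user can overwrite is a code
# injection point into the kernel, so it is reported as bad.
lkm_entry_status() {
    [ -f "$1" ] || { echo missing; return; }
    # -perm -002: the others-write bit is set on the file
    if [ -n "$(find "$1" -perm -002 2>/dev/null)" ]; then
        echo world-writable
    else
        echo ok
    fi
}

# check_lkm_conf FILE -> one line per entry: "<ok|bad> <path> <detail>".
# Returns 0 only if every entry is well-formed and its module is safe.
check_lkm_conf() {
    rc=0
    while read -r path options entry postinstall output when extra; do
        # skip blank lines and comments
        case "$path" in ''|'#'*) continue ;; esac
        # exactly six fields expected: fewer leaves $when empty,
        # more fills $extra
        if [ -z "$when" ] || [ -n "$extra" ]; then
            echo "bad $path wrong-field-count"; rc=1; continue
        fi
        reason=$(lkm_entry_status "$path")
        if [ "$reason" = ok ]; then
            echo "ok $path $when"
        else
            echo "bad $path $reason"; rc=1
        fi
    done < "$1"
    return $rc
}

# Report on the live file when run on a system that has one.
if [ -f /etc/lkm.conf ]; then
    check_lkm_conf /etc/lkm.conf
fi
```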