Current-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Error/warning message from rc.d/npf

On Thu, 23 Mar 2017, Tom Ivar Helbekkmo wrote:

Paul Goyette <> writes:

See PR kern/51818 for more details - it seems that the second
"element" in $ext_if is ignored, and the ruleset is applied only to
the first "element".

I'm guessing tun0 doesn't exist at the time npf is loaded, and a
workaround would be to reload it after starting the process that creates
that interface.

Yes, the tunnel is created (by openvpn) sometime later in the startup process. And after that, ipv6addrctl established the route selection policy.

I don't know what npf does (or what I think it should do, for that
matter) when interfaces that are mentioned in the configuration file,
but do not exist at startup, later get created.  Some such interfaces
may be locked to a particular purpose every time, while others may get
created and destroyed from time to time, but for different purposes at
different times.

Perhaps there is a more appropriate sequence for startup? Should the vpn be created first?

Currently, /etc/rc.d/openvpn contains

	# PROVIDE: openvpn

and /etc/rc.d/blacklistd contains

	# PROVIDE: blacklistd
	# REQUIRE: npf

| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at |

Home | Main Index | Thread Index | Old Index