Current-Users archive


Re: Error/warning message from rc.d/npf



On Thu, 23 Mar 2017, Tom Ivar Helbekkmo wrote:

Paul Goyette <paul%whooppee.com@localhost> writes:

See PR kern/51818 for more details - it seems that the second
"element" in $ext_if is ignored, and the ruleset is applied only to
the first "element".

I'm guessing tun0 doesn't exist at the time npf is loaded, and a
workaround would be to reload it after starting the process that creates
that interface.

Yes, the tunnel is created (by openvpn) sometime later in the startup process. And after that, ipv6addrctl established the route selection policy.


I don't know what npf does (or what I think it should do, for that
matter) when interfaces that are mentioned in the configuration file,
but do not exist at startup, later get created.  Some such interfaces
may be locked to a particular purpose every time, while others may get
created and destroyed from time to time, but for different purposes at
different times.

Perhaps there is a more appropriate sequence for startup? Should the vpn be created first?

Currently, /etc/rc.d/openvpn contains

	# PROVIDE: openvpn
	# REQUIRE: NETWORKING

and /etc/rc.d/blacklistd contains

	# PROVIDE: blacklistd
	# REQUIRE: npf
	# BEFORE:  SERVERS



+------------------+--------------------------+------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+

