tech-net archive


Re: npf and ephemeral interfaces (tun0)



On 17 February 2016 at 19:35, Christos Zoulas <christos%astron.com@localhost> wrote:
> In article <CAGN_6pZoxP0EmG7PME9=pQAMrkHbDkmdfoB9VQZpCR-wNLmdww%mail.gmail.com@localhost>,
> David Brownlee  <abs%absd.org@localhost> wrote:
>>I have a server which needs to run an npf map rule on its OpenVPN
>>interface (tun0).
>>
>>I can create the rule fine, but when the system restarts npf rejects
>>the ruleset because there is no tun0 interface. Am I missing something?
>>Is there a way around this?
>>
>>I have a couple of other systems still using pf to avoid this kind of issue :/
>>
>>Relevant rule lines:
>>
>>$vpn_if = inet4(tun0)
>>map $vpn_if dynamic $foohost      port 22 <- $foohost port 24
>
> Although you can refer to non-existing interfaces and they will work in spite
> of the warnings, I have:
>
>         pass final on ppp0 all
>         pass final on ppp1 all
>         pass final on ppp2 all
>
> inside my rules without having any ppp interfaces at filter load
> time, unfortunately referring to addresses on a non-existing interface
> does not work. Having the ability to insert and remove map statements
> like this dynamically is a missing feature that also makes UPNP
> difficult to implement.

Thanks - setting "$vpn_if = tun0" looks like it should work for this
specific case, which is a relief. I think I have another
currently-pf-using box which may need the ip on the ephemeral
interface, but at least one other box will also be happy with this, so
that's at least 2/3 wins right away :)

Thanks again!
