diff options
| author | Marco Pfatschbacher <mpf@cvs.openbsd.org> | 2008-01-09 21:38:20 +0000 |
|---|---|---|
| committer | Marco Pfatschbacher <mpf@cvs.openbsd.org> | 2008-01-09 21:38:20 +0000 |
| commit | 597c7e339fd131c5dbb14259b1430ec93c1a8934 (patch) | |
| tree | ceb5b614a298f8e6d2c7174b8e8b9942e5989bb1 | |
| parent | 701fbb8f0bcfbeb3b8e495f8aae3abd97b7c35af (diff) | |
Do not bring up pfsync(4) before the working ruleset
has been loaded. Otherwise, states that are received during the
initial bulk update mismatch the correct pf-checksum and
do not attach to the rules.
Problem identified by david@. Fix done in collaboration.
OK henning@
| -rw-r--r-- | etc/netstart | 8 | ||||
| -rw-r--r-- | etc/rc | 8 |
2 files changed, 9 insertions, 7 deletions
diff --git a/etc/netstart b/etc/netstart index 07dd92da7fa..4b32332e84a 100644 --- a/etc/netstart +++ b/etc/netstart @@ -1,6 +1,6 @@ #!/bin/sh - # -# $OpenBSD: netstart,v 1.116 2007/08/02 03:19:10 david Exp $ +# $OpenBSD: netstart,v 1.117 2008/01/09 21:38:19 mpf Exp $ # Strip comments (and leading/trailing whitespace if IFS is set) # from a file and spew to stdout @@ -304,10 +304,8 @@ fi # The trunk interfaces need to come up first in this list. # The vlan interfaces need to come up after trunk. -# The pfsync interfaces need to come up before carp. -# Configure all the carp interfaces which we know about. -# They must come up after pfsync but before default route. -ifmstart "trunk vlan pfsync carp" +# Configure all the carp interfaces which we know about before default route. +ifmstart "trunk vlan carp" # /etc/mygate, if it exists, contains the name of my gateway host # that name must be in /etc/hosts. @@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.308 2007/12/07 17:13:35 deraadt Exp $ +# $OpenBSD: rc,v 1.309 2008/01/09 21:38:19 mpf Exp $ # System startup script run by init on autoboot # or after single-user. @@ -221,7 +221,7 @@ if [ X"${pf}" != X"NO" ]; then RULES="$RULES\npass out inet6 proto icmp6 all icmp6-type routersol" RULES="$RULES\npass in inet6 proto icmp6 all icmp6-type routeradv" fi - RULES="$RULES\npass proto { pfsync, carp }" + RULES="$RULES\npass proto carp" case `sysctl vfs.mounts.nfs 2>/dev/null` in *[1-9]*) # don't kill NFS @@ -249,6 +249,10 @@ if [ X"${pf}" != X"NO" ]; then if [ -f ${pf_rules} ]; then pfctl -f ${pf_rules} fi + # bring up pfsync after the working ruleset has been loaded + if [ -f /etc/hostname.pfsync0 ]; then + . /etc/netstart pfsync0 + fi fi mount -s /usr >/dev/null 2>&1 |