authorHenning Brauer <henning@cvs.openbsd.org>2014-04-19 16:07:10 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2014-04-19 16:07:10 +0000
commit4288cbf882ef42844f306a938b50fd384b5be059 (patch)
treecdff356164bcbad2964963ab4e7a43b980e66047 /etc
parent7ba085eb45331fe601ce368b6a245a52f483031a (diff)
use "!received-on any" to absolutely ensure that we're not forwarding
carp, rpc or nfs traffic in the initial ruleset active during network startup for a short time (or a much longer time if /etc/pf.conf is screwed up). ok phessler
Diffstat (limited to 'etc')
-rw-r--r--etc/rc7
1 files changed, 4 insertions, 3 deletions
diff --git a/etc/rc b/etc/rc
index eb7d7c74c16..599e99d13af 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.423 2014/03/15 22:13:36 sthen Exp $
+# $OpenBSD: rc,v 1.424 2014/04/19 16:07:09 henning Exp $
# System startup script run by init on autoboot
# or after single-user.
@@ -336,13 +336,14 @@ if [ X"${pf}" != X"NO" ]; then
RULES="$RULES\npass out inet6 proto udp from any port dhcpv6-client to any port dhcpv6-server"
RULES="$RULES\npass in inet6 proto udp from any port dhcpv6-server to any port dhcpv6-client"
fi
- RULES="$RULES\npass proto carp keep state (no-sync)"
+ RULES="$RULES\npass in proto carp keep state (no-sync)"
+ RULES="$RULES\npass out proto carp !received-on any keep state (no-sync)"
case `sysctl vfs.mounts.nfs 2>/dev/null` in
*[1-9]*)
# don't kill NFS
RULES="set reassemble yes no-df\n$RULES"
RULES="$RULES\npass in proto { tcp, udp } from any port { 111, 2049 } to any"
- RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 }"
+ RULES="$RULES\npass out proto { tcp, udp } from any to any port { 111, 2049 } !received-on any"
;;
esac
echo $RULES | pfctl -f -
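Review bot: The inbound NFS rule left as context, `pass in proto { tcp, udp } from any port { 111, 2049 } to any`, still matches only on the remote source port, so while this bootstrap ruleset is active (briefly, or indefinitely if /etc/pf.conf fails to load, as the commit message notes) any host can reach any local TCP/UDP port simply by sending from source port 111 or 2049; the `!received-on any` additions tighten only what the box itself originates or forwards outbound. If the stateful `pass out ... to any port { 111, 2049 } !received-on any` rule on the following line already admits the server's replies for mounts made from this host, the inbound rule may be droppable; if it is needed for mounts established before pf is loaded, it would be safer to narrow it to the mounted servers' addresses or at least the destination ports the client actually uses, which I cannot determine from this hunk. At minimum a comment such as `# source-port-only match is spoofable; tolerable only because /etc/pf.conf replaces this ruleset shortly after` would record the accepted risk. The enclosing `if [ X"${pf}" != X"NO" ]` block begins before this hunk.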