Re: When should pf reload (if:network) rules?
Sitsofe Wheeler wrote:
> Hello,
>
> At the moment pf on OpenBSD 3.5 does a great job of automatically
> reloading parenthesised interface rules when an address of that
> interface changes and this works well. However I have the following
> rule:
>
> pass out quick on $int_if from any to ($int_if:network)
>
> When pf is loaded this rule matches the interface's initial set of
> network addresses. However, after pf is running an IPv6 alias is added
> to the $int_if interface but despite being in parentheses the rule is
> not reloaded. I'm wondering whether (:network) should cause a rule
> reload when an interface's alias list changes...

I think that the problem is not with :network, but with all IPv6
addresses. Unless I'm mistaken, the dohooks() calls are missing there.
Could you try this completely untested patch to see if it solves
your problem (apply patch by hand with "vi")?

Cedric

Index: in6.c
===================================================================
RCS file: /cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.59
diff -u -r1.59 in6.c
--- in6.c 24 Aug 2004 02:57:33 -0000 1.59
+++ in6.c 25 Sep 2004 08:30:37 -0000
@@ -777,6 +777,7 @@
return ((*ifp->if_ioctl)(ifp, cmd, data));
}
+ dohooks(ifp->if_addrhooks, 0);
return (0);
}
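
Review bot: the added dohooks(ifp->if_addrhooks, 0) call sits only on the fall-through path immediately before return (0), so the return ((*ifp->if_ioctl)(ifp, cmd, data)); two lines above it leaves the function without running the address hooks. If any address add or delete request completes through that driver ioctl return, pf will still not be notified and the ($int_if:network) rule stays stale. Please confirm which commands actually reach this final return, and consider calling the hooks at the point where the address change is known to have succeeded rather than at the common exit, so they also do not fire for requests that changed nothing. A one-line comment explaining why the hooks are run here would help the next reader.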