PF How to handle PF rules for process launching after PF (openvpn for example)?

[patpro]

Hello,

On various servers, I'm facing problems with processes like security/openvpn or Jails and their interaction with pf(4).

They require specific rules involving network interface or IP address that do not exists yet on the system when pf(4) starts. Hence for security/openvpn I've got this at boot time:

/etc/pf.conf:124: could not parse host specification
/etc/pf.conf:125: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded

where lines 124-125 are:

pass in  on $vpn_if from $vpn_if:network to any keep state
pass out on $vpn_if from any to $vpn_if:network keep state

vpn_if is tun0, and it's created when security/openvpn starts... after pf(4).

And network services running on Jails remain unreachable until I restart pf(4), because - I guess - pf(4) has already loaded a description of my network interface that does not include Jails IP addresses.

For now, I'm using this work around:

# grep reboot /etc/crontab 
@reboot                    root    sleep 5 & pfctl -f /etc/pf.conf

This is so ugly.
Is there a proper way to handle this kind of problem?

 

[SirDice]

OpenVPN can run an "up" and "down" script when the interface goes up and down. You can use that to reload pf(4) and/or load additional rules.

 

[asteriskRoss]

What you want to do is similar to Beeblebrox in Thread create-pre-cloned-interface-for-virtualbox.50421. devd(8) can execute actions in response to devices being added or removed. PF provides anchors as placeholders for rulesets that can then be changed dynamically; look at the pf.conf(5) and pfctl(8)man pages.

 

[patpro]

Thank you both for your replies.
Looking for more information about OpenVPN up/down scripts, I've stumbled upon another post dealing with the same problem and I've understood my mistake: I need to put parenthesis around network specifications:

wrong:

pass in on $vpn_if from $vpn_if:network to any keep state
pass out on $vpn_if from any to $vpn_if:network keep state

right:

pass in on $vpn_if from ($vpn_if:network) to any keep state
pass out on $vpn_if from any to ($vpn_if:network) keep state

With ($vpn_if:network) instead of $vpn_if:network, pf(4) correctly loads its rules at boot time. I still have to test OpenVPN, but I'm pretty confident it'll be ok.
I think I might use the same syntax for my Jail host config, but it's production, so I'll give it a try after my vacation. And if it does not work, I'll try something with devd.

edit: Damn. I've been too much confident ;/
OpenVPN related rules in pf.conf don't break pf(4) startup at boot time, but still they won't function unless I reload pf(4) after OpenVPN has started. I'll take a look at up/down scripts.