On 2016/09/07 16:33, Sebastien Marie wrote:
> On Wed, Sep 07, 2016 at 01:14:45PM +0200, Sebastien Marie wrote:
> > Hi,
> > 
> > I upgraded my laptop (amd64) to the latest snapshot, and I am experiencing odd 
> > network connectivity.
> > 
> > In summary:
> > - ping is ok (lan and internet)
> > - udp is ok (lan and internet) - DNS is working
> > - tcp isn't working (connect: no route to host) - tested with several 
> > tools: ssh(1), nc(1), or telnet(1)
> >   the problem is present for lan and internet addresses.
> > 
> 
> I finally found the root of the issue: a racy syntax error in my pf.conf
> 
> I used egress:network in a table in /etc/pf.conf.
> 
> Regarding the boot process:
>   - set really strict pf rules (grep RULES /etc/rc for details)
>       outgoing ping is allowed
>       outgoing DNS is allowed
>       outgoing tcp for ssh or http is BLOCKED
>       ...
> 
>       (it explains my network situation)
> 
>   - enable pf
>   - sh /etc/netstart
>   - pfctl -f /etc/pf.conf
> 
> I ran into a race for "egress:network" between netstart and pfctl.
> 
> Sometimes (not always), pfctl -f /etc/pf.conf exits with an error:
>       no IP address found for egress:network
>       /etc/pf.conf:15 could not parse host specification
> 
> leaving the system with default rules (which aren't suitable for generic
> use).
> 
> I am still unsure how the race occurs, whether it is for the "egress" interface
> group, or for "egress:network" (the addresses, not the group).
> 
> As "egress" is generally used in /etc/pf.conf, I dunno if the latest commits
> make the race easier to hit, or if it is something else.

If an address is provided dynamically, it is usually better to defer the
address lookup to runtime, e.g. by using "(egress:network)" instead of
just "egress:network".
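As an added illustration of the two forms (this is an example fragment written for this page, not the reporter's ruleset or anything from the OpenBSD tree), here is a pf.conf rule using the load-time form beside the same rule using the runtime form. The example places the address in a rule body rather than in a table, which is where the report had it; whether the parenthesised form is accepted inside a table definition is not something this thread establishes, so that is left aside.

```pf
# /etc/pf.conf fragment (constructed example, not the poster's actual file)

# Load-time form: pfctl expands "egress:network" while it parses the file.
# If the interface in the egress group has no address yet (DHCP still
# negotiating when rc runs "pfctl -f /etc/pf.conf"), the load aborts with
#   no IP address found for egress:network
# and the strict boot-time ruleset from /etc/rc stays in place.
#pass in on egress inet proto tcp from egress:network to egress port ssh

# Runtime form: the parentheses make the kernel track the interface's
# addresses itself, so the rule loads even before an address is assigned
# and follows later address changes without a ruleset reload.
pass in on egress inet proto tcp from (egress:network) to (egress) port ssh
pass out on egress inet from (egress:network)
```

To see which interfaces the group currently contains, run `ifconfig -g egress`; to parse the file without loading it, run `pfctl -nf /etc/pf.conf`, keeping in mind that the load-time form will still fail that check whenever the group has no address at that moment, which is exactly the condition the runtime form avoids. `pfctl -sr` shows what actually got loaded.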
