20-60 second retry is probably better than 10. Also when you start the script in /etc/rc.local you can run it at nice +20 or something so it isn't given CPU priority. And you can get a lot more sophisticated too, retrying more often just after the script starts and less often afterwards.
-Matt

On Mon, Sep 5, 2016 at 4:50 AM, Richard Nyberg <[email protected]> wrote:
> The script will be a useful workaround. Many thanks!
>
> Regards,
> -Richard
>
> On 5 September 2016 at 07:35, Matthew Dillon <[email protected]> wrote:
> > I have this problem too, it's likely a bug in our PF implementation. What I
> > do is have a little script which I start in the background (using the notty
> > command) from /etc/rc.local which checks whether the DHCP assignment has
> > changed on the interface and then reloads the PF rules if it has.
> >
> > To reload the rules:
> >
> >     pfctl -d
> >     pfctl -F all
> >     pfctl -f /etc/pf.conf
> >     pfctl -e
> >
> > There are a few ways to detect whether the DHCP assignment has changed. The
> > easiest is for the script to save the output from the ifconfig command
> > filtering for 'inet'. e.g. something like this:
> >
> >     # set fubar1 to force initial reload
> >     #
> >     set fubar1 = "xx"
> >
> >     while (1)
> >         set fubar2 = `ifconfig igb0 | fgrep inet`
> >         if ( "$fubar1" != "$fubar2" ) then
> >             # reload the PF rules (the pfctl sequence above)
> >             pfctl -d
> >             pfctl -F all
> >             pfctl -f /etc/pf.conf
> >             pfctl -e
> >         endif
> >         sleep 10
> >         set fubar1 = "$fubar2"
> >     end
> >
> > Obviously not the best solution but it works as a monitor.
> >
> > I think PF is supposed to pick up changes automatically when an interface is
> > specified like that, but our PF doesn't appear to.
> >
> > -Matt
> >
> > On Sun, Sep 4, 2016 at 2:33 AM, Richard Nyberg <[email protected]> wrote:
> >>
> >> Hello users,
> >>
> >> I've set up a df4.6 box as an internet gateway and samba fileserver at
> >> home. It gets its external IP address via dhcp on re0. The problem is
> >> that after this machine has booted, I need to run "rcrestart pf".
> >> Otherwise the machines on the internal network can't access the
> >> internet.
> >>
> >> Any thought on this? The server's rc.conf and pf.conf are below.
> >>
> >> ### pf.conf begin
> >>
> >> ext_if="re0"
> >> int_if="em0"
> >>
> >> scrub in
> >>
> >> nat on $ext_if from $int_if:network -> ($ext_if)
> >>
> >> block in
> >> pass out keep state
> >>
> >> pass quick on { lo $int_if }
> >>
> >> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
> >> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51403 keep state
> >> pass in on $ext_if proto { tcp udp } to ($ext_if) port 51413 keep state
> >>
> >> ### pf.conf end
> >>
> >> ### rc.conf begin
> >>
> >> powerd_enable="YES"
> >> dntpd_enable="YES"
> >> samba_enable="YES"
> >> sshd_enable="YES"
> >>
> >> dbus_enable="YES"
> >> avahi_daemon_enable="YES"
> >>
> >> dhcpd_enable="YES"
> >> dhcpd_flags="-q"
> >> dhcpd_conf="/usr/local/etc/dhcpd.conf"
> >> dhcpd_ifaces="em0"
> >> dhcpd_withumask="022"
> >>
> >> dumpdev="/dev/serno/S246J90Z339652.s1b"
> >>
> >> hostname="gorg.lan"
> >>
> >> ifconfig_re0="DHCP"
> >> ifconfig_em0="inet 10.5.2.1 netmask 0xffffff00"
> >>
> >> gateway_enable="YES"
> >> pf_enable="YES"
> >>
> >> ### rc.conf end
> >>
> >> Best regards,
> >> -Richard
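A more robust form of the monitor discussed in this thread, as an added example in POSIX sh (not the csh script from the mail): it compares only the inet address fields so unrelated ifconfig output cannot trigger a reload, uses the longer, backing-off poll interval suggested in the reply, and parse-checks pf.conf before flushing so a broken ruleset never leaves the gateway passing everything. The script name, the /usr/local/sbin path, the logger tag and the 120/600 second thresholds are assumptions.

```sh
#!/bin/sh
# pfwatch.sh: reload PF when the DHCP address on an interface changes.
# Added example, not the thread's script. Assumes BSD-style ifconfig
# output, pfctl in PATH and the ruleset in /etc/pf.conf.
# From /etc/rc.local:  nice -n 20 /usr/local/sbin/pfwatch.sh igb0 &

# Keep only the IPv4 address and netmask from ifconfig output on stdin, so a
# changed flag or counter elsewhere in the output does not trigger a reload.
inet_state() {
    awk '$1 == "inet" { print $2, $4 }' | sort
}

# Poll often right after start (a lease normally arrives within the first
# minutes after boot) and back off later; $1 is seconds since start.
poll_interval() {
    if [ "$1" -lt 120 ]; then echo 10
    elif [ "$1" -lt 600 ]; then echo 30
    else echo 60
    fi
}

reload_pf() {
    # Parse-check first: after 'pfctl -F all' a ruleset that fails to load
    # would leave pf enabled with no rules, i.e. passing everything.
    if ! pfctl -n -f /etc/pf.conf; then
        logger -t pfwatch "pf.conf does not parse, keeping current rules"
        return 1
    fi
    pfctl -d
    pfctl -F all
    pfctl -f /etc/pf.conf
    pfctl -e
}

monitor() {
    last="xx"                 # force a reload on the first pass
    start=$(date +%s)
    while :; do
        cur=$(ifconfig "$1" | inet_state)
        if [ "$cur" != "$last" ]; then
            logger -t pfwatch "address on $1 changed, reloading pf"
            reload_pf && last=$cur   # a failed reload is retried next pass
        fi
        sleep "$(poll_interval $(( $(date +%s) - start )))"
    done
}
# Run the loop only when an interface name is given on the command line.
if [ $# -ge 1 ]; then
    monitor "$1"
fi
```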
