/etc/rc: pf vs. dhclient ... lockd, too

From: Chris Jepeway <jepeway(at)blasted-heath.com>
Date: Mon Nov 25 2002 - 13:11:50 EST


I'm running OpenBSD-3.0 on an AlphaStation 200 4/233.

I've recently moved from an ISDN line to a 'net spigot provided by my cable company. In the ISDN days, my connection was managed by a NetGear router. It handled the ISDN line and most all of the packet mangling I wanted, filters and NAT and such. What with a cable modem to handle the link, I now mangle packets with OpenBSD and pf.

The cable co hands out IP addrs via DHCP, so I must run both dhclient and pf. They don't play very nicely together: the default "block in all / block out all" pf rules in /etc/rc kill the DHCP and ICMP packets dhclient needs to obtain a lease.

Here's a patch that adds RULES to /etc/rc that let dhclient do its thing. It works for me, but I think it should be considered as an illustration of what needs fixing rather than as a "swear to God, this is the right way to do it." I'm not at all sure, e.g., what the preferred method of grotting through the hostname.if files in /etc should be. /etc/netstart came to mind, but cut-n-paste didn't seem like the right thing.

Oh, and the patch also changes lockd_flags from a boolean into a set of real flags, useful for debugging NFS locks as in "lockd_flags=-d".

This patch is against /etc/rc version 1.185 distributed w/ OpenBSD-3.0.

Should I submit this via 2X sendbug? One for lockd, one for RULES?

Chris <jepeway@blasted-heath.com>.

  • rc Sun Aug 18 12:08:44 2002 +++ /tmp/rc Mon Nov 25 12:35:56 2002 @@ -125,6 +125,23 @@ RULES="$RULES\npass out proto udp from any to any port { 111, 2049 }" ;; esac
    + hnif=
    + for hn in /etc/hostname.* ; do
    + case $hn in
    + /etc/hostname.[A-Za-z]*[0-9])
    + # check this if for dhcp
    + hnif="$hnif $hn"
    + ;;
    + esac
    + done
    + if [ ! -z "$hnif" ] && grep > /dev/null 2>&1 ^dhcp $hnif ; then
    + # don't kill DHCP/BOOTP
    + RULES="$RULES\npass in proto udp from any port bootps to any port bootpc"
    + RULES="$RULES\npass out proto udp from any port bootpc to any port bootps"
    + # dhclient-script checks the router
    + # with ping, so enable echo requests
    + RULES="$RULES\npass out inet proto icmp all icmp-type echoreq keep state"
    + fi
    echo $RULES | pfctl -R - -e fi
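Review bot: the new inbound rule `pass in proto udp from any port bootps to any port bootpc` is not bound to an interface, so for as long as this ruleset is loaded it admits port bootpc traffic on every interface, not only the one whose hostname.if asked for dhcp; since `$hnif` already holds those file names, the interface (the part after `hostname.`) is known and the rule can be `pass in on $if proto udp ...`, with the same `on $if` on the two pass out rules. Smaller points in the same hunk: `grep > /dev/null 2>&1 ^dhcp $hnif` reads more plainly as `grep -q '^dhcp' $hnif`, and the comment `# check this if for dhcp` should say that only the first line of hostname.if is meant. Finally, because these rules live only in the RULES string fed to `pfctl -R -`, whatever ruleset replaces it later in the boot must carry equivalent pass rules or dhclient's lease renewals will be blocked again; the patch description should say so.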

@@ -272,8 +289,8 @@

 	echo -n > /var/db/mountdtab
 	echo -n ' mountd';		mountd
 	echo -n ' nfsd';		nfsd ${nfsd_flags}
-	if [ X${lockd} = X"YES" ]; then
-		echo -n ' rpc.lockd';	rpc.lockd

+ if [ X"${lockd_flags}" != X"NO" ]; then
+ echo -n ' rpc.lockd'; rpc.lockd ${lockd_flags}
fi

 fi Received on Mon Nov 25 13:12:56 2002
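Review bot: the replacement test `X"${lockd_flags}" != X"NO"` starts rpc.lockd whenever lockd_flags is unset or empty, whereas the removed `X${lockd} = X"YES"` only started it on an explicit YES, so a machine whose rc.conf still carries `lockd=NO` (or nothing at all) will gain a running lockd after this hunk; the matching rc.conf change that introduces `lockd_flags=NO` as the default, plus the rc.conf(8) text for the new variable, is not in the patch and should travel with it. The `!= NO` form itself is the right one, since it matches how `${nfsd_flags}` is handled two lines up in the same hunk.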

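The bootstrap rules the mail describes, written out as an added shell example (not the patch itself, and not OpenBSD's /etc/rc): it scans hostname.if files the way the patch does, but goes one step further and emits the DHCP and ICMP pass rules per interface (`pass in on de0 ...`) instead of for any interface, and it emits nothing at all when no interface uses DHCP. Assumptions: the directory holding the hostname.* files is passed as the first argument (/etc in real use), the interface name is whatever follows `hostname.` in the file name, and only the first line of the file decides whether DHCP is in use; the `hostname.de0`, `hostname.fxp1` and `hostname.bak` files are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the mail or from OpenBSD's /etc/rc.
# Builds the pf rules dhclient needs during boot, one set per interface
# whose hostname.if file (first line "dhcp") asks for DHCP, so the inbound
# pass rule is limited to that interface instead of "from any to any".
# Assumption: hostname.if files live in the directory given as $1.

# Print the pf rules for every DHCP-configured interface under directory $1.
# Prints nothing when no interface uses DHCP, so the caller can skip the
# rules entirely in that case.
dhcp_pf_rules() {
    dir=$1
    for hn in "$dir"/hostname.*; do
        [ -f "$hn" ] || continue            # glob matched nothing
        case $hn in
            */hostname.[A-Za-z]*[0-9]) ;;   # looks like hostname.<driver><unit>
            *) continue ;;                  # backups, editor leftovers, etc.
        esac
        # Only the first line of hostname.if carries the "dhcp" keyword.
        if head -n 1 "$hn" | grep -q '^dhcp'; then
            ifn=${hn##*/hostname.}          # interface name from the file name
            printf 'pass in on %s proto udp from any port bootps to any port bootpc\n' "$ifn"
            printf 'pass out on %s proto udp from any port bootpc to any port bootps\n' "$ifn"
            # dhclient-script pings the default router; keep state so the
            # echo reply is let back in without a separate pass in rule.
            printf 'pass out on %s inet proto icmp all icmp-type echoreq keep state\n' "$ifn"
        fi
    done
}

# Number of rule lines that would be generated for directory $1.
dhcp_rule_count() {
    dhcp_pf_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample: a temporary stand-in for /etc with one DHCP interface,
# one statically configured interface and one file that is not a hostname.if.
demo_dir=$(mktemp -d)
printf 'dhcp NONE NONE NONE\n' > "$demo_dir/hostname.de0"
printf 'inet 192.0.2.10 255.255.255.0 NONE\n' > "$demo_dir/hostname.fxp1"
printf 'dhcp\n' > "$demo_dir/hostname.bak"   # ignored: no trailing unit number

# Prints three rules, all "on de0"; fxp1 and hostname.bak produce nothing.
dhcp_pf_rules "$demo_dir"
```

In /etc/rc the output would be appended to RULES before the `pfctl -R - -e` call; note that the same three rules still have to appear in whatever ruleset replaces the bootstrap one, or lease renewals are blocked again.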
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:27 EDT

