author: yar <yar@FreeBSD.org> 2005-10-02 18:59:02 +0000
committer: yar <yar@FreeBSD.org> 2005-10-02 18:59:02 +0000
commit: 327895a26d00e4a20e74f7f0f563dbda350408fa
tree: 06f160b8333b1fa086d351d997b7534badaf42fb /contrib/pf
parent: 57ff4e8e87ba086a7cc0b2bb654094221fa7ed55

Add an rc.d script to start pfsync at the right moment of the
system boot, and hook it up in the system.

The separate script is needed because in the presence of various
interface lists in rc.conf ($network_interfaces, $cloned_interfaces,
$sppp_interfaces, $gif_interfaces, more to come) it is hard to start
them orderly, so that pfsync is brought up after its syncdev, which is
required for the proper startup of pfsync.

Discussed with: mlaier on -pf
MFC after: 5 days

Diffstat (limited to 'contrib/pf')
-rw-r--r-- contrib/pf/man/pfsync.4 23
1 files changed, 21 insertions, 2 deletions
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4
index 10fc5a6..abc81af 100644
--- a/contrib/pf/man/pfsync.4
+++ b/contrib/pf/man/pfsync.4
@@ -129,7 +129,25 @@ dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with
.Xr ipsec 4 .
.Pp
+For
+.Nm
+to start its operation automatically at the system boot time,
+.Va pfsync_enable
+and
+.Va pfsync_syncdev
+variables should be used in
+.Xr rc.conf 5 .
+It is not advisable to set up
+.Nm
+with common network interface configuration variables of
+.Xr rc.conf 5
+because
+.Nm
+must start after its
+.Cm syncdev ,
+which cannot be always ensured in the latter case.
.\" XXX: not yet!
+.\" .Pp
.\" There is a one-to-one correspondence between packets seen by
.\" .Xr bpf 4
.\" on the
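Review bot: The added paragraph names only pfsync_enable and pfsync_syncdev, while the context lines just above it recommend specifying a peer address and protecting the traffic with ipsec(4). The text should say how that peer address is supplied at boot, or state plainly that only the syncdev can be set through these variables, so that a reader following the IPsec advice is not left with a setup that does not survive a reboot. Separately, "which cannot be always ensured in the latter case" has no clear pair for "the latter" to refer to; something like "which cannot always be ensured when the common interface variables are used" reads more clearly.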
@@ -167,14 +185,15 @@ indicated):
Interfaces configuration in
.Pa /etc/rc.conf :
.Bd -literal -offset indent
+network_interfaces="lo0 sis0 sis1 sis2"
cloned_interfaces="carp0 carp1"
-network_interfaces="lo0 sis0 sis1 sis2 carp0 carp1 pfsync0"
ifconfig_sis0="10.0.0.254/24"
ifconfig_sis1="192.168.0.254/24"
ifconfig_sis2="192.168.254.254/24"
ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
-ifconfig_pfsync0="up syncif sis2"
+pfsync_enable="YES"
+pfsync_syncdev="sis2"
.Ed
.Pp
.Xr pf 4
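Review bot: In the rc.conf example, the rewritten network_interfaces line drops carp0 and carp1 along with pfsync0, but the commit message and the new man page paragraph only motivate moving pfsync out of the common interface variables. Please either say in the surrounding text why the carp interfaces no longer belong in network_interfaces, or keep this change limited to pfsync0. It would also help to note next to pfsync_syncdev="sis2" that sis2 is the interface configured by ifconfig_sis2 a few lines earlier, since the whole point of the change is that the syncdev must be up first.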