
pf rules are dropped on LAN when not connected and a linkup event occurs on another interface #451

Closed
jschellevis opened this issue Nov 2, 2015 · 1 comment

Comments

@jschellevis
Member

This issue occurs when one unplugs the LAN cable and plugs another network cable into another port, causing a linkup. In that case the pf rules for the LAN interface are lost.

Test scenario:

em0: LAN, 192.168.1.1/24 + DHCP server 192.168.1.100-200
em1: WAN dhcp client
em2: DMZ, 192.168.2.1/24 + DHCP server 192.168.2.100-200 (also tested with static ip, same result)

Connect your PC to LAN (em0); you will receive an IP address from the server, and the rule list is:

pfctl -sr | grep em0

scrub on em0 all fragment reassemble
block drop in log on ! em0 inet from 192.168.1.0/24 to any
block drop in log on em0 inet6 from fe80::1:1 to any
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on em0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass quick on em0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on em0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

Unplug the LAN cable and put it into DMZ, wait until you get an IP address and look at the rule set again:

pfctl -sr | grep em0

No ALTQ support in kernel
ALTQ related functions disabled
scrub on em0 all fragment reassemble
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass quick on em0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on em0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on em0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (em0) port = http flags S/SA keep state label "anti-lockout rule"

NOTICE: We lost the "Default allow LAN to any" rule. The same thing happens with other rules if configured.
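A practical way to catch this class of regression is to snapshot `pfctl -sr` before and after a link event and diff the rules that belong to one interface. The script below is an added example, not code from the OPNsense project or from this issue's reporter; it assumes only POSIX sh with grep, sort, comm and mktemp, and the two snapshots it compares are constructed here from the output pasted above rather than captured live. It reports every rule for the named interface that was present before and is missing afterwards, and exposes a pass/fail check that a post-linkup hook could call.

```shell
#!/bin/sh
# Added example (not OPNsense code): compare two `pfctl -sr` snapshots for one
# interface and list the rules that disappeared. Assumes POSIX sh plus
# grep/sort/comm/mktemp. The snapshots below are constructed from the issue
# text, not captured from a running firewall.

# Rules that mention interface $1 ("on em0" or "on ! em0") in snapshot file $2.
# pfctl's ALTQ notices are dropped; output is sorted and unique for comm(1).
iface_rules() {
    grep -Ev '^(No )?ALTQ' "$2" | grep -E "(^| )on (! )?$1( |\$)" | sort -u
}

# Rules for interface $1 present in "before" snapshot $2 but absent from
# "after" snapshot $3. Prints one lost rule per line, nothing if none.
lost_rules() {
    _b=$(mktemp) || return 1
    _a=$(mktemp) || return 1
    iface_rules "$1" "$2" > "$_b"
    iface_rules "$1" "$3" > "$_a"
    comm -23 "$_b" "$_a"
    rm -f "$_b" "$_a"
}

# Exit status 0 only if no rule for interface $1 was lost between $2 and $3,
# so it can gate a hook that runs after a linkup event.
rules_intact() {
    [ -z "$(lost_rules "$1" "$2" "$3")" ]
}

WORK=$(mktemp -d)
BEFORE="$WORK/before.txt"
AFTER="$WORK/after.txt"

# Constructed "before" snapshot: a subset of the ruleset shown with the LAN
# cable connected to em0.
cat > "$BEFORE" <<'EOF'
scrub on em0 all fragment reassemble
block drop in log on ! em0 inet from 192.168.1.0/24 to any
block drop in log on em0 inet6 from fe80::1:1 to any
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on em0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass quick on em0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
EOF

# Constructed "after" snapshot: the same subset once the cable was moved to DMZ,
# including the ALTQ notices pfctl prints.
cat > "$AFTER" <<'EOF'
No ALTQ support in kernel
ALTQ related functions disabled
scrub on em0 all fragment reassemble
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass quick on em0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
EOF

# Stand-alone usage: list what em0 lost, then report pass/fail.
lost_rules em0 "$BEFORE" "$AFTER"
if rules_intact em0 "$BEFORE" "$AFTER"; then
    echo "em0 rule set intact"
else
    echo "em0 rule set lost rules"
fi
```

On the constructed input the check reports five lost rules: both block rules, the two DHCP rules tied to 192.168.1.1, and the "Default allow LAN to any" user rule, while the anti-lockout and broadcast DHCP rules survive, which matches the pattern in the issue. The "block drop in log on ! em0" line is worth singling out: losing it means the anti-spoofing protection for 192.168.1.0/24 is gone as well, not just the user's pass rule.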

@AdSchellevis
Member

Tested with 288bc8c and it looks like it is solved when using this fix.
There are a few more possible races with cached values and global variables which we should probably clean up. Will close this issue after the final cleanups are done.

AdSchellevis added a commit that referenced this issue Nov 4, 2015
…ay change during the session... all for saving a ifconfig call.

related to #451 (try to avoid similar issues)
AdSchellevis added a commit that referenced this issue Nov 10, 2015
AdSchellevis added a commit that referenced this issue Nov 10, 2015
… if not needed. loosely related to #451

(cherry picked from commit 38d70ed)
AdSchellevis added a commit that referenced this issue Nov 10, 2015
AdSchellevis added a commit that referenced this issue Nov 10, 2015
AdSchellevis added a commit that referenced this issue Nov 10, 2015
…ay change during the session... all for saving a ifconfig call.

related to #451 (try to avoid similar issues)

(cherry picked from commit 6d91641)
fichtner added a commit that referenced this issue Nov 25, 2015