From owner-freebsd-pf@FreeBSD.ORG Thu Sep 27 20:14:47 2007
Date: Thu, 27 Sep 2007 22:14:44 +0200
From: Daniel Hartmeier
To: David Verzolla
Cc: freebsd-pf@freebsd.org
Subject: Re: Rule doubt
Message-ID: <20070927201444.GI32278@insomnia.benzedrine.cx>
In-Reply-To: <94CADB570ACCB0418E8236C8F24BD95C015FB50B@VIRTUALEXCHANGE.corp.com>
References: <94CADB570ACCB0418E8236C8F24BD95C015FB50B@VIRTUALEXCHANGE.corp.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thu, Sep 27, 2007 at 01:24:45PM -0300, David Verzolla wrote:

> Is it possible to create a rule that can match all the traffic destined to a specific interface?
>
> Example:
>
> pass in on $vlan10 from to (the interface, not the address) $ext_if
>
> The $ext_if:network doesn't work for me.

Not with the "to" keyword. That keyword always means "compare the destination IP address of the packet with ...", it never means "compare the interface the packet would be routed out to", even if the English language might allow for both meanings.

At the point in time when pf filters an incoming packet, the routing table has not been consulted yet, and it is not yet decided what the outgoing interface will be [1].

Assuming what you want to express is "pass in on $vlan10 packets that will get routed out on $ext_if (no matter what the destination IP address of the packet is)", you can use the "tag"/"tagged" keywords for that, i.e. pass in all packets on $vlan10 and tag them. Then filter packets so tagged on all possible outgoing interfaces, and only allow them on $ext_if.

With a known static routing table, this is usually not necessary, as the destination IP address will determine the outgoing interface, and restricting based on the IP address with "to" will suffice.

Daniel

[1] In OpenBSD, there are "route labels". You can assign labels to routing table entries. Then filter incoming packets based on the label of the matching routing table entry (forcing an early lookup), like in

pass in on $vlan10 to route
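A pf.conf fragment that implements the tag/tagged approach described above, as an added example that is not from the original mail. The interface names, the tag name and the "no state" option are assumptions; adjust them to your ruleset.

```pf
# Added example, not from the original message. Interface names are assumed.
ext_if = "em0"
vlan10 = "vlan10"

# Tag everything that arrives on $vlan10. No state is created here on purpose:
# a floating state created by this rule would also match the packet on the
# outbound interface and skip ruleset evaluation there, so the "block out"
# below would never be consulted. On pf versions that are stateless unless
# "keep state" is given, simply omit "no state".
pass in on $vlan10 tag FROM_VLAN10 no state

# Outbound: refuse tagged packets on every interface by default, and log them
# so traffic that would have left via an unexpected interface is visible.
block out log tagged FROM_VLAN10

# Then allow them only on $ext_if. The last matching rule wins, so this
# overrides the block for $ext_if only; keep state so replies return.
pass out on $ext_if tagged FROM_VLAN10 keep state
```

Logged hits on the block rule can be inspected with tcpdump on the pflog interface to confirm which destinations are being routed somewhere other than $ext_if.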