Date: Mon, 15 Nov 2021 04:09:29 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 259840] pf: matching both receive and xmit interface in single rule
Message-ID: <bug-259840-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259840

Bug ID: 259840
Summary: pf: matching both receive and xmit interface in single rule
Product: Base System
Version: 12.2-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: ozkan.kirik@gmail.com

I'm looking for a solution to match traffic received on igb0 and xmit on igb1.

According to the man page, ipfw(8) supports this syntax:

ipfw add deny ip from any to any out recv ed0 xmit ed1

The recv interface can be tested on either incoming or outgoing packets, while the xmit interface can only be tested on outgoing packets. So out is required (and in is invalid) whenever xmit is used.

I used a workaround for this requirement:

- pass quick in on igb0 all keep state (if-bound) tag rule1_IN_IGB0
- pass quick out on igb1 all tagged rule1_IN_IGB0 keep state (if-bound)

But this syntax has disadvantages:

- if tags are used for NAT, one of the tags will be lost, because pf has only single tag support
- reading and writing of rules become complicated

Is it possible to add support for this feature like ipfw, or alternatively is it possible to have a separate tag for the nat tag?

Regards

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-259840-227>