From: David DeSimone <ddesimone@verio.net>
To: Miłosz Kaniewski
CC: freebsd-pf@freebsd.org
Subject: RE: Creating span interface using 'dup-to' option
Date: Mon, 12 Oct 2015 14:28:58 +0000
The man page makes it clear that "dup-to" acts just like "route-to", except that the original packet still routes the way it would have. The implication being that "dup-to" needs to determine where to route the new packet.

This means that the more useful form of this is likely to be:

    pass out on em0 dup-to ( em2 X.X.X.X ) no state

Where "X.X.X.X" is the IP of the host connected via em2 that will be receiving the duplicated packet.

The difference between using a bridge to accomplish this, vs. pf, is that pf operates at layer 3 and will not preserve the layer 2 mac headers, whereas bridge will preserve these.

Hopefully this will fit your requirements.
-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Milosz Kaniewski
Sent: Sunday, October 11, 2015 6:16 AM
To: freebsd-pf@freebsd.org
Subject: Creating span interface using 'dup-to' option

uname -a:
FreeBSD freebsd11_master.kvm 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r285616: Thu Jul 16 02:21:59 UTC 2015 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64

    +----------+        +-----------+        +----------+
    |          |     em0|           |em1     |          |
    |  host1   +--------+  FreeBSD  +--------+  host2   |
    |          |        |           |        |          |
    +----------+        +-----------+        +----------+
                              |em2
                              |
                              v

Hi,

I have a FreeBSD machine which forwards packets between host1 and host2. This machine also has an additional interface (em2) which acts as a span interface - all traffic between host1 and host2 is copied into it.

To achieve this scenario I can set up a bridge with em0 and em1 as members and em2 as span interface. But I would like to get the same result using pf instead. So I tried to use these rules:

    pass out on em0 dup-to em2 no state
    pass out on em1 dup-to em2 no state

But it doesn't work. No packets appear on interface em2. I've checked the same configuration on OpenBSD and everything worked well. Is there any difference in setting a dup-to rule in FreeBSD and OpenBSD pf?

Thanks for help.

Best regards.

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
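Putting the two messages together, here is the span configuration in the form the reply recommends, written as an added pf.conf fragment that is not from either poster. The macro names and the monitor address 192.0.2.10 are assumptions standing in for the reply's "X.X.X.X"; substitute the real address of the capture host attached to em2.

```pf
# Added example (not from the thread): copy host1 <-> host2 traffic onto em2
# with pf instead of a bridge(4) span interface.
span_if   = "em2"
span_host = "192.0.2.10"   # placeholder: IP of the capture host on em2

# Forwarded traffic leaves on em0 (toward host1) or em1 (toward host2).
# dup-to copies each matching packet and routes the copy to $span_host out
# $span_if, while the original still leaves on its normal interface.
# The interface-only form "dup-to em2" produced no packets on em2 on
# FreeBSD, so the ( interface address ) form is used here.
pass out on em0 dup-to ( $span_if $span_host ) no state
pass out on em1 dup-to ( $span_if $span_host ) no state

# Caveat from the reply: pf works at layer 3. The copy is re-framed with
# em2's own source MAC and the capture host's MAC (resolved via ARP for
# $span_host), so the original host1/host2 Ethernet headers are not
# preserved. A bridge span interface keeps them; pf dup-to does not.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm copies arrive with `tcpdump -ni em2` on the FreeBSD box or on the capture host.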