Date: Sun, 19 Mar 2006 17:05:25 +0100 (CET)
From: Gergely CZUCZY <phoemix@harmless.hu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/94694: pf don't follow IP changes on IF-defined rules
Message-ID: <20060319160525.DC38FBDCC@trillian.harmless.hu>
Resent-Message-ID: <200603191600.k2JG0kXZ095074@freefall.freebsd.org>
>Number:         94694
>Category:       kern
>Synopsis:       pf don't follow IP changes on IF-defined rules
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 19 16:00:45 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Gergely CZUCZY
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
none
>Environment:
FreeBSD beeblebrox.harmless.lan 6.0-STABLE FreeBSD 6.0-STABLE #1: Wed Feb 1 22:18:02 CET 2006 root@beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX i386
>Description:
If you have a rule in your pf configuration where you specify the interface's name, and the IP address of the IF is changed by the time (think of dynamic-IP DSLs), the resolved IP address of the interface in the ruleset is not updated.

In my case, the rule is as follows:

--- chop with axe here ---
if_ppp="tun0"
nat on $if_ppp from <natnets> to !10.0.0.0/8 -> $if_ppp
--- chop with axe here ---

On config file loading it's resolved to:

--- chop with axe here ---
nat on tun0 inet from <natnets> to ! 10.0.0.0/8 -> 213.178.112.51
--- chop with axe here ---

The IP address of the interface is resolved. When my PPP connection is terminated by my ISP, and it reconnects, it may get a different IP address. In these cases the already loaded ruleset will not follow the change in the interface's address.
>How-To-Repeat:
1) apply a rule to pf, where you specify the IP address by the name of the interface
2) change the IP address of that IF
3) the IP address in the loaded ruleset will remain the same
>Fix:
I don't have a fix. I reload the ruleset by hand on these times, but this is not a solution.
>Release-Note:
>Audit-Trail:
>Unformatted:
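The behaviour the report describes is pf's load-time expansion of a bare interface name: `pfctl` substitutes the interface's address when the ruleset is parsed, which is why the loaded rule shows a literal address that goes stale after a PPP reconnect. The following pf.conf fragment is an added illustration, not part of the bug report, and not a fix to pf itself: it places the two forms side by side using the reporter's `tun0` and `<natnets>` names (the `10.0.0.0/8` exclusion is taken from the report as well). Parenthesising the interface name, `($if_ppp)`, tells pf to look the address up at evaluation time rather than at load time, so the translation address follows changes to the interface without a manual `pfctl -f` reload.

```pf
# Added example (not from the PR). Interface and table names follow the report.
if_ppp="tun0"
table <natnets> persist

# Form A (as in the report): the interface name is expanded once, when the
# ruleset is loaded, into whatever address tun0 had at that moment.
# After a PPP reconnect that hands out a new address, this rule still
# translates to the old one until the ruleset is reloaded.
#
# nat on $if_ppp from <natnets> to !10.0.0.0/8 -> $if_ppp

# Form B: the parenthesised interface is resolved dynamically on each
# rule evaluation, so the translation address tracks tun0's current address.
nat on $if_ppp from <natnets> to !10.0.0.0/8 -> ($if_ppp)

# The same applies to filter rules that name the interface's address;
# a bare $if_ppp here would also be frozen at load time.
pass in on $if_ppp inet proto tcp from any to ($if_ppp) port 22 keep state
```

A quick way to see the difference on a running system is `pfctl -sn` after loading: form A prints a literal address in the `->` position, while form B prints `(tun0)`, showing that the lookup has been deferred. Whether an operator prefers form B or a scripted reload from `ppp.linkup` is a policy choice; form B simply removes the window during which traffic is translated to an address the host no longer owns.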