Date:      Thu, 08 Sep 2011 14:47:29 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        freebsd-pf@freebsd.org
Subject:   route-to rule
Message-ID:  <868vpzqjz2.fsf@ds4.des.no>

According to the pf.conf(5) man page in FreeBSD 8.2, the address part of
the route-to destination is optional:

     route          = ( "route-to" | "reply-to" | "dup-to" )
                      ( routehost | "{" routehost-list "}" )
                      [ pooltype ]
     routehost      = "(" interface-name [ address [ "/" mask-bits ] ] ")"
     routehost-list = routehost [ [ "," ] routehost-list ]


but pf complains of a syntax error if I leave it out, so

 pass in on $lan2 route-to ($ext2) from ($lan2:network)

doesn't work, while

 pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network)

does.

I realize that pf can't *know* the correct next-hop address for the
specified interface, but it can make a reasonable guess (first non-zero
address in $ext2:network), so hard-coding would only be required in
cases where the "reasonable guess" is incorrect or $ext2 has multiple IP
addresses.

Also, there does not seem to be a way to complement a host-list:

     hosts          = "all" |
                      "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
                      "{" host-list "}" | "route" string ) [ port ] [ os ]
                      "to"   ( "any" | "no-route" | "self" | host |
                      "{" host-list "}" | "route" string ) [ port ]
     host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
     host-list      = host [ [ "," ] host-list ]

so you can say

 { $lan1:network, $lan2:network }

but not

 ! { $lan1:network, $lan2:network }

As a result, a rule such as

 pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to !$lan2:network

means that traffic from $lan2:network to $lan1:network will be routed
through $ext2 instead of going directly to $lan1.  I can add explicit
route-to rules to circumvent that, but I'd much rather use something
like this:

 pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to ! { $lan1:network, $lan2:network }

(I checked Reed's book and both editions of Hansteen's, but Reed makes no
sense, and Hansteen doesn't mention route-to at all)

DES
-- 
Dag-Erling Smørgrav - des@des.no



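The grammar quoted in the message does allow a negated table reference (host = [ "!" ] ( ... | "<" string ">" )), so the "everything except both LANs" destination can be expressed by putting the two networks in a table and negating it. The following pf.conf fragment is an added example, not part of the original message or of FreeBSD's documentation; the interface names and the next-hop address are assumptions standing in for the poster's $lan1, $lan2, $ext2 and 172.16.0.1.

```pf
# Added example (not from the original post). Interface names and the
# next-hop address are assumed placeholders; adjust to the real topology.
lan1    = "em1"
lan2    = "em2"
ext2    = "em3"
ext2_gw = "172.16.0.1"

# Both directly connected LANs in one table; the :network modifier
# expands each interface to its attached subnet.
table <lans> { $lan1:network, $lan2:network }

# Traffic from lan2 to any address outside both LANs is forced out via ext2.
# lan2 -> lan1 traffic does not match this rule (the "to" part is negated),
# so it follows the system routing table and reaches lan1 directly, which is
# the behaviour the message asks for without extra route-to exceptions.
pass in on $lan2 route-to ($ext2 $ext2_gw) from ($lan2:network) to !<lans>

# Check the syntax and the macro/table expansion without loading anything:
#   pfctl -nvf /etc/pf.conf
```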