From: Dag-Erling Smørgrav
To: freebsd-pf@freebsd.org
Date: Thu, 08 Sep 2011 14:47:29 +0200
Subject: route-to rule
Message-ID: <868vpzqjz2.fsf@ds4.des.no>

According to the pf.conf(5) man page in FreeBSD 8.2, the address part
of the route-to destination is optional:

     route          = ( "route-to" | "reply-to" | "dup-to" )
                      ( routehost | "{" routehost-list "}" )
                      [ pooltype ]
     routehost      = "(" interface-name [ address [ "/" mask-bits ] ] ")"
     routehost-list = routehost [ [ "," ] routehost-list ]

but pf complains of a syntax error if I leave it out, so

     pass in on $lan2 route-to ($ext2) from ($lan2:network)

doesn't work, while

     pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network)

does.
I realize that pf can't *know* the correct next-hop address for the
specified interface, but it can make a reasonable guess (first non-zero
address in $ext2:network), so hard-coding would only be required in
cases where the "reasonable guess" is incorrect or $ext2 has multiple
IP addresses.

Also, there does not seem to be a way to complement a host-list:

     hosts     = "all" |
                 "from" ( "any" | "no-route" | "urpf-failed" | "self" |
                 host | "{" host-list "}" | "route" string ) [ port ] [ os ]
                 "to" ( "any" | "no-route" | "self" | host |
                 "{" host-list "}" | "route" string ) [ port ]
     host      = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
     host-list = host [ [ "," ] host-list ]

so you can say

     { $lan1:network, $lan2:network }

but not

     ! { $lan1:network, $lan2:network }

As a result, a rule such as

     pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to !$lan2:network

means that traffic from $lan2:network to $lan1:network will be routed
through $ext2 instead of going directly to $lan1. I can add explicit
route-to rules to circumvent that, but I'd much rather use something
like this:

     pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to ! { $lan1:network, $lan2:network }

(I checked Reed's book and both editions of Hansteen's, but Reed makes
no sense, and Hansteen doesn't mention route-to at all)

DES

-- 
Dag-Erling Smørgrav - des@des.no
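Two ways to express "everything except the local networks" within the grammar quoted above, as an added example that is not part of the original message: a quick exception rule evaluated before the route-to rule, and a single negated table. It assumes the message's macros ($lan1, $lan2, $ext2) and next-hop 172.16.0.1, and that a table accepts interface:network entries; the table name <localnets> is made up here.

```pf
# Added example, not from the original message. Macros $lan1, $lan2,
# $ext2 and next-hop 172.16.0.1 are taken from the message; the table
# name <localnets> is made up.

# Option 1: an explicit exception that wins with "quick".
# pf is last-match by default, so without "quick" the later route-to
# rule would also match lan2 -> lan1 traffic and override this one.
pass in quick on $lan2 from ($lan2:network) to $lan1:network
pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to !$lan2:network

# Option 2: put both networks in one table. A single table reference
# is a "host" in the grammar and may therefore be negated with "!",
# which a "{ }" host-list cannot. Assumes interface:network entries
# are accepted in the table definition.
table <localnets> { $lan1:network, $lan2:network }
pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to !<localnets>
```

Either variant keeps lan2 -> lan1 traffic on the direct path while still policy-routing everything else via $ext2; `pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap way to check the grammar before applying it.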