From owner-freebsd-pf@FreeBSD.ORG Thu Sep 8 14:27:59 2011
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 42290106564A for ; Thu, 8 Sep 2011 14:27:59 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (106-30.3-213.fix.bluewin.ch [213.3.30.106]) by mx1.freebsd.org (Postfix) with ESMTP id 9A7988FC0C for ; Thu, 8 Sep 2011 14:27:58 +0000 (UTC)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id p88EARkQ020095 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Thu, 8 Sep 2011 16:10:27 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id p88EAQ0t026240; Thu, 8 Sep 2011 16:10:26 +0200 (MEST)
Date: Thu, 8 Sep 2011 16:10:26 +0200
From: Daniel Hartmeier
To: Dag-Erling Smørgrav
Message-ID: <20110908141026.GB10185@insomnia.benzedrine.cx>
References: <868vpzqjz2.fsf@ds4.des.no>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <868vpzqjz2.fsf@ds4.des.no>
User-Agent: Mutt/1.5.12-2006-07-14
Cc: freebsd-pf@freebsd.org
Subject: Re: route-to rule
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 08 Sep 2011 14:27:59 -0000

On Thu, Sep 08, 2011 at 02:47:29PM +0200, Dag-Erling Smørgrav wrote:

> According to the pf.conf(5) man page in FreeBSD 8.2, the address part of
> but pf complains of a syntax error if I leave it out, so
>
>   pass in on $lan2 route-to ($ext2) from ($lan2:network)
>
> doesn't work, while
>
>   pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network)
>
> does.
The BNF syntax is slightly wrong, the parentheses are needed when both interface and address are specified. If only the interface is specified, no parentheses are needed or allowed, i.e. try

  pass in on $lan2 route-to $ext2 from ($lan2:network)

> I realize that pf can't *know* the correct next-hop address for the
> specified interface, but it can make a reasonable guess (first non-zero
> address in $ext2:network), so hard-coding would only be required in
> cases where the "reasonable guess" is incorrect or $ext2 has multiple IP
> addresses.

There is no guessing involved. If you specify the address, this address is used for an arp lookup, and the ethernet frame will have this IP address' MAC address as destination. If you don't specify the address, the destination IP address of the matching packet is used for the arp lookup instead!

If that destination IP address is not local (i.e. must be sent through a next-hop), you MUST specify the next-hop address, or the packet will be dropped, as arp resolution will fail.

So, specifying the next-hop address is not really "optional". You may even have to split a route-to rule into two separate rules (one with and the other without specifying the next-hop), when some (but not all) possibly matching destinations are local (arp resolvable).

> so you can say
>
>   { $lan1:network, $lan2:network }
>
> but not
>
>   ! { $lan1:network, $lan2:network }

The reason this is not supported is purely technical, as a single rule with an address list expands to multiple rules internally. And this particular construct would expand to the two rules

  pass ... from ! $lan1:network
  pass ... from ! $lan2:network

which would match every possible source, not what any user would ever expect the construct to do.

More details on http://www.openbsd.org/faq/pf/macros.html search for "negated list".

Short answer: usually an address table can be used instead of an address list, i.e.

  table const { $lan1:network $lan2:network }
  pass ... from !

Kind regards,
Daniel
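Added illustration, not part of the mail and not pf code: a small Python model of the two behaviours Daniel describes. The first part shows which address pf hands to ARP for a route-to rule with and without a next-hop, and generates the two-rule split for a destination set that is only partly local. The second part performs the rule expansion behind `from ! { a, b }` and compares it with a table lookup, so the "matches every possible source" effect can be seen on concrete addresses. The subnets (172.16.0.0/24 for $ext2, 10.1.0.0/24 and 10.2.0.0/24 for the LANs), the router 172.16.0.1 and the macro names are constructed for this example.

```python
"""Model of two pf behaviours from the mail above (added illustration, not pf code).

1. route-to: which address pf hands to ARP, with and without a next-hop,
   and the split into two rules when only some destinations are local.
2. Why `from ! { a, b }` expands into rules that match every source, and
   why a table `from ! <t>` gives the intended result.

The subnets, the router address and the macro names are constructed for
this example; pf itself does the real work in the kernel.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Constructed topology (assumption): $ext2 is attached to 172.16.0.0/24 with
# the upstream router at 172.16.0.1; $lan1 and $lan2 are two internal /24s.
EXT2_NET = ip_network("172.16.0.0/24")
EXT2_GW = "172.16.0.1"
LAN_NETS = [ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24")]


def route_to_arp_target(dst: str, iface_net: IPv4Network,
                        next_hop: Optional[str] = None) -> Tuple[str, bool]:
    """Return (address pf will ARP for, whether that lookup can succeed).

    `route-to ($ext2 next_hop)` makes pf resolve next_hop; plain
    `route-to $ext2` makes it resolve the packet's own destination, which
    only works when that destination is on the interface's subnet.  When
    the lookup cannot succeed the packet is dropped.
    """
    target = next_hop if next_hop is not None else dst
    return target, ip_address(target) in iface_net


def split_route_to_rules(dsts: Iterable[str], src_if: str, out_if: str,
                         out_net: IPv4Network, gw: str) -> List[str]:
    """Emit the two-rule form the mail recommends: destinations on the
    outgoing interface's subnet get plain `route-to out_if`, all others
    get `route-to (out_if gw)`.  An empty group produces no rule."""
    dsts = list(dsts)
    local = [d for d in dsts if ip_address(d) in out_net]
    remote = [d for d in dsts if ip_address(d) not in out_net]
    rules = []
    if local:
        rules.append(f"pass in on {src_if} route-to {out_if} "
                     f"from ({src_if}:network) to {{ {', '.join(local)} }}")
    if remote:
        rules.append(f"pass in on {src_if} route-to ({out_if} {gw}) "
                     f"from ({src_if}:network) to {{ {', '.join(remote)} }}")
    return rules


def expand_negated_list(nets: List[IPv4Network]) -> List[Tuple[bool, IPv4Network]]:
    """pf expands `from ! { a, b }` into one rule per element, each negated:
    `from ! a` and `from ! b`."""
    return [(True, n) for n in nets]


def any_rule_matches(rules: List[Tuple[bool, IPv4Network]], src: str) -> bool:
    """A set of otherwise identical pass rules matches a packet if any one does."""
    addr = ip_address(src)
    return any((addr not in n) if negated else (addr in n) for negated, n in rules)


def table_negated_matches(table: List[IPv4Network], src: str) -> bool:
    """`from ! <t>` with both networks in one table: the source must lie in
    none of the table's entries."""
    addr = ip_address(src)
    return not any(addr in n for n in table)


if __name__ == "__main__":
    # Without a next-hop, route-to only works for destinations on $ext2's subnet.
    for dst in ("172.16.0.50", "198.51.100.7"):
        print(dst, "->", route_to_arp_target(dst, EXT2_NET))
    print("with next-hop:", route_to_arp_target("198.51.100.7", EXT2_NET, EXT2_GW))
    for r in split_route_to_rules(["172.16.0.50", "198.51.100.7"],
                                  "$lan2", "$ext2", EXT2_NET, EXT2_GW):
        print(r)

    # 10.1.0.5 is inside $lan1, so a working `from ! { lan1, lan2 }` must not match it.
    expanded = expand_negated_list(LAN_NETS)
    print("negated list matches 10.1.0.5:", any_rule_matches(expanded, "10.1.0.5"))
    print("negated table matches 10.1.0.5:", table_negated_matches(LAN_NETS, "10.1.0.5"))
```

Running it shows the list form matching 10.1.0.5 (the `! $lan2:network` rule catches it) while the table form rejects it, and prints the two route-to rules, one bare `route-to $ext2` for the on-link destination and one `route-to ($ext2 172.16.0.1)` for the one behind the router.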