From: Eygene Ryabinkin
To: Kevin Foo
Cc: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 27 Nov 2008 17:00:15 +0300
Subject: Re: if_bridge + pf rdr (bridged inline proxy)
In-Reply-To: <25cb30811270426i6b5cc4c2s49030f64d06b0ec8@mail.gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Kevin, good day.
Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
> I recently set up a bridge box with an inline cache proxy. if_bridge with
> pf filtering was working perfectly. However, squid-cache listening on the
> loopback device did not get any packets from pf rdr. I have seen
> successful setups with OpenBSD's bridge spamd, which is rather a similar
> setup. Is something broken in FreeBSD's if_bridge or am I missing some
> configuration here?

pf can 'rdr' only incoming packets (from 'man pf.conf'):
-----
Evaluation order of the translation rules is dependent on the type of the
translation rules and of the direction of a packet. binat rules are always
evaluated first. Then either the rdr rules are evaluated on an inbound
packet or the nat rules on an outbound packet. Rules of the same type are
evaluated in the same order in which they appear in the ruleset. The first
matching rule decides what action is taken.
-----

So this can be just pf-related. And may be not, as usual...

--
Eygene

Remember that it is hard to read the on-line manual while single-stepping
the kernel. -- FreeBSD Developers handbook
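To illustrate the direction point from the man page excerpt, here is an added pf.conf fragment for a bridged transparent proxy; it is not from Eygene's or Kevin's message, and the interface names (em0, em1, bridge0), the squid port 3128 and the bridge sysctl named in the comments are assumptions. It only shows where a rdr rule has to sit to be evaluated at all; whether the bridge then delivers the redirected packet to a local socket is exactly the question the reply leaves open.

```conf
# Added example, not part of the original thread.
# Assumed layout: bridge0 = em0 (client side) + em1 (upstream side);
# squid is assumed to listen on 127.0.0.1 port 3128.
client_if = "em0"
upstream_if = "em1"
proxy_port = "3128"

# rdr is evaluated only for packets inbound on the named interface, so the
# rule must name the member interface where client packets *enter* the box.
# A rule written "on bridge0" or on $upstream_if is never matched for this
# traffic, and squid on lo0 sees nothing.
rdr on $client_if inet proto tcp from any to any port 80 \
    -> 127.0.0.1 port $proxy_port

# Let the redirected connections reach the listener on loopback, and let
# the proxy's own outbound fetches leave via the upstream side.
pass in on $client_if inet proto tcp from any to 127.0.0.1 port $proxy_port keep state
pass out on $upstream_if inet proto tcp from any to any port 80 keep state

# Assumption to verify on your release: pf is only consulted for member
# interfaces when the bridge's pfil hook is enabled, e.g.
#   sysctl net.link.bridge.pfil_member=1
# Checks:
#   pfctl -nf /etc/pf.conf   # parse the ruleset without loading it
#   pfctl -sn                # confirm the rdr rule is installed as written
#   pfctl -ss | grep 3128    # watch for a state appearing on a client fetch
```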