Date:      Tue, 18 Jan 2005 16:00:47 +0100
From:      Eric Masson <e-masson@kisoft-services.com>
To:        Max Laier <max@love2party.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf & clonable devices
Message-ID:  <86pt026au8.fsf@srvbsdnanssv.interne.kisoft-services.com>
In-Reply-To: <200501181350.21488.max@love2party.net> (Max Laier's message of "Tue, 18 Jan 2005 13:50:13 %2B0100")
References:  <86k6qcynus.fsf@srvbsdnanssv.interne.kisoft-services.com> <86r7kj3x2b.fsf@srvbsdnanssv.interne.kisoft-services.com> <86ekgi9avj.fsf@srvbsdnanssv.interne.kisoft-services.com> <200501181350.21488.max@love2party.net>


>>>>> "Max" == Max Laier <max@love2party.net> writes:

 Max> Okay, that hints that the NAT-rule is to blame.

Seems to.

 Max> Can you check the output of "$pfctl -vvsn" after a reconnect, but
 Max> before issuing a ruleset reload? This looks a bit like PR
 Max> kern/69954, in which case you might want to try to write your
 Max> nat-rule as:

 Max> nat on $ext_if from $int_if:network to any -> ($ext_if:0)

OK, further refinement: on machine boot, pf refuses to load rules
because interface ppp0 doesn't exist (thanks to dmesg -a, this box is
headless).

Once pppd has started, pfctl -vvsn gives the following results:
No ALTQ support in kernel
ALTQ related functions disabled

Result expected as no nat rules reference ppp0 interface, sigh...

After pfctl -F all -f /etc/pf.conf, pfctl -vvsn gives the following
results:
No ALTQ support in kernel
ALTQ related functions disabled
@0 nat on ppp0 inet from 192.168.1.0/24 to any -> (ppp0:0)
  [ Evaluations: 209       Packets: 236       Bytes: 149822      States: 3     ]

After that, shutdown of pppd processes, removal of pppX interfaces and
startup of pppd processes, then traffic flows fine and is correctly
nat'ed.

So, your fix seems to be fine :)

The next question concerns PF support for clonable interfaces that do
not exist at pf startup. Is this a feature that could be added, or do I
need to mess with anchors in ip-up/ip-down scripts?

Éric

-- 
 Why don't French internet users mobilise to group together in
 a company or association so they can have toll-free numbers. We'd just
 have to rent the phone lines from FT and we'd only pay a subscription
 -+- BT in: Guide du Neuneu Usenet - Neuneu se met au vert -+-
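The anchor-based workaround Eric asks about, as an added example that is not part of the thread: a pppd ip-up/ip-down hook that loads the NAT rule for the ppp interface into a per-interface pf anchor once the interface actually exists, and flushes it when the link goes down. It assumes a modern pf with `nat-anchor "ppp/*"` in /etc/pf.conf (so the main ruleset loads at boot without ppp0 present) and pfctl's `-f -` stdin loading; the anchor name and the 192.168.1.0/24 network are taken from the message.

```shell
#!/bin/sh
# Added example (not from the thread). Install as /etc/ppp/ip-up and
# /etc/ppp/ip-down (same script, dispatch on its own name).
# Assumes /etc/pf.conf contains:   nat-anchor "ppp/*"

INT_NET="192.168.1.0/24"   # internal network from the thread

# One anchor per ppp interface, so several pppd instances (ppp0, ppp1, ...)
# can come and go independently without flushing each other's rules.
anchor_for() {
    printf 'ppp/%s\n' "$1"
}

# Build the NAT rule for the interface pppd just brought up. The
# parenthesised (pppN:0) form makes pf look up the interface's first
# address at evaluation time, so a new address after a reconnect is
# picked up without reloading the ruleset.
render_nat_rule() {
    ifname="$1"; intnet="$2"
    printf 'nat on %s inet from %s to any -> (%s:0)\n' \
        "$ifname" "$intnet" "$ifname"
}

# pppd invokes ip-up as: ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
ppp_up() {
    ifname="$1"
    render_nat_rule "$ifname" "$INT_NET" | pfctl -a "$(anchor_for "$ifname")" -f -
}

# pppd invokes ip-down with the same arguments; drop the anchor's NAT rules.
ppp_down() {
    ifname="$1"
    pfctl -a "$(anchor_for "$ifname")" -F nat
}

case "$(basename "$0")" in
    ip-up)   ppp_up "$@" ;;
    ip-down) ppp_down "$@" ;;
esac
```

After the link comes up, `pfctl -a ppp/ppp0 -vvsn` should show the same rule and counters as the manual reload in the message.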