Date: Mon, 10 Nov 2014 13:36:16 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 194925] New: [pf] [ifconfig] interface group keywords do not work by default
Message-ID: <bug-194925-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194925

    Bug ID: 194925
    Summary: [pf] [ifconfig] interface group keywords do not work by default
    Product: Base System
    Version: 10.0-RELEASE
    Hardware: Any
    OS: Any
    Status: Needs Triage
    Severity: Affects Many People
    Priority: ---
    Component: kern
    Assignee: freebsd-bugs@FreeBSD.org
    Reporter: feld@FreeBSD.org

pf offers the ability to use interface groups to build dynamic rules or to
simplify your ruleset. It also makes them more portable to other servers which
might have different interface names, etc.

While testing my firewall with FreeBSD instead of OpenBSD I was having a lot
of trouble with my rules until I identified that the group keywords were not
working.

From FreeBSD's pf.conf(5):

    on <interface>
        This rule applies only to packets coming in on, or going out
        through, this particular interface or interface group. For more
        information on interface groups, see the group keyword in
        ifconfig(8). any will match any existing interface except
        loopback ones.

So our ifconfig needs to support groups, which it appears to do according to
our ifconfig(8):

    group group-name
        Assign the interface to a "group". Any interface can be in
        multiple groups.

        Cloned interfaces are members of their interface family group by
        default. For example, a PPP interface such as ppp0 is a member of
        the PPP interface family group, ppp.

The problem appears to be that we do not have interfaces in groups by default.
OpenBSD has the following in their ifconfig(8):

    Some interfaces belong to specific groups by default:

    - All interfaces are members of the all interface group.
    - Cloned interfaces are members of their interface family group.
      For example, a PPP interface such as ppp0 is a member of the ppp
      interface family group.
    - pppx(4) interfaces are members of the pppx interface group.
    - The interface(s) the default route(s) point to are members of the
      egress interface group.
    - IEEE 802.11 wireless interfaces are members of the wlan interface
      group.
    - Any interfaces used for network booting are members of the netboot
      interface group.

As I learned the hard way, the following rule will not work without
additional configuration:

    pass in quick on egress inet proto tcp from any to (egress) port 80

If I manually add the egress keyword to an interface it appears to work, but
it doesn't show up in ifconfig output. You have to explicitly request group
members, which is confusing.

    vm# ifconfig vtnet0 group egress
    vm# ifconfig vtnet0
    vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
            ether 52:54:00:4e:65:cf
            inet 108.61.119.181 netmask 0xffffff00 broadcast 108.61.119.255
            inet6 fe80::5054:ff:fe4e:65cf%vtnet0 prefixlen 64 scopeid 0x1
            inet6 2001:19f0:5c00:8014::64 prefixlen 64
            nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
            media: Ethernet 10Gbase-T <full-duplex>
            status: active
    vm# ifconfig -g egress
    vtnet0

vs OpenBSD's ifconfig output, which clearly states the groups (except "all"):

    $ ifconfig re0
    re0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
            lladdr 00:0d:b9:34:19:5c
            description: charter
            priority: 0
            groups: egress
            media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
            status: active
            inet 68.117.126.78 netmask 0xfffffffc broadcast 68.117.126.79

The keywords do work once you manually add them to interfaces, but
specifically the concept of the "egress" and "ingress" keywords is defeated
without them being dynamically added to interfaces. It would be nice if we
could improve the ifconfig output and also dynamically add interfaces to some
sane default groups.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-194925-8>
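The workaround the report describes (tagging the default-route interface as "egress" by hand so that `on egress` and `(egress)` in pf.conf resolve to something) can be scripted. The POSIX sh below is an added example, not code from the bug report or from FreeBSD: it parses `route -n get default` for its `interface:` line, checks `ifconfig -g egress` for existing membership, and only then runs the `ifconfig <if> group egress` command quoted in the report. The `route` output format and the `ifconfig -g` output (one member name per line) are assumed from FreeBSD 10; the sample route output embedded for the offline demonstration is constructed, with a documentation-range gateway.

```shell
#!/bin/sh
# Added example, not part of the bug report: put the default-route interface
# into pf's "egress" group, which FreeBSD 10 does not do automatically.
# Assumes FreeBSD's `route -n get default` prints a "  interface: <name>"
# line and that `ifconfig -g egress` lists member interfaces one per line.
# Set DRY_RUN=1 to print the ifconfig command instead of running it.

# Read `route -n get default` output on stdin; print the interface name.
parse_default_iface() {
    awk '/^[[:space:]]*interface:/ { print $2; exit }'
}

# Succeed if interface $2 appears in the member list $1 (whitespace or
# newline separated, as printed by `ifconfig -g <group>`).
in_group_output() {
    members=$1
    iface=$2
    for m in $members; do
        [ "$m" = "$iface" ] && return 0
    done
    return 1
}

# Build the command that adds interface $1 to group $2.
group_cmd() {
    printf 'ifconfig %s group %s\n' "$1" "$2"
}

# Tag the default-route interface as egress unless it already is.
ensure_egress() {
    iface=$(route -n get default 2>/dev/null | parse_default_iface)
    if [ -z "$iface" ]; then
        echo "no default route found; nothing to tag as egress" >&2
        return 1
    fi
    if in_group_output "$(ifconfig -g egress 2>/dev/null)" "$iface"; then
        echo "$iface is already in group egress"
        return 0
    fi
    cmd=$(group_cmd "$iface" egress)
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would run: $cmd"
    else
        $cmd
    fi
}

# Constructed sample of `route -n get default` output (values made up),
# so the parsing can be exercised on a machine without a default route.
SAMPLE_ROUTE='   route to: default
destination: default
       mask: default
    gateway: 192.0.2.1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Offline demonstration: derive the interface from the sample and show the
# command that ensure_egress would run on a real host.
demo_iface=$(printf '%s\n' "$SAMPLE_ROUTE" | parse_default_iface)
group_cmd "$demo_iface" egress
```

On a live host, source the file and call `ensure_egress` (with `DRY_RUN=1` first). Because the group is a runtime property of the interface and is lost on reboot, the persistent form is to append `group egress` to the interface's `ifconfig_<if>` line in rc.conf, which rc passes through to ifconfig(8); after either step, `ifconfig -g egress` should list the interface and `pfctl -nf /etc/pf.conf` should accept the `on egress` rule.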