From owner-freebsd-bugs@FreeBSD.ORG Mon Nov 10 13:36:16 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 194925] New: [pf] [ifconfig] interface group keywords do not work by default
Date: Mon, 10 Nov 2014 13:36:16 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.0-RELEASE
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: feld@FreeBSD.org
X-Bugzilla-Status: Needs Triage
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194925

            Bug ID: 194925
           Summary: [pf] [ifconfig] interface group keywords do not work
                    by default
           Product: Base System
           Version: 10.0-RELEASE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: feld@FreeBSD.org

pf offers the ability to use interface groups to build dynamic rules or to
simplify your ruleset. It also makes them more portable to other servers which
might have different interface names, etc. While testing my firewall with
FreeBSD instead of OpenBSD I was having a lot of trouble with my rules until I
identified that the group keywords were not working.

From FreeBSD's pf.conf(5):

     on        This rule applies only to packets coming in on, or going out
               through, this particular interface or interface group. For more
               information on interface groups, see the group keyword in
               ifconfig(8). any will match any existing interface except
               loopback ones.

So our ifconfig needs to support groups, which it appears to do according to
our ifconfig(8):

     group group-name
             Assign the interface to a "group". Any interface can be in
             multiple groups.

             Cloned interfaces are members of their interface family group by
             default. For example, a PPP interface such as ppp0 is a member
             of the PPP interface family group, ppp.

The problem appears to be that we do not have interfaces in groups by default.
OpenBSD has the following in their ifconfig(8):

             Some interfaces belong to specific groups by default:

             -   All interfaces are members of the all interface group.
             -   Cloned interfaces are members of their interface family
                 group. For example, a PPP interface such as ppp0 is a
                 member of the ppp interface family group.
             -   pppx(4) interfaces are members of the pppx interface group.
             -   The interface(s) the default route(s) point to are members
                 of the egress interface group.
             -   IEEE 802.11 wireless interfaces are members of the wlan
                 interface group.
             -   Any interfaces used for network booting are members of the
                 netboot interface group.

As I learned the hard way, the following rule will not work without additional
configuration:

pass in quick on egress inet proto tcp from any to (egress) port 80

If I manually add the egress keyword to an interface it appears to work, but
doesn't show up in ifconfig output. You have to explicitly request group
members, which is confusing.

vm# ifconfig vtnet0 group egress
vm# ifconfig vtnet0
vtnet0: flags=8843 metric 0 mtu 1500
        options=6c03bb
        ether 52:54:00:4e:65:cf
        inet 108.61.119.181 netmask 0xffffff00 broadcast 108.61.119.255
        inet6 fe80::5054:ff:fe4e:65cf%vtnet0 prefixlen 64 scopeid 0x1
        inet6 2001:19f0:5c00:8014::64 prefixlen 64
        nd6 options=23
        media: Ethernet 10Gbase-T
        status: active
vm# ifconfig -g egress
vtnet0

vs OpenBSD's ifconfig output which clearly states the groups (except "all"):

$ ifconfig re0
re0: flags=28843 mtu 1500
        lladdr 00:0d:b9:34:19:5c
        description: charter
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
        status: active
        inet 68.117.126.78 netmask 0xfffffffc broadcast 68.117.126.79

The keywords do work once you manually add them to interfaces, but specifically
the concept of the "egress" and "ingress" keywords is defeated without them
being dynamically added to interfaces. It would be nice if we could improve the
ifconfig output and also dynamically add interfaces to some sane default
groups.

-- 
You are receiving this mail because:
You are the assignee for the bug.
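As an added example (not part of the bug report or of FreeBSD itself), a small sh script that does by hand what the report says FreeBSD does not do by default: it finds the interface(s) the IPv4 and IPv6 default routes point to and puts them in the egress group, so the quoted "on egress ... (egress)" pf rule resolves. It parses route(8) "get" output; the sample outputs below are constructed, the gateway addresses are made up, and the ifconfig calls only run on a FreeBSD host as root.

```shell
#!/bin/sh
# Added example: populate pf's "egress" interface group on FreeBSD by hand,
# since (per the report) no interface is placed in it automatically.

# Constructed sample of "route -n get default" output (gateway is made up).
SAMPLE_ROUTE4='   route to: default
destination: default
       mask: default
    gateway: 108.61.119.1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Constructed IPv6 default route that points at the same interface.
SAMPLE_ROUTE6='   route to: default
destination: default
    gateway: fe80::1%vtnet0
  interface: vtnet0'

# Print the interface named in route(8) "get" output read on stdin
# (prints nothing when there is no default route).
route_iface() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Given "route get" output for inet and inet6 (either may be empty), emit
# one "ifconfig IF group egress" command per distinct interface, so a host
# whose v4 and v6 default routes share an interface gets a single command.
egress_cmds() {
    printf '%s\n%s\n' "$1" "$2" |
        awk '$1 == "interface:" && !seen[$2]++ { print "ifconfig " $2 " group egress" }'
}

# Apply on a real FreeBSD host (needs root), then list the group members
# the way the report does with "ifconfig -g egress".
apply_egress() {
    [ "$(uname -s)" = FreeBSD ] || { echo "FreeBSD only" >&2; return 1; }
    r4=$(route -n get default 2>/dev/null)
    r6=$(route -n get -inet6 default 2>/dev/null)
    egress_cmds "$r4" "$r6" | sh
    ifconfig -g egress
}

# Invoke as "sh egress.sh apply" to change the running system.
if [ "${1:-}" = apply ]; then
    apply_egress
fi
```

Because membership set with ifconfig does not survive a reboot, a host that relies on this needs to rerun it at boot (for example from an rc script) before pf loads its ruleset.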