[Bug 194925] New: [pf] [ifconfig] interface group keywords do not work by default
bugzilla-noreply at freebsd.org
Mon Nov 10 13:36:16 UTC 2014
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=194925
Bug ID: 194925
Summary: [pf] [ifconfig] interface group keywords do not work by default
Product: Base System
Version: 10.0-RELEASE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: feld at FreeBSD.org
pf offers the ability to use interface groups to build dynamic rules or to
simplify your ruleset. It also makes them more portable to other servers which
might have different interface names, etc. While testing my firewall with
FreeBSD instead of OpenBSD I was having a lot of trouble with my rules until I
identified that the group keywords were not working.
From FreeBSD's pf.conf(5):
on <interface>
This rule applies only to packets coming in on, or going out
through, this particular interface or interface group. For more
information on interface groups, see the group keyword in
ifconfig(8). any will match any existing interface except
loopback ones.
So our ifconfig needs to support groups, which it appears to do according to
our ifconfig(8):
group group-name
        Assign the interface to a “group”. Any interface can be in multiple
        groups.
        Cloned interfaces are members of their interface family group by
        default. For example, a PPP interface such as ppp0 is a member
        of the PPP interface family group, ppp.
The problem appears to be that we do not have interfaces in groups by default.
OpenBSD has the following in their ifconfig(8):
Some interfaces belong to specific groups by default:
- All interfaces are members of the all interface group.
- Cloned interfaces are members of their interface family group. For example, a PPP interface such as ppp0 is a member of the ppp interface family group.
- pppx(4) interfaces are members of the pppx interface group.
- The interface(s) the default route(s) point to are members of the egress interface group.
- IEEE 802.11 wireless interfaces are members of the wlan interface group.
- Any interfaces used for network booting are members of the netboot interface group.
As I learned the hard way, the following rule will not work without additional
configuration:
pass in quick on egress inet proto tcp from any to (egress) port 80
If I manually add the egress keyword to an interface it appears to work, but
doesn't show up in ifconfig output. You have to explicitly request group
members which is confusing.
vm# ifconfig vtnet0 group egress
vm# ifconfig vtnet0
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether 52:54:00:4e:65:cf
inet 108.61.119.181 netmask 0xffffff00 broadcast 108.61.119.255
inet6 fe80::5054:ff:fe4e:65cf%vtnet0 prefixlen 64 scopeid 0x1
inet6 2001:19f0:5c00:8014::64 prefixlen 64
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet 10Gbase-T <full-duplex>
status: active
vm# ifconfig -g egress
vtnet0
vs OpenBSD's ifconfig output which clearly states the groups (except "all"):
$ ifconfig re0
re0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:0d:b9:34:19:5c
description: charter
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master,rxpause,txpause)
status: active
inet 68.117.126.78 netmask 0xfffffffc broadcast 68.117.126.79
The keywords do work once you manually add them to interfaces, but specifically
the concept of the "egress" and "ingress" keywords is defeated without them
being dynamically added to interfaces. It would be nice if we could improve the
ifconfig output and also dynamically add interfaces to some sane default
groups.
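As an added example (not part of the bug report or of FreeBSD), a small sh helper that does by script what the report does by hand: it finds the interface the default route points to from `route -n get default` output and assigns it to the egress group, skipping the assignment when `ifconfig -g egress` already lists it. The function names and the sample route output are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: tag the default-route interface with
# the "egress" group so that a rule such as
#   pass in quick on egress inet proto tcp from any to (egress) port 80
# has something to resolve to on a FreeBSD host. Function names are made up.

# Extract the interface name from `route -n get default` output (FreeBSD
# prints one "key: value" per line). Prints nothing if there is no default route.
egress_iface_from_route() {
    printf '%s\n' "$1" | awk '$1 == "interface:" { print $2; exit }'
}

# True if $1 appears in the member list $2 as printed by `ifconfig -g egress`
# (one interface name per line); used to keep the assignment idempotent.
in_egress_group() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# The ifconfig(8) invocation from the report, rendered as a string so a dry
# run can show it without running it.
egress_group_cmd() {
    printf 'ifconfig %s group egress\n' "$1"
}

# Constructed sample of `route -n get default` output on a FreeBSD host.
SAMPLE_ROUTE='   route to: default
destination: default
       mask: default
    gateway: 192.0.2.1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>'

if [ "${1:-}" = "--apply" ]; then
    # Live mode (needs root): read the real routing table, add the group once.
    iface=$(egress_iface_from_route "$(route -n get default 2>/dev/null)")
    if [ -n "$iface" ] && ! in_egress_group "$iface" "$(ifconfig -g egress)"; then
        ifconfig "$iface" group egress
    fi
else
    # Dry run on the constructed sample: print the command that would be run.
    iface=$(egress_iface_from_route "$SAMPLE_ROUTE")
    egress_group_cmd "$iface"
fi
# Assumed, not verified here: the same "group egress" words can be appended to
# the ifconfig_<if> string in rc.conf, which rc.d/netif passes to ifconfig(8),
# to make the assignment survive a reboot.
```

Run without arguments for the dry run; `--apply` performs the assignment against the live routing table.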