pf + ip alias + route-to interrogation

Constant, Benjamin bconstant at be.tiauto.com
Mon Nov 28 12:52:29 GMT 2005


Hello list,

I have some questions regarding source routing with the route-to option.

Here is what I try to setup:

I have two network interfaces on a box: one is dedicated to the LAN, the other
one is dedicated to the WAN.
On each of these interfaces there is 1 IP + 1 IP alias in another subnet
(the security aspect is not important here).

Here is the scheme:

10.1.1.0/24 -- 10.1.1.1                 192.168.1.2 -- gw1 [192.168.1.1]
                         [em0 FreeBSD em1]
10.1.2.0/24 -- 10.1.2.1(alias)          192.168.2.2(alias) -- gw2 [192.168.2.1]

I'm not performing NAT on this box. All the traffic coming from
10.1.1.0/24 is using the kernel routing table of the box and going to
gateway 192.168.1.1. I'm doing source routing for every packet coming from
10.1.2.0/24 and sending them to 192.168.1.2.
It is working correctly with the following /etc/pf.conf:

# macro definitions (no leading '$' when a macro is defined, only when it is expanded)
ext_if="em1"
int_if="em0"

# source-route everything from the 10.1.2.0/24 alias subnet via gw2
pass out quick on $ext_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 to any keep state
pass in quick on $int_if route-to ($ext_if 192.168.2.1) from 10.1.2.0/24 to any keep state

# default rules in case of policy change in future update
pass in all flags S/SA keep state
pass out all

I don't understand why I need to use keep state on each rule. If I remove
the keep state keyword, the first packet is using the route-to but the other
ones are using the kernel routing table. If I remove the quick keyword, it
doesn't work at all (it seems to fall into one of the last two rules depending
on how the traffic hits the box). In another mail I can read "unlike filter
rules, translation rules are first-match"; what is the policy for route-to?
I think it should be the same as for a simple pass or block rule, but am I
right?
Why do I have to use a "pass in on $int_if..." for all the traffic coming
from the LAN? The traffic should hit the pass out rule when it crosses the
box.
I can't perform a ping -S lan_ip_alias ip_to_reach; why isn't such traffic
using the pass out source routing rule?
This box is running 5.4-STABLE and the following pf.c revision: $FreeBSD:
src/sys/contrib/pf/net/pf.c,v 1.18.2.10 2005/08/06 01:54:11 mlaier Exp, which
seems to be the last commit for RELENG_5.

I'm a bit confused, can someone give me some more explanation? Thanks!

PS:

This message was also sent to the official pf mailing list to gather as much
information as possible.

Benjamin Constant
TI Automotive

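As an added illustration (not part of the original message), a small Python model of pf's filter-rule evaluation policy: rules are evaluated top to bottom and the last matching rule wins, unless a matching rule carries quick, which ends evaluation immediately. route-to is an option attached to an ordinary filter rule, so it follows that same policy; the model shows that without quick the trailing "pass out all" also matches the 10.1.2.0/24 traffic and overrides the route-to decision. State tracking is not modelled; the interface names and addresses are the ones from the post.

```python
# Constructed model of pf filter evaluation: last match wins, `quick` short-circuits.
# Only direction, interface and source address are matched; state is not modelled.
from ipaddress import ip_address, ip_network

def rule(direction, iface, src, quick=False, route_to=None):
    """One filter rule. iface 'any' stands for pf's 'all' (no 'on' clause)."""
    return {"direction": direction, "iface": iface, "src": ip_network(src),
            "quick": quick, "route_to": route_to}

def evaluate(rules, direction, iface, src_ip):
    """Return the rule that decides this packet under pf's policy."""
    src = ip_address(src_ip)
    winner = None
    for r in rules:
        if r["direction"] != direction:
            continue
        if r["iface"] not in ("any", iface):
            continue
        if src not in r["src"]:
            continue
        winner = r            # later matches replace earlier ones ...
        if r["quick"]:
            break             # ... unless the match says quick
    return winner

def next_hop(rules, direction, iface, src_ip):
    """route-to next hop imposed by the deciding rule, or None (kernel routing table)."""
    r = evaluate(rules, direction, iface, src_ip)
    return r["route_to"] if r else None

EXT_IF, INT_IF = "em1", "em0"

def ruleset(with_quick):
    """The poster's ruleset, with or without `quick` on the route-to rules."""
    return [
        rule("out", EXT_IF, "10.1.2.0/24", quick=with_quick, route_to="192.168.2.1"),
        rule("in", INT_IF, "10.1.2.0/24", quick=with_quick, route_to="192.168.2.1"),
        rule("in", "any", "0.0.0.0/0"),    # pass in all flags S/SA keep state
        rule("out", "any", "0.0.0.0/0"),   # pass out all
    ]

if __name__ == "__main__":
    for with_quick in (True, False):
        hop = next_hop(ruleset(with_quick), "out", EXT_IF, "10.1.2.7")
        print(f"quick={with_quick}: 10.1.2.7 out on {EXT_IF} -> "
              f"{hop or 'kernel routing table'}")
```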


More information about the freebsd-pf mailing list