route-to rule
Dag-Erling Smørgrav
des at des.no
Thu Sep 8 13:05:51 UTC 2011
According to the pf.conf(5) man page in FreeBSD 8.2, the address part of
the route-to destination is optional:
route          = ( "route-to" | "reply-to" | "dup-to" )
                 ( routehost | "{" routehost-list "}" )
                 [ pooltype ]
routehost      = "(" interface-name [ address [ "/" mask-bits ] ] ")"
routehost-list = routehost [ [ "," ] routehost-list ]
but pf complains of a syntax error if I leave it out, so
pass in on $lan2 route-to ($ext2) from ($lan2:network)
doesn't work, while
pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network)
does.
I realize that pf can't *know* the correct next-hop address for the
specified interface, but it can make a reasonable guess (first non-zero
address in $ext2:network), so hard-coding would only be required in
cases where the "reasonable guess" is incorrect or $ext2 has multiple IP
addresses.
Also, there does not seem to be a way to complement a host-list:
hosts     = "all" |
            "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
            "{" host-list "}" | "route" string ) [ port ] [ os ]
            "to" ( "any" | "no-route" | "self" | host |
            "{" host-list "}" | "route" string ) [ port ]
host      = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
host-list = host [ [ "," ] host-list ]
so you can say
{ $lan1:network, $lan2:network }
but not
! { $lan1:network, $lan2:network }
As a result, a rule such as
pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to !$lan2:network
means that traffic from $lan2:network to $lan1:network will be routed
through $ext2 instead of going directly to $lan1. I can add explicit
route-to rules to circumvent that, but I'd much rather use something
like this:
pass in on $lan2 route-to ($ext2 172.16.0.1) from ($lan2:network) to ! { $lan1:network, $lan2:network }
(I checked Reed's book and both editions of Hansteen's, but Reed makes no
sense, and Hansteen doesn't mention route-to at all)
DES
--
Dag-Erling Smørgrav - des at des.no
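An added example, not part of the message above and not the poster's own ruleset: a pf.conf fragment that reproduces the routing problem described (a route-to rule with "to !$lan2:network" also catches traffic bound for $lan1) and shows two ways to exempt the internal traffic using only syntax the quoted grammar supports. The interface names, the next-hop 172.16.0.1 and the 10.x.x.x networks are constructed for illustration; the table approach relies on the "host = [ "!" ] ( address | "<" string ">" )" production quoted in the message, which allows negating a single table even though it does not allow negating a host-list.

```pf
# Added example; macros and addresses are constructed, not taken from
# the original message.
ext2    = "em1"
lan1    = "em2"
lan2    = "em3"
ext2_gw = "172.16.0.1"      # next hop on $ext2; pf requires it spelled out

# Problem rule, as in the message: every packet from $lan2:network that
# is not destined for $lan2:network is forced out through $ext2.  That
# includes packets for $lan1:network, which should be forwarded directly.
pass in on $lan2 route-to ($ext2 $ext2_gw) from ($lan2:network) to !$lan2:network

# Workaround 1: rule ordering.  pf applies the *last* matching rule, so a
# later pass rule without route-to wins for $lan1-bound traffic and the
# packet follows the normal routing table instead.
pass in on $lan2 from ($lan2:network) to $lan1:network

# Workaround 2: collect the networks in a table and negate the table.
# "to ! { a, b }" is not grammatical, but "to !<table>" is.  Tables take
# literal prefixes, so the internal networks are written out here
# (constructed values; substitute the real $lan1/$lan2 prefixes).
table <internal> const { 10.1.0.0/24, 10.2.0.0/24 }
pass in on $lan2 route-to ($ext2 $ext2_gw) from ($lan2:network) to !<internal>
```

Before loading, check the syntax without touching the running ruleset with "pfctl -nf /etc/pf.conf", and confirm the expanded rules with "pfctl -sr"; only one of the two workarounds is needed in practice, and if both are present the later, non-route-to rule still decides $lan1-bound traffic because of last-match semantics.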