PF + if_bridge + rdr: rdr to bridge?

Erik Osterholm freebsd-lists-erik at erikosterholm.org
Thu Feb 8 19:32:41 UTC 2007


Hi all,

I have a network set up as such: 

             192.168.12.14
      -----    em1-----em0    -----
      | A |-------| B |-------| C |
      -----       -----       -----
 192.168.12.13           192.168.12.15

B is bridging with if_bridge.
C hosts a webserver.
A is the client.

I'm trying to selectively redirect connections from A -> C to instead
talk to a service listening on B's bridge0.  Nothing I try seems to
work, though I could have sworn that I'd gotten this working before.
Currently, connections simply hang when the rdr rule is in effect.
They pass through fine if I remove the rule or disable pf.

pf.conf:
--------
ext_if="em0"
int_if="em1"
bridge_if="bridge0"
local_addr="(bridge0)"

rdr pass on $int_if proto tcp from any to any port 80 -> $local_addr port 80

pass in all
pass out all


output of ifconfig:
-------------------
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether 00:30:48:43:7d:f8
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=8<VLAN_MTU>
	ether 00:30:48:43:7d:f9
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.12.14 netmask 0xffffff00 broadcast 192.168.12.255
	ether ce:ea:e5:cd:48:bb
	priority 32768 hellotime 2 fwddelay 15 maxage 20
	member: em1 flags=3<LEARNING,DISCOVER>
	member: em0 flags=3<LEARNING,DISCOVER>


rc.conf:
--------
usbd_enable="YES"
sendmail="NONE"

cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.12.14 addm em0 addm em1 up"

ifconfig_em0="up"
ifconfig_em1="up"

pf_enable="YES"



And I'll attach my dmesg.

Does anyone have any ideas or suggestions?  

Thanks,
Erik
-------------- next part --------------
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
	The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007
    root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
ACPI APIC Table: <IntelR AWRDACPI>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 2.00GHz (2000.35-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x4400<CNTX-ID,<b14>>
real memory  = 528416768 (503 MB)
avail memory = 507670528 (484 MB)
ioapic0 <Version 2.0> irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: <IntelR AWRDACPI> on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: <ACPI CPU> on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pci0: <ACPI PCI bus> on pcib0
agp0: <Intel 82845G (845G GMCH) SVGA controller> mem 0xe0000000-0xe7ffffff,0xec100000-0xec17ffff irq 16 at device 2.0 on pci0
agp0: detected 8060k stolen memory
agp0: aperture size is 128M
uhci0: <Intel 82801DB (ICH4) USB controller USB-A> port 0xb800-0xb81f irq 16 at device 29.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: <Intel 82801DB (ICH4) USB controller USB-A> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: <Intel 82801DB (ICH4) USB controller USB-B> port 0xb000-0xb01f irq 19 at device 29.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: <Intel 82801DB (ICH4) USB controller USB-B> on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: <Intel 82801DB (ICH4) USB controller USB-C> port 0xb400-0xb41f irq 18 at device 29.2 on pci0
uhci2: [GIANT-LOCKED]
usb2: <Intel 82801DB (ICH4) USB controller USB-C> on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> mem 0xec180000-0xec1803ff irq 23 at device 29.7 on pci0
ehci0: [GIANT-LOCKED]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: <Intel 82801DB/L/M (ICH4) USB 2.0 controller> on ehci0
usb3: USB revision 2.0
uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
pcib1: <ACPI PCI-PCI bridge> at device 30.0 on pci0
pci1: <ACPI PCI bus> on pcib1
em0: <Intel(R) PRO/1000 Network Connection Version - 6.2.9> port 0xa000-0xa03f mem 0xec000000-0xec01ffff irq 22 at device 5.0 on pci1
em0: Ethernet address: 00:30:48:43:7d:f8
em1: <Intel(R) PRO/1000 Network Connection Version - 6.2.9> port 0xa400-0xa43f mem 0xec020000-0xec03ffff irq 23 at device 6.0 on pci1
em1: Ethernet address: 00:30:48:43:7d:f9
isab0: <PCI-ISA bridge> at device 31.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel ICH4 UDMA100 controller> port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xcc00-0xcc0f mem 0xec181000-0xec1813ff at device 31.1 on pci0
ata0: <ATA channel 0> on atapci0
ata1: <ATA channel 1> on atapci0
pci0: <serial bus, SMBus> at device 31.3 (no driver attached)
acpi_tz0: <Thermal Zone> on acpi0
fdc0: <floppy drive controller> port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: <ECP parallel printer port> port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: <Parallel port bus> on ppc0
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
pmtimer0 on isa0
orm0: <ISA Option ROMs> at iomem 0xcc000-0xcd7ff,0xce000-0xcf7ff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2000345264 Hz quality 800
Timecounters tick every 1.000 msec
ad0: 38166MB <WDC WD400JB-00JJC0 05.01C05> at ata0-master UDMA100
acd0: CDROM <CD-224E/1.9A> at ata1-master UDMA33
Trying to mount root from ufs:/dev/ad0s1a
bridge0: Ethernet address: ea:cb:bc:08:90:86
em0: link state changed to UP
em1: link state changed to UP
em0: link state changed to DOWN
em1: link state changed to DOWN
em1: link state changed to UP
em0: link state changed to UP
em1: promiscuous mode disabled
em0: promiscuous mode disabled
em1: link state changed to DOWN
em0: link state changed to DOWN
bridge0: Ethernet address: ce:ea:e5:cd:48:bb
em0: promiscuous mode enabled
em1: promiscuous mode enabled
em0: link state changed to UP
em1: link state changed to UP