kern/94694: pf don't follow IP changes on IF-defined rules

Gergely CZUCZY phoemix at harmless.hu
Sun Mar 19 16:00:48 UTC 2006


>Number:         94694
>Category:       kern
>Synopsis:       pf don't follow IP changes on IF-defined rules
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 19 16:00:45 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Gergely CZUCZY
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
none
>Environment:
FreeBSD beeblebrox.harmless.lan 6.0-STABLE FreeBSD 6.0-STABLE #1: Wed Feb  1 22:18:02 CET 2006     root at beeblebrox.harmless.lan:/usr/obj/usr/src/sys/BEEBLEBROX  i386

>Description:
If you have a rule in your pf configuration where you specify the interface's
name, and the IP address of the IF changes over time (think of dynamic-IP DSLs),
the resolved IP address of the interface in the ruleset is not updated.

In my case, the rule is as follows:
--- chop with axe here ---
if_ppp="tun0"
nat on $if_ppp from <natnets> to !10.0.0.0/8 -> $if_ppp
--- chop with axe here ---

On config file loading it's resolved to:
--- chop with axe here ---
nat on tun0 inet from <natnets> to ! 10.0.0.0/8 -> 213.178.112.51
--- chop with axe here ---

The IP address of the interface is resolved. When my PPP connection
is terminated by my ISP, and it reconnects, it may get a different
IP address. In these cases the already loaded ruleset will not follow
the change in the interface's address.

>How-To-Repeat:
1) Apply a rule to pf, where you specify the IP address by the
name of the interface.
2) Change the IP address of that IF.
3) The IP address in the loaded ruleset will remain the same.

>Fix:
I don't have a fix. I reload the ruleset by hand at these
times, but this is not a solution.
>Release-Note:
>Audit-Trail:
>Unformatted:
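As an added example (not part of this PR and not FreeBSD or pf code), the sh script below detects the stale-address condition the report describes: it extracts the translation address that pf resolved into the loaded NAT rule, compares it with the interface's current address, and reloads the ruleset when they differ. The `pfctl -sn` line is the one quoted in the report; the two `ifconfig` outputs are constructed samples, and the parsing helpers, `check_and_reload` and the 192.0.2.45 reconnect address are assumptions.

```shell
#!/bin/sh
# Added example: detect a pf NAT rule whose resolved address no longer
# matches the interface's current address, and reload the ruleset if so.
# Assumes FreeBSD-style pfctl(8) and ifconfig(8) output; samples are constructed.

# Constructed ifconfig output for tun0 before the PPP link was dropped.
SAMPLE_IFCONFIG_OLD="tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 213.178.112.51 --> 213.178.112.1 netmask 0xffffffff
	Opened by PID 512"

# Constructed ifconfig output after the ISP reconnected with a new address.
SAMPLE_IFCONFIG_NEW="tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 192.0.2.45 --> 192.0.2.1 netmask 0xffffffff
	Opened by PID 512"

# Extract the translation address ("-> A.B.C.D") from a pfctl -sn rule line.
# $1: a line such as "nat on tun0 inet from <natnets> to ! 10.0.0.0/8 -> 213.178.112.51"
rule_nat_addr() {
    printf '%s\n' "$1" | sed -n 's/.*-> *\([0-9][0-9.]*\).*/\1/p'
}

# Extract the first IPv4 address from ifconfig output.
# $1: the ifconfig output text
if_inet_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Exit 0 if the loaded rule is stale (addresses differ), 1 otherwise.
# $1: the pfctl -sn rule line; $2: the ifconfig output
rule_is_stale() {
    rule="$(rule_nat_addr "$1")"
    cur="$(if_inet_addr "$2")"
    [ -n "$rule" ] && [ -n "$cur" ] && [ "$rule" != "$cur" ]
}

# Live check, meaningful only on a pf host: reload /etc/pf.conf if the
# first NAT rule on the interface no longer matches its current address.
# $1: interface name, e.g. tun0
check_and_reload() {
    ifc="$1"
    line="$(pfctl -sn 2>/dev/null | grep "^nat on $ifc " | head -n 1)"
    ifo="$(ifconfig "$ifc" 2>/dev/null || true)"
    if rule_is_stale "$line" "$ifo"; then
        echo "stale NAT address on $ifc, reloading ruleset"
        pfctl -f /etc/pf.conf
    fi
}

# Usage: sh check_nat.sh tun0   (no interface given: only define the functions)
if [ $# -gt 0 ]; then
    check_and_reload "$1"
fi
```

On a user-ppp setup like the one in the report, this could be run from ppp's link-up hook (ppp.linkup, see ppp(8)) so the reload happens when the link comes back rather than by hand. Note also that pf.conf(5) documents writing the translation address as `($if_ppp)`, in parentheses, which makes pf itself track the interface's address changes instead of resolving it once at load time.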