[Bug 194925] New: [pf] [ifconfig] interface group keywords do not work by default
bugzilla-noreply at freebsd.org
Mon Nov 10 13:36:16 UTC 2014
Bug ID: 194925
Summary: [pf] [ifconfig] interface group keywords do not work
Product: Base System
Status: Needs Triage
Severity: Affects Many People
Assignee: freebsd-bugs at FreeBSD.org
Reporter: feld at FreeBSD.org
pf offers the ability to use interface groups to build dynamic rules or to
simplify your ruleset. It also makes them more portable to other servers which
might have different interface names, etc. While testing my firewall with
FreeBSD instead of OpenBSD I was having a lot of trouble with my rules until I
identified that the group keywords were not working.
From FreeBSD's pf.conf(5):
This rule applies only to packets coming in on, or going out
through, this particular interface or interface group. For more
information on interface groups, see the group keyword in
ifconfig(8). any will match any existing interface except
So our ifconfig needs to support groups, which it appears to do according to
Assign the interface to a “group”. Any interface can be in mul‐
Cloned interfaces are members of their interface family group by
default. For example, a PPP interface such as ppp0 is a member
of the PPP interface family group, ppp.
The problem appears to be that we do not have interfaces in groups by default.
OpenBSD has the following in their ifconfig(8):
Some interfaces belong to specific groups by default:
- All interfaces are members of the all interface
- Cloned interfaces are members of their interface
family group. For example, a PPP interface such
as ppp0 is a member of the ppp interface family
- pppx(4) interfaces are members of the pppx
- The interface(s) the default route(s) point to
are members of the egress interface group.
- IEEE 802.11 wireless interfaces are members of
the wlan interface group.
- Any interfaces used for network booting are
members of the netboot interface group.
As I learned the hard way, the following rule will not work without additional
pass in quick on egress inet proto tcp from any to (egress) port 80
If I manually add the egress keyword to an interface it appears to work, but
it doesn't show up in ifconfig output. You have to explicitly request group
members, which is confusing.
vm# ifconfig vtnet0 group egress
vm# ifconfig vtnet0
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 22.214.171.124 netmask 0xffffff00 broadcast 126.96.36.199
inet6 fe80::5054:ff:fe4e:65cf%vtnet0 prefixlen 64 scopeid 0x1
inet6 2001:19f0:5c00:8014::64 prefixlen 64
media: Ethernet 10Gbase-T <full-duplex>
vm# ifconfig -g egress
vs OpenBSD's ifconfig output which clearly states the groups (except "all"):
$ ifconfig re0
re0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
media: Ethernet autoselect (1000baseT
inet 188.8.131.52 netmask 0xfffffffc broadcast 184.108.40.206
The keywords do work once you manually add them to interfaces, but specifically
the concept of the "egress" and "ingress" keywords is defeated without them
being dynamically added to interfaces. It would be nice if we could improve the
ifconfig output and also dynamically add interfaces to some sane default
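The workaround the report implies, putting the default-route interface into the "egress" group by hand so that rules like "pass in quick on egress" match, can be scripted. The following POSIX sh snippet is an added example and is not part of the bug report or of FreeBSD; it assumes FreeBSD's route(8) output format (the "interface:" line of "route -n get default") and that "ifconfig -g egress" prints one member per line. The route output embedded below is constructed sample text, and the helper names are hypothetical:

```shell
# Added example (not from the bug report): emulate OpenBSD's dynamic "egress"
# group on FreeBSD by adding the default-route interface to it.

# Extract the interface name from `route -n get default` output (read on
# stdin, so the parser can be exercised with constructed text).
iface_from_route_get() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Constructed sample of FreeBSD `route -n get default` output.
SAMPLE_ROUTE_GET='   route to: default
destination: default
       mask: default
    gateway: 192.0.2.1
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE,STATIC>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0'

# Returns the interface name parsed from the sample above ("vtnet0").
default_egress_iface() {
    printf '%s\n' "$SAMPLE_ROUTE_GET" | iface_from_route_get
}

# True if interface $1 appears in `ifconfig -g <group>` output read on stdin.
in_group() {
    grep -qx "$1"
}

# Live version: find the real default-route interface and add it to the
# egress group unless it is already a member. Idempotent, so it is safe to
# run again after the default route changes.
add_to_egress() {
    ifc=$(route -n get default 2>/dev/null | iface_from_route_get)
    [ -n "$ifc" ] || { echo "no default route interface found" >&2; return 1; }
    if ifconfig -g egress | in_group "$ifc"; then
        echo "$ifc is already in group egress"
    else
        ifconfig "$ifc" group egress && echo "added $ifc to group egress"
    fi
}
```

Because FreeBSD does not show groups in plain "ifconfig <if>" output, "ifconfig -g egress" is the check to run after the script; once it lists the interface, a rule such as "pass in quick on egress inet proto tcp from any to (egress) port 80" has something to match.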