Rule doubt

Daniel Hartmeier daniel at benzedrine.cx
Thu Sep 27 13:14:47 PDT 2007


On Thu, Sep 27, 2007 at 01:24:45PM -0300, David Verzolla wrote:

> Is it possible to create a rule that can match all the traffic designated to a specific interface?
> 
> Example:
> 
> pass in on $vlan10 from <vlan10> to (the interface, not the address) $ext_if
> 
> The $ext_if:network doesn't work for me.

Not with the "to" keyword. That keyword always means "compare the
destination IP address of the packet with ...", it never means "compare
the interface the packet would be routed out to", even if the English
language might allow for both meanings.

At the point in time when pf filters an incoming packet, the routing
table has not been consulted yet, and it is not yet decided what the
outgoing interface will be[1].

Assuming what you want to express is "pass in on $vlan10 packets that
will get routed out on $ext_if (no matter what the destination IP
address of the packet is)", you can use the "tag"/"tagged" keywords for
that, i.e. pass in all packets on $vlan10 and tag them. Then filter so
tagged packets on all possible outgoing interfaces, and only allow them
on $ext_if.

With a known static routing table, this is usually not necessary, as the
destination IP address will determine the outgoing interface, and
restricting based on the IP address with "to" will suffice.

Daniel

[1] In OpenBSD, there are "route labels". You can assign labels to routing
    table entries. Then filter incoming packets based on the label of
    the matching routing table entry (forcing an early lookup), like in

      pass in on $vlan10 to route <label>

    This is not yet available in FreeBSD, IIRC.
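The tag/tagged arrangement described in the reply, written out as a pf.conf fragment. This is an added example, not from the original message; the interface names, the table contents and the tag name are assumptions.

```pf
# Added example (not from the original post). Assumed macro and table values:
ext_if = "em0"
vlan10 = "vlan10"
table <vlan10> { 10.0.10.0/24 }

# Let packets from <vlan10> in on $vlan10 and mark them, without deciding
# yet where they may go (the outgoing interface is unknown at this point).
pass in on $vlan10 from <vlan10> tag VLAN10_IN

# Outbound: only $ext_if may carry the tagged packets. "quick" stops rule
# evaluation at the first match, so the order of these two rules matters.
pass out quick on $ext_if tagged VLAN10_IN
block out quick log tagged VLAN10_IN
```

Packets tagged on $vlan10 that the routing table sends to any interface other than $ext_if hit the final block rule and are logged, which is the cheapest way to confirm the policy is doing what was intended.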
