PF: Use device or address from default route in a rule? - BSD

  1. PF: Use device or address from default route in a rule?

    Dumb question about PF: How can I use the target device and IP address
    of a route in a rule?

    Details: I run an OpenBSD machine as a router / firewall / NAT server.
    It routes from the internal network (let's assume 192.168.0.0/24).
    The external network is usually a high-speed link, accessible via
    Ethernet (say tl0 for consistency with the PF FAQ). This gives rise to
    the following NAT rule:
    nat on tl0 from 192.168.0.0/24 to any -> (tl0)

    The problem I'm trying to solve is the following: Occasionally, the
    high-speed link fails, and I have to switch to using ppp over a modem.
    And every time I switch between the high-speed link and ppp, I have to
    replace the PF rules to modify NAT, for example to:
    nat on tun0 from 192.168.0.0/24 to any -> (tun0)

    Side remark: In reality the above rule is expressed through
    variables, and actually looks like this:
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    Observe the parentheses around the last $ext_if: This rule
    automatically tracks any changes in the IP address of the external
    network.

    Right now, the change in NAT rules is done by having two versions of
    the /etc/pf.conf file, which are generated from common source code by
    a script. Then the PF configuration is automatically changed by
    executing commands such as "pfctl -f /etc/pf_{ppp,ether}.conf" in the
    /etc/ppp/ppp.link{up,down} scripts. This happens to work, but is a
    bit complex, and error prone when other administrators work on the
    system, and find this non-standard configuration.

    But there is a much easier indicator of what link should be used for
    NAT, namely the default route. The ppp subsystem already changes the
    default route correctly, and restores it when ppp comes down.

    The PF system already knows how to track changing IP addresses of
    network devices. Wouldn't it be nice if it also could track routes,
    and either the target IP address of the route, or which devices the
    routes go to? Imagine I could use the syntax "addr:route" and
    "addr:r_dev" in pf.conf to determine the target IP address and the
    target device a particular route goes over, then I would love to
    rewrite the above rule as:
    nat on (0/0:r_dev) from $int_if:network to any -> (0/0:route)
    where the parentheses again indicate that the device and address are
    to be re-evaluated at rule execution time, not rule load time, so the
    configuration automatically tracks.

    As far as I can see, this can not be accomplished with today's PF, or
    did I miss something? In filtering rules there is the option to use
    "route

  2. Re: PF: Use device or address from default route in a rule?

    usenet@lr.los-gatos.ca.us writes:

    > The problem I'm trying to solve is the following: Occasionally, the
    > high-speed link fails, and I have to switch to using ppp over a modem.


    have you looked into configuring a trunk interface? (man 4 trunk)

    --
    Peter N. M. Hansteen, member of the first RFC 1149 implementation team
    http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
    "First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
    20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds

  3. Re: PF: Use device or address from default route in a rule?

    usenet@lr.los-gatos.ca.us wrote:
    > Dumb question about PF: How can I use the target device and IP address
    > of a route in a rule?


    This is, to the best of my knowledge, not currently possible.

    Joachim

  4. Re: PF: Use device or address from default route in a rule?


    usenet@lr.los-gatos.ca.us wrote:
    > Dumb question about PF: How can I use the target device and IP address
    > of a route in a rule?
    >
    > Details: I run an OpenBSD machine as a router / firewall / NAT server.
    > It routes from the internal network (let's assume 192.168.0.0/24).
    > The external network is usually a high-speed link, accessible via
    > Ethernet (say tl0 for consistency with the PF FAQ). This gives rise to
    > the following NAT rule:
    > nat on tl0 from 192.168.0.0/24 to any -> (tl0)
    >
    > The problem I'm trying to solve is the following: Occasionally, the
    > high-speed link fails, and I have to switch to using ppp over a modem.
    > And every time I switch between the high-speed link and ppp, I have to
    > replace the PF rules to modify NAT, for example to:
    > nat on tun0 from 192.168.0.0/24 to any -> (tun0)
    >
    > Side remark: In reality the above rule is expressed through
    > variables, and actually looks like this:
    > nat on $ext_if from $int_if:network to any -> ($ext_if)
    > Observe the parentheses around the last $ext_if: This rule
    > automatically tracks any changes in the IP address of the external
    > network.
    >
    > Right now, the change in NAT rules is done by having two versions of
    > the /etc/pf.conf file, which are generated from common source code by
    > a script. Then the PF configuration is automatically changed by
    > executing commands such as "pfctl -f /etc/pf_{ppp,ether}.conf" in the
    > /etc/ppp/ppp.link{up,down} scripts. This happens to work, but is a
    > bit complex, and error prone when other administrators work on the
    > system, and find this non-standard configuration.
    >
    > But there is a much easier indicator of what link should be used for
    > NAT, namely the default route. The ppp subsystem already changes the
    > default route correctly, and restores it when ppp comes down.
    >
    > The PF system already knows how to track changing IP addresses of
    > network devices. Wouldn't it be nice if it also could track routes,
    > and either the target IP address of the route, or which devices the
    > routes go to? Imagine I could use the syntax "addr:route" and
    > "addr:r_dev" in pf.conf to determine the target IP address and the
    > target device a particular route goes over, then I would love to
    > rewrite the above rule as:
    > nat on (0/0:r_dev) from $int_if:network to any -> (0/0:route)
    > where the parentheses again indicate that the device and address are
    > to be re-evaluated at rule execution time, not rule load time, so the
    > configuration automatically tracks.
    >
    > As far as I can see, this can not be accomplished with today's PF, or
    > did I miss something? In filtering rules there is the option to use
    > "route


    This you can simply do by applying the rules to the egress interface
    group. This group contains the interfaces pointing to the default route.
    See man ifconfig -> interface groups
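
    What the egress suggestion looks like as a complete single ruleset, written
    here as an added example (it is not from any post in the thread). It keeps
    the NAT rule from the first post but replaces the hard-coded tl0/tun0 with
    the egress group; the LAN interface name rl0 is an assumption, and the
    kernel is assumed to keep egress pointed at whichever interface carries the
    default route, as ifconfig(8) documents.

    ```pf
    # /etc/pf.conf -- one ruleset that follows the default route.
    # Added example, not the thread's own configuration. Assumes the LAN
    # is on rl0 (hypothetical name). "egress" is the kernel-maintained
    # interface group holding the interface(s) the default route points to:
    # tl0 while the Ethernet uplink is up, tun0 once ppp(8) installs its
    # own default route, and back again when ppp.linkdown restores it.

    int_if = "rl0"

    # Pre-OpenBSD-4.7 syntax, matching the rules quoted in the thread.
    # The group name replaces tl0/tun0; the parentheses make PF look up the
    # group's address on every packet rather than once at load time, so the
    # translation address tracks the default route without reloading.
    nat on egress from $int_if:network to any -> (egress)

    # Equivalent rule in the syntax used from OpenBSD 4.7 on, where NAT is
    # an option of a "match" rule (do not mix it with "nat" rules above):
    #   match out on egress inet from $int_if:network to any nat-to (egress)

    block in log all
    pass quick on lo0
    pass in on $int_if from $int_if:network to any keep state
    pass out on egress keep state
    ```

    Before relying on it, check `ifconfig egress` while each uplink is active to
    confirm the group contains only the interface you expect, and run
    `pfctl -nf /etc/pf.conf` to syntax-check the file. Two caveats: if more than
    one default route exists at the same time, egress holds more than one
    interface and `(egress)` expands to all of their addresses; and states that
    were already translated to the old uplink's address do not migrate when the
    default route flips, so existing sessions have to be re-established on the
    new link either way.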

