Something in the documentation regarding VM network interface groups is
unclear to me.

I have created a switch and VM in /etc/vm.conf:

  switch "private" {
    interface bridge0
    group private
  }

  vm "test" {
    memory 2G
    disable
    disk /srv/vm/test.img
    interface { switch "private" }
  }

Which correctly creates a tap device with the group when started:

  tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
          lladdr fe:e1:ba:d9:26:d5
          description: vm4-if0-test
          index 15 priority 0 llprio 3
          groups: tap private
          status: active

The bridge is configured as:

  /etc/hostname.bridge0:add vether0
  /etc/hostname.vether0:inet 192.168.42.1 255.255.255.0

So far all well and good but attempting to craft pf rules to filter 'on
private' apparently has no effect.

This is my /etc/pf.conf (comments sanitised):

  set skip on lo

  block
  match in all scrub (no-df random-id max-mss 1440)
  antispoof quick for { egress wlan }

  match log on private proto tcp

  # NAT everything else
  match out on egress inet from !(egress:network) to !self nat-to (egress)

  # Permit inbound ssh
  pass in quick proto tcp from any to self port ssh

  # Open everything during testing
  pass quick

Specifically, the match log line doesn't record anything (verified with
tcpdump -i pflog0) with 'on private' but does with 'on vether'. So how
can I filter based on the interface group to which a VM or switch is
assigned as vm.conf(5) claims I can (in VM CONFIGURATION/interface/group)?

Have I made a mistake in my configuration somewhere, misunderstood the
documentation and how to use interface groups, or is this a bug? I am
using a freshly-installed 6.4 on amd64.

Thanks,

Matthew
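A small check to go with the post above (added here, not part of Matthew's mail or of OpenBSD): before debugging pf rules that use a group name, confirm which interfaces actually carry that group in ifconfig(8) output. The sample output embedded below is constructed, modelled on the tap0 block quoted in the mail; on a real host pass the output of `ifconfig -A` to the function instead. The function name and its file argument are my own choice.

```shell
#!/bin/sh
# Added example (not from the original mail): list the interfaces that belong
# to an interface group by parsing ifconfig(8) output. SAMPLE_IFCONFIG is a
# constructed sample, shaped like the tap0 block quoted in the post.

SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
vether0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d0:00:01
        index 5 priority 0 llprio 3
        groups: vether
        inet 192.168.42.1 netmask 0xffffff00 broadcast 192.168.42.255
bridge0: flags=41<UP,RUNNING> mtu 1500
        index 6 llprio 3
        groups: bridge
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d9:26:d5
        description: vm4-if0-test
        index 15 priority 0 llprio 3
        groups: tap private
        status: active'

# ifaces_in_group GROUP [FILE]
# Print, one per line, every interface whose "groups:" line contains GROUP.
# Reads ifconfig output from FILE (e.g. saved from `ifconfig -A`); when no
# FILE is given it reads the constructed sample above.
ifaces_in_group() {
    group=$1
    if [ -n "$2" ]; then
        input=$(cat "$2")
    else
        input=$SAMPLE_IFCONFIG
    fi
    printf '%s\n' "$input" | awk -v want="$group" '
        # An interface header is an unindented "name:" token at line start.
        /^[A-Za-z0-9]+:/ { cur = substr($1, 1, length($1) - 1); next }
        # The indented "groups:" line lists group names after the keyword;
        # compare whole fields so "private" does not match "privateX".
        $1 == "groups:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print cur; break }
        }'
}

# Usage on a live OpenBSD host:
#   ifconfig -A > /tmp/ifconfig.out && ifaces_in_group private /tmp/ifconfig.out
```

Against the sample, `ifaces_in_group private` prints only `tap0`, and `ifaces_in_group vether` prints `vether0`: the group name in a pf rule such as `match log on private` only expands to the interfaces listed here, so if the traffic you expect is being handled on vether0 or bridge0 rather than on the tap member, a rule on `private` will not see it.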
