Howdy, list,
I'm trying to deal with the problem of DHCP-assigned default routes
in a pf config file, and what I've come up with is a script to drive
dhclient on external interfaces and extract the routing info for use
in route-to (interface gateway) rules.
So then I have two ways of feeding this info to pf:
1. compose a new config file containing the new routes and feed it to pf,
in which case I use macros to define the gateways, e.g.
ext_gw1 = "1.2.4.5"
ext_gw2 = "5.6.7.8"
which gives me a rule like:
pass in on $int_if route-to { ($ext_if1 $ext_gw1) } proto tcp from $int_clients
to any flags S/SA modulate state
2. use a pf config that carries these routes as <table> entries:
table <ext_gw1> { 1.2.3.4 }
table <ext_gw2> { 5.6.7.8 }
which gives rules like:
pass in on $int_if route-to { ($ext_if1 <ext_gw1>) } proto tcp from
$int_clients to any flags S/SA modulate state
that can then be modified by
#get and delete the current table value
pfctl -t ext_gw1 -T show
pfctl -t ext_gw1 -T delete 1.2.3.4
#add the new value derived from dhclient
pfctl -t ext_gw1 -T add 4.3.2.1
So now to the question: does the use of tables in the rulesets add a lot
of extra CPU load over the use of macros, or does either of these approaches
have obvious advantages over the other?
Thanks,
Dhu
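As an added example, not part of the original post and not the author's script: a POSIX sh sketch of the dhclient-to-pf update for both approaches above. Everything in it is an assumption of mine, not something the post states: the OpenBSD-style dhclient.leases syntax, the interface-to-table pairing (em0 to ext_gw1, em1 to ext_gw2), and the constructed sample lease data. It uses `pfctl -T replace` to swap a table entry in one call rather than show/delete/add, and `pfctl -D macro=value -f pf.conf` to redefine a macro at load time instead of composing a new config file; both are documented pfctl options. It also validates the gateway before it reaches pfctl, because the lease file carries whatever the DHCP server sent.

```sh
#!/bin/sh
# Added example, not code from the original post. It takes the gateway that
# dhclient recorded for an interface out of a dhclient.leases-style file and
# pushes it into pf in both of the ways the post describes.
# Assumptions (mine, not the post's): OpenBSD-style lease syntax, one table
# or macro per external interface, and PFCTL overridable for dry runs.

PFCTL=${PFCTL:-pfctl}
PF_CONF=${PF_CONF:-/etc/pf.conf}

# Constructed sample lease file: two leases for em0 (the later one is the
# current one after a renewal) and one for em1.
SAMPLE_LEASES='lease {
  interface "em0";
  fixed-address 192.0.2.10;
  option routers 192.0.2.1;
}
lease {
  interface "em1";
  fixed-address 198.51.100.20;
  option routers 198.51.100.1;
}
lease {
  interface "em0";
  fixed-address 192.0.2.11;
  option routers 192.0.2.254;
}'

# dhcp_gateway IFACE < leasefile
# Print the router from the last complete lease block for IFACE; print
# nothing if there is none. The last block wins so a renewal overrides an
# older lease.
dhcp_gateway() {
    awk -v want="$1" '
        /^lease/         { cur = ""; gw = "" }
        /interface "/    { sub(/.*interface "/, ""); sub(/".*/, ""); cur = $0 }
        /option routers/ { sub(/.*routers +/, ""); sub(/[;,].*/, ""); gw = $0 }
        /^}/ && cur == want && gw != "" { last = gw }
        END { if (last != "") print last }
    '
}

# is_ipv4 ADDR
# Succeed only for a dotted quad whose four octets are all 0-255. The lease
# file is written from what the DHCP server sent, so check the value before
# it becomes a pfctl argument.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
    '
}

# pf_set_gateway_table TABLE GW
# Approach 2 from the post. "-T replace" swaps the old entry for the new one
# in a single pfctl call instead of show/delete/add, and touches only the
# table; the rest of the ruleset is left alone.
pf_set_gateway_table() {
    is_ipv4 "$2" || { echo "refusing bad gateway for $1: '$2'" >&2; return 1; }
    "$PFCTL" -t "$1" -T replace "$2"
}

# pf_set_gateway_macro MACRO GW
# Approach 1 from the post, without composing a new file: -D defines the
# macro on the command line and overrides its definition in pf.conf. This
# reloads the whole ruleset, so it is the heavier of the two operations.
pf_set_gateway_macro() {
    is_ipv4 "$2" || { echo "refusing bad gateway for $1: '$2'" >&2; return 1; }
    "$PFCTL" -D "$1=$2" -f "$PF_CONF"
}

# main [LEASEFILE]
# Update the table for each external interface. With no argument, dry-run
# against the constructed sample with echo standing in for pfctl.
main() {
    if [ $# -eq 0 ]; then
        PFCTL=echo
        leases=$SAMPLE_LEASES
    else
        leases=$(cat "$1")
    fi
    for pair in em0:ext_gw1 em1:ext_gw2; do
        iface=${pair%%:*}
        table=${pair#*:}
        gw=$(printf '%s\n' "$leases" | dhcp_gateway "$iface")
        if [ -z "$gw" ]; then
            echo "no lease for $iface, leaving <$table> alone" >&2
            continue
        fi
        pf_set_gateway_table "$table" "$gw"
    done
}

main "$@"
```

Run it with no arguments to see the pfctl command lines it would issue for the sample leases, or with the path to a real lease file to apply them. The design difference between the two functions is the point of the example: the table path changes one kernel table and nothing else, while the macro path has to parse and reload the whole ruleset on every lease change, which is the part to avoid doing on each renewal.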