On Fri, Jul 28, 2006 at 12:49:32PM -0700, andrew fresh wrote:
> 
> Is this something I am doing wrong, or is it a bug I should file?  
> 
> The problem I am seeing is that there are 2 interfaces in the "wild"
> group.  If you look at the output below, you will see that in the first
> conf file the 192.168.206.0 address is in the output, but in the second
> one, the address is not there.

  this seems like duplicating it.  the last 'group' gets all its IPs,
  the earlier groups only get the first (?) iface:

$ sudo ifconfig lo10 create
$ sudo ifconfig lo11 create
$ sudo ifconfig lo12 create
$ sudo ifconfig lo13 create
$ sudo ifconfig lo10 inet 192.168.10.1 netmask 0xffffff00 group even
$ sudo ifconfig lo12 inet 192.168.12.1 netmask 0xffffff00 group even
$ sudo ifconfig lo11 inet 192.168.11.1 netmask 0xffffff00 group odd
$ sudo ifconfig lo13 inet 192.168.13.1 netmask 0xffffff00 group odd
$ ifconfig even
lo10: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo even
        inet 192.168.10.1 netmask 0xffffff00
lo12: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo even
        inet 192.168.12.1 netmask 0xffffff00
$ ifconfig odd
lo11: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo odd
        inet 192.168.11.1 netmask 0xffffff00
lo13: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo odd
        inet 192.168.13.1 netmask 0xffffff00
$ echo "pass inet to { even odd }" | pfctl -nvf-
pass inet from any to 192.168.10.1
pass inet from any to 192.168.11.1
pass inet from any to 192.168.13.1
$ echo "pass inet to { odd even }" | pfctl -nvf-
pass inet from any to 192.168.11.1
pass inet from any to 192.168.10.1
pass inet from any to 192.168.12.1
$ echo "pass inet to { odd:network even:network }" | pfctl -nvf-
pass inet from any to 192.168.11.0/24
pass inet from any to 192.168.10.0/24
pass inet from any to 192.168.12.0/24
$ echo "pass inet to { even:network odd:network }" | pfctl -nvf-        
pass inet from any to 192.168.10.0/24
pass inet from any to 192.168.11.0/24
pass inet from any to 192.168.13.0/24
$ sudo ifconfig lo20 create
$ sudo ifconfig lo21 create
$ sudo ifconfig lo20 inet 192.100.20.1 netmask 0xffffff00 group tapioca
$ sudo ifconfig lo21 inet 192.100.19.1 netmask 0xffffff00 group tapioca
$ echo "pass inet to { even:network tapioca even:network }" | pfctl -nvf-
pass inet from any to 192.168.10.0/24
pass inet from any to 192.100.20.1
pass inet from any to 192.168.10.0/24
pass inet from any to 192.168.12.0/24
$ echo "pass inet to { even:network tapioca odd:network }" | pfctl -nvf- 
pass inet from any to 192.168.10.0/24
pass inet from any to 192.100.20.1
pass inet from any to 192.168.11.0/24
pass inet from any to 192.168.13.0/24
$ ifconfig tapioca
lo20: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo tapioca
        inet 192.100.20.1 netmask 0xffffff00
lo21: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo tapioca
        inet 192.100.19.1 netmask 0xffffff00

OpenBSD 4.0-beta (GENERIC) #1026: Wed Jul 26 20:35:18 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

  maybe in the meantime it would work if you put the iface in 
  parens?  it's a guess, but perhaps then it would be up to pf
  to act how you imagine it ought to, instead of pfctl.

--

  jared
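
Added example, not part of the original message: a shell check that lists the group member addresses missing from pfctl's expansion of a bare group name, run over sample data constructed from the transcript above. The helper names (group_addrs, rule_addrs, missing_addrs) are hypothetical, and it covers only the host-address form, not the :network form.

```shell
#!/bin/sh
# Added example; the sample data is constructed from the transcript in the message.
# Helper names are hypothetical. Compares host addresses only (no :network CIDRs).

# ifconfig output for the members of groups "even" and "odd"
GROUP_OUT='lo10: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo even
        inet 192.168.10.1 netmask 0xffffff00
lo12: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo even
        inet 192.168.12.1 netmask 0xffffff00
lo11: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo odd
        inet 192.168.11.1 netmask 0xffffff00
lo13: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo odd
        inet 192.168.13.1 netmask 0xffffff00'

# pfctl -nvf- output for "pass inet to { even odd }" and "{ odd even }"
PF_EVEN_ODD='pass inet from any to 192.168.10.1
pass inet from any to 192.168.11.1
pass inet from any to 192.168.13.1'
PF_ODD_EVEN='pass inet from any to 192.168.11.1
pass inet from any to 192.168.10.1
pass inet from any to 192.168.12.1'

# Print every inet address found in ifconfig output read from stdin.
group_addrs() {
    awk '$1 == "inet" { print $2 }'
}

# Print the destination (the word after "to") of each expanded rule on stdin.
rule_addrs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "to") print $(i + 1) }'
}

# missing_addrs IFCONFIG_TEXT PFCTL_TEXT
# Print each group address that no expanded rule names as its destination.
missing_addrs() {
    printf '%s\n' "$1" | group_addrs | while read -r addr; do
        printf '%s\n' "$2" | rule_addrs | grep -qxF -- "$addr" ||
            printf '%s\n' "$addr"
    done
}

# Live use: missing_addrs "$(ifconfig even; ifconfig odd)" \
#     "$(echo 'pass inet to { even odd }' | pfctl -nvf-)"
echo "{ even odd } omits: $(missing_addrs "$GROUP_OUT" "$PF_EVEN_ODD")"
echo "{ odd even } omits: $(missing_addrs "$GROUP_OUT" "$PF_ODD_EVEN")"
```

An empty result means every address in the listed groups appears in the expanded rules.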
