Re: pf multiple match rules
Thank you for the reply. I have been trying some trial-and-error tests, and I came to a similar conclusion, but I would like to understand the design idea behind match rules. Who wins, the first or the last matching rule? Or do they all stick together? What if they are conflicting, like in this case? Thank you in advance,
-- 
Marko Cupać
Re: pf multiple match rules
On 05/07/2014 12:17 PM, Marko Cupać wrote:
> Thank you for the reply. I have been trying some trial-and-error tests, and I came to a similar conclusion, but I would like to understand the design idea behind match rules. Who wins, the first or the last matching rule? Or do they all stick together? What if they are conflicting, like in this case? Thank you in advance,

As Henning Brauer said, the rewrites are applied immediately. So the first match rule will rewrite the IP of the packet, and the second match rule will be evaluated on the new, rewritten IP. There is no winner: the packet is passed through all match rules, and the action is applied directly if the rule matches, from first to last.
Re: pf multiple match rules
On Wed, 07 May 2014 12:23:12 +0200 Blaise Hizded bla...@ovh.fr wrote:
> As Henning Brauer said, the rewrites are applied immediately. So the first match rule will rewrite the IP of the packet, and the second match rule will be evaluated on the new, rewritten IP. There is no winner: the packet is passed through all match rules, and the action is applied directly if the rule matches, from first to last.

Oh, I understand now, thank you for your explanation. The second match rule would not trigger simply because the source address of every request from 192.168.1.0/24 is already rewritten by the first match rule, so a packet coming from 192.168.1.55 is actually already counted as coming from the translated public address X.X.X.X.
-- 
Marko Cupać
Re: pf multiple match rules
On 05/07/2014 12:41 PM, Marko Cupać wrote:
> On Wed, 07 May 2014 12:23:12 +0200 Blaise Hizded bla...@ovh.fr wrote:
>> As Henning Brauer said, the rewrites are applied immediately. So the first match rule will rewrite the IP of the packet, and the second match rule will be evaluated on the new, rewritten IP. There is no winner: the packet is passed through all match rules, and the action is applied directly if the rule matches, from first to last.
>
> Oh, I understand now, thank you for your explanation. The second match rule would not trigger simply because the source address of every request from 192.168.1.0/24 is already rewritten by the first match rule, so a packet coming from 192.168.1.55 is actually already counted as coming from the translated public address X.X.X.X.

Yes, exactly, except if X.X.X.X is 192.168.1.55; then the second match rule will rewrite it to Y.Y.Y.Y. But that is the only case where your second rule can match.
pf multiple match rules
Hi,

with the following two match lines:

    match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
    match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y

and the following pass line:

    pass in on $int_if inet proto tcp from 192.168.1.55 to any

will the packets be translated to X.X.X.X or Y.Y.Y.Y?

Regards,
-- 
Marko Cupać
Re: pf multiple match rules
On 05/06/2014 12:54 PM, Marko Cupać wrote:
> Hi,
>
> with the following two match lines:
>
>     match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
>     match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y
>
> and the following pass line:
>
>     pass in on $int_if inet proto tcp from 192.168.1.55 to any
>
> will the packets be translated to X.X.X.X or Y.Y.Y.Y?
>
> Regards,

I think the first thing that happens is that the packet from 192.168.1.55 is passed into the router; then the first match rule will be applied, translating the packet to X.X.X.X, and the second will never match.

A simple way to know is to add 2 rules:

    pass log out on $ext_if inet proto tcp from X.X.X.X
    pass log out on $ext_if inet proto tcp from Y.Y.Y.Y

then tcpdump -i pflog0.
Re: pf multiple match rules
* Marko Cupać marko.cu...@mimar.rs [2014-05-06 12:55]:
> Hi,
>
> with the following two match lines:
>
>     match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
>     match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y
>
> and the following pass line:
>
>     pass in on $int_if inet proto tcp from 192.168.1.55 to any
>
> will the packets be translated to X.X.X.X or Y.Y.Y.Y?

Unable to say without knowing X.X.X.X. Packets hitting the first rule will get their src rewritten to X.X.X.X. If X.X.X.X happens to be 192.168.1.55, these packets will match your second match rule; if X.X.X.X is anything else, they won't. If Y.Y.Y.Y happens to be 192.168.1.55, these packets will match the pass rule; otherwise they won't.

I'm really saying here that rewrites are applied immediately (hurts a little to say that since I know the internals, but that's what the user-visible side is).

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
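The evaluation order the thread describes (match rules walked first to last, with each nat-to rewrite applied immediately so later rules see the rewritten source) can be modelled in a few lines. The following is an added example, not code from the thread or from pf itself: it simulates the two posted rules as written, the same rules with the host-specific rule moved first, and Henning's corner case where X.X.X.X is 192.168.1.55. X.X.X.X and Y.Y.Y.Y are placeholders on the list; the TEST-NET addresses 203.0.113.10 and 203.0.113.20 used below are assumed values for the example.

```python
# Added example (not from the thread or from pf): a model of pf match-rule
# evaluation as described on the list: rules are walked first to last and a
# nat-to rewrite takes effect immediately, so the next rule is matched
# against the already-rewritten source address.
from ipaddress import ip_address, ip_network

LAN = "192.168.1.0/24"
HOST = "192.168.1.55"
X = "203.0.113.10"   # assumed value standing in for X.X.X.X
Y = "203.0.113.20"   # assumed value standing in for Y.Y.Y.Y


class MatchRule:
    """One 'match out on $ext_if from <src> to any nat-to <addr>' line."""

    def __init__(self, src, nat_to):
        self.src = ip_network(src, strict=False)   # a host becomes a /32
        self.nat_to = ip_address(nat_to)

    def matches(self, addr):
        return addr in self.src


def apply_match_rules(src_addr, rules):
    """Walk the match rules first to last.

    Returns (final source address as a string, list of indexes of the rules
    that matched). A matching rule's nat-to is applied at once, so every
    following rule is evaluated on the rewritten address, not the original.
    """
    addr = ip_address(src_addr)
    hits = []
    for idx, rule in enumerate(rules):
        if rule.matches(addr):
            hits.append(idx)
            addr = rule.nat_to          # rewrite applied immediately
    return str(addr), hits


def original_order(src=HOST, x=X, y=Y):
    """The two rules exactly as posted: network rule first, host rule second."""
    rules = [MatchRule(LAN, x), MatchRule(HOST, y)]
    return apply_match_rules(src, rules)


def host_rule_first(src=HOST, x=X, y=Y):
    """Same two rules with the host-specific rule moved ahead of the network rule."""
    rules = [MatchRule(HOST, y), MatchRule(LAN, x)]
    return apply_match_rules(src, rules)


if __name__ == "__main__":
    print("rules as posted   :", original_order())
    print("host rule first   :", host_rule_first())
    print("other LAN host    :", host_rule_first("192.168.1.7"))
    # Henning's corner case: if X.X.X.X were 192.168.1.55 itself, the first
    # rewrite produces 192.168.1.55 and the second rule then matches too.
    print("X is 192.168.1.55 :", original_order(x=HOST))
```

With the rules as posted, a packet from 192.168.1.55 leaves as X.X.X.X and only the first rule matches; putting the host rule first makes it leave as Y.Y.Y.Y while the rest of the LAN still gets X.X.X.X, because Y.Y.Y.Y is not inside 192.168.1.0/24 and so does not re-match the network rule. The model only covers the source-address rewrite; verifying the real rule set still means the `pass log` rules and `tcpdump -i pflog0` check suggested earlier in the thread.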