pf filtering on trunk(4) to bridge(4) issues

Alexander Hall Wed, 26 Apr 2006 13:44:45 -0700

Hi all.

I've been trying to set up an trunk as an invisible failover connectionover ethernet/wireless to my gw (with its interfaces bridged), but Iwant to force the use of ipsec for any packet sent over the wirelessinterface.

However, filtering on a child interface of a trunk does not seem towork. Am I correct? Is there a (nice) way to solve this issue?

The corresponding ipsec-requiring filtering on the gw also seems tofail, since it happily accepts unencrypted traffic from the AP interface(sis1). In this case, though, I might have messed something up in the pfconfiguration, but if anyone know any bridge filtering caveats (possiblyincluding a third, non-bridged interface), please let me know.


Laptop and gateway configurations below.

$ Alexander


### Laptop ###

$ cat /etc/hostname.xl0
up

$ sudo cat /etc/hostname.ral0
nwid <secret> nwkey <secret> media autoselect
up

$ cat /etc/hostname.trunk0

-trunkport xl0
-trunkport ral0
! /sbin/ifconfig xl0 up
! /sbin/ifconfig ral0 up
trunkproto failover
trunkport xl0
trunkport ral0
dhcp NONE NONE NONE

$ grep -C4 trunk0 /etc/hotplug/attach
                ral0)
                        log "Initializing $DEVNAME"
                        sh /etc/netstart "$DEVNAME"

                        log "Initializing trunk0"
                        sh /etc/netstart trunk0

                        #log "Starting isakmpd"
                        #/sbin/isakmpd
                        ;;

$ sudo cat /etc/pf.conf | grep '^[^#]'
wlan_if="ral0"
block return on $wlan_if
pass in  on $wlan_if proto esp to   ($wlan_if) keep state
pass out on $wlan_if proto esp from ($wlan_if) keep state
pass in  on $wlan_if proto udp to   ($wlan_if) port isakmp keep state
pass out on $wlan_if proto udp from ($wlan_if) port isakmp keep state
pass in  on $wlan_if proto tcp to   ($wlan_if) port ssh keep state
pass out on $wlan_if proto tcp from ($wlan_if) port ssh keep state

$ dmesg # With some noice in the end, adding and removing stuff
OpenBSD 3.9-current (GENERIC) #711: Sun Apr 23 18:57:08 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

cpu0: Intel(R) Pentium(R) III Mobile CPU 866MHz ("GenuineIntel"686-class) 864 MHzcpu0:FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 670474240 (654760K)
avail mem = 604033024 (589876K)
using 4278 buffers containing 33628160 bytes (32840K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 05/16/03, BIOS32 rev. 0 @ 0xffe90
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, charging, estimated 3:54 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbb90/208 (11 entries)

pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371 ISA and IDE"rev 0x00)

pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc0000/0x10000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82830MP CPU-I/O-1" rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel 82830MP CPU-AGP" rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M6 LY" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801CA/CAM USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x41
pci2 at ppb1 bus 2

xl0 at pci2 dev 0 function 0 "3Com 3c905C 100Base-TX" rev 0x78: irq 11,address 00:06:5b:36:f8:e1

exphy0 at xl0 phy 24: 3Com internal media interface

cbb0 at pci2 dev 1 function 0 "Texas Instruments PCI1420 CardBus" rev0x00: irq 11cbb1 at pci2 dev 1 function 1 "Texas Instruments PCI1420 CardBus" rev0x00: irq 11

cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 4 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801CAM LPC" rev 0x01: SpeedStep

pciide0 at pci0 dev 31 function 1 "Intel 82801CAM IDE" rev 0x01: DMA,channel 0 configured to compatibility, channel 1 configured to compatibility

wd0 at pciide0 channel 0 drive 0: <HITACHI_DK23CA-30>
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 ignored (disabled)

auich0 at pci0 dev 31 function 5 "Intel 82801CA/CAM AC97" rev 0x01: irq11, ICH3 AC97

ac97: codec id 0x4352595b (Cirrus Logic CS4205 rev 3)

ac97: codec features mic channel, tone, simulated stereo, bass boost, 20bit DAC, 18 bit ADC, SRS 3D

audio0 at auich0
"Intel 82801CA/CAM Modem" rev 0x01 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: A4Tech USB Optical Mouse, rev 1.10/0.01, addr 2, iclass 3/1
ums0 at uhidev0: 7 buttons and Z dir.
wsmouse1 at ums0 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted