Hi Folks,

I am writing to seek assistance regarding an issue I am experiencing in
trying to route my personal computer's network traffic to a TUN interface.
My objective is to modify some of its content and subsequently return the
traffic back.

So far, I have successfully created a TUN interface using the following
configuration:

andersen@pc% ifconfig tun8 inet 172.16.122.1/32 172.16.122.2 up
andersen@pc% ifconfig tun8
tun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 172.16.122.1 --> 172.16.122.2 netmask 0xffffffff
Subsequently, I have also inspected the primary Ethernet interface, em0, as
follows:
andersen@pc % ifconfig em0
em0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
ether xx:xx:xx:xx:xx:xx
inet 192.168.1.128 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active

And I've updated pf.conf:

set skip on { lo0 tun8 }

ext_if="em0"
tun_if="tun8"

# allow dns
pass in log quick on $ext_if inet proto { tcp udp } from any to any port 53
pass out log quick on $ext_if inet proto { tcp udp } from any to any port 53

pass in log quick on $ext_if
pass out log quick on $ext_if route-to (tun8 (tun8)) no state
pass out log quick on $tun_if reply-to (em0 (em0))
--

I implemented a small C program that reads packets from /dev/tun8 and
writes them back to the same device. During the writing phase, I have
attempted to add a 4-byte TUN header (with AF_INET byte). The issue arises
when I enable pf, as my connectivity ceases to function. I suspect that the
problem may be linked to the reply-to rule. I can accurately read all
network packets, but my network connectivity is disrupted when I activate
pf.

Are there any thoughts about what I'm doing wrong?

Thanks!

Here is a sample from pflog:

andersen@pc% sudo tcpdump -nettti pflog0

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 246 bytes

 00:00:00.000000 rule 6/0(match): pass out on em0: 192.168.1.128.52553 >
17.248.173.70.443: Flags [S], seq 1289016582, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1617830816 ecr 0,sackOK,eol], length 0

 00:00:00.005332 rule 6/0(match): pass out on em0: 192.168.1.128.52569 >
17.248.172.107.443: Flags [S], seq 1886843796, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 386220006 ecr 0,sackOK,eol], length 0

 00:00:00.178005 rule 6/0(match): pass out on em0: 192.168.1.128.52554 >
17.248.172.208.443: Flags [S], seq 3787270145, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1898437799 ecr 0,sackOK,eol], length 0

 00:00:00.079092 rule 6/0(match): pass out on em0: 192.168.1.128.52570 >
17.248.173.83.443: Flags [S], seq 606598735, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2940552698 ecr 0,sackOK,eol], length 0

 00:00:00.174093 rule 6/0(match): pass out on em0: 192.168.1.128.52555 >
17.248.172.172.443: Flags [S], seq 1449413825, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 212268682 ecr 0,sackOK,eol], length 0

 00:00:00.079048 rule 6/0(match): pass out on em0: 192.168.1.128.52571 >
17.248.172.135.443: Flags [S], seq 1322915507, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1857621092 ecr 0,sackOK,eol], length 0

 00:00:00.251641 rule 6/0(match): pass out on em0: 192.168.1.128.52572 >
17.248.173.70.443: Flags [S], seq 4000045446, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2056755864 ecr 0,sackOK,eol], length 0

 00:00:00.257416 rule 6/0(match): pass out on em0: 192.168.1.128.52573 >
17.248.172.208.443: Flags [S], seq 1732485582, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1481034375 ecr 0,sackOK,eol], length 0

 00:00:00.251107 rule 6/0(match): pass out on em0: 192.168.1.128.52574 >
17.248.172.172.443: Flags [S], seq 3829285313, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2878347929 ecr 0,sackOK,eol], length 0

 00:00:00.013117 rule 6/0(match): pass out on em0: 192.168.1.128.52558 >
23.53.168.52.443: Flags [S], seq 4080379298, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2646123787 ecr 0,sackOK,eol], length 0

 00:00:00.000037 rule 6/0(match): pass out on em0: 192.168.1.128.52557 >
23.53.168.52.443: Flags [S], seq 357265796, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4150893962 ecr 0,sackOK,eol], length 0

 00:00:02.208051 rule 6/0(match): pass out on em0: 192.168.1.128.52567 >
17.248.173.13.443: Flags [S], seq 3186783538, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 119993039 ecr 0,sackOK,eol], length 0

 00:00:00.077884 rule 4/0(match): pass in on em0: 192.168.1.1 > 224.0.0.1:
igmp query v2

 00:00:00.175705 rule 6/0(match): pass out on em0: 192.168.1.128.52568 >
17.248.172.177.443: Flags [S], seq 1856508746, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2360328967 ecr 0,sackOK,eol], length 0

 00:00:00.255099 rule 6/0(match): pass out on em0: 192.168.1.128.52569 >
17.248.172.107.443: Flags [S], seq 1886843796, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 386224007 ecr 0,sackOK,eol], length 0

 00:00:00.256351 rule 6/0(match): pass out on em0: 192.168.1.128.52570 >
17.248.173.83.443: Flags [S], seq 606598735, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2940556698 ecr 0,sackOK,eol], length 0

 00:00:00.182384 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [SEW], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076314596 ecr 0,sackOK,eol], length 0

 00:00:00.072401 rule 6/0(match): pass out on em0: 192.168.1.128.52571 >
17.248.172.135.443: Flags [S], seq 1322915507, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1857625093 ecr 0,sackOK,eol], length 0

 00:00:00.250291 rule 6/0(match): pass out on em0: 192.168.1.128.52572 >
17.248.173.70.443: Flags [S], seq 4000045446, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2056759864 ecr 0,sackOK,eol], length 0

 00:00:00.259099 rule 6/0(match): pass out on em0: 192.168.1.128.52573 >
17.248.172.208.443: Flags [S], seq 1732485582, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1481038376 ecr 0,sackOK,eol], length 0

 00:00:00.067104 rule 6/0(match): pass out on em0: 192.168.1.128.52535 >
17.248.173.50.443: Flags [S], seq 1900937235, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.184108 rule 6/0(match): pass out on em0: 192.168.1.128.52574 >
17.248.172.172.443: Flags [S], seq 3829285313, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2878351930 ecr 0,sackOK,eol], length 0

 00:00:00.068105 rule 6/0(match): pass out on em0: 192.168.1.128.52536 >
17.248.172.140.443: Flags [S], seq 949915843, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.099102 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [S], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076315597 ecr 0,sackOK,eol], length 0

 00:00:00.156140 rule 6/0(match): pass out on em0: 192.168.1.128.52537 >
17.248.173.47.443: Flags [S], seq 4291447773, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.249211 rule 6/0(match): pass out on em0: 192.168.1.128.52538 >
17.248.172.143.443: Flags [S], seq 3919897475, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.080060 rule 4/0(match): pass in on em0: 192.168.1.113 >
224.0.0.251: igmp v2 report 224.0.0.251

 00:00:00.000013 rule 4/8(ip-option): pass in on em0: 192.168.1.113 >
224.0.0.251: igmp v2 report 224.0.0.251

 00:00:00.178027 rule 6/0(match): pass out on em0: 192.168.1.128.52539 >
17.248.172.145.443: Flags [S], seq 2733256530, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.260088 rule 6/0(match): pass out on em0: 192.168.1.128.52540 >
17.248.173.72.443: Flags [S], seq 2510868264, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.077581 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [S], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076316598 ecr 0,sackOK,eol], length 0

 00:00:00.169834 rule 6/0(match): pass out on em0: 192.168.1.128.52541 >
17.248.173.17.443: Flags [S], seq 4064197090, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.262106 rule 6/0(match): pass out on em0: 192.168.1.128.52542 >
17.248.172.169.443: Flags [S], seq 2004744821, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.569095 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [S], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076317599 ecr 0,sackOK,eol], length 0

 00:00:01.001092 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [S], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076318600 ecr 0,sackOK,eol], length 0

 00:00:01.001015 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [S], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076319601 ecr 0,sackOK,eol], length 0

 00:00:00.210129 rule 6/0(match): pass out on em0: 192.168.1.128 >
224.0.0.251: igmp v2 report 224.0.0.251

 00:00:00.000008 rule 6/8(ip-option): pass out on em0: 192.168.1.128 >
224.0.0.251: igmp v2 report 224.0.0.251

 00:00:01.789845 rule 6/0(match): pass out on em0: 192.168.1.128.52575 >
52.202.88.98.80: Flags [S], seq 2536687563, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 4076321601 ecr 0,sackOK,eol], length 0

 00:00:00.049125 rule 6/0(match): pass out on em0: 192.168.1.128.52567 >
17.248.173.13.443: Flags [S], seq 3186783538, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 120001040 ecr 0,sackOK,eol], length 0

 00:00:00.253820 rule 6/0(match): pass out on em0: 192.168.1.128.52568 >
17.248.172.177.443: Flags [S], seq 1856508746, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2360336968 ecr 0,sackOK,eol], length 0

 00:00:00.015155 rule 4/0(match): pass in on em0: 192.168.1.113 >
239.255.255.250: igmp v2 report 239.255.255.250

 00:00:00.000008 rule 4/8(ip-option): pass in on em0: 192.168.1.113 >
239.255.255.250: igmp v2 report 239.255.255.250

 00:00:00.239733 rule 6/0(match): pass out on em0: 192.168.1.128.52569 >
17.248.172.107.443: Flags [S], seq 1886843796, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 386232008 ecr 0,sackOK,eol], length 0

 00:00:00.256105 rule 6/0(match): pass out on em0: 192.168.1.128.52570 >
17.248.173.83.443: Flags [S], seq 606598735, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2940564699 ecr 0,sackOK,eol], length 0

 00:00:00.254099 rule 6/0(match): pass out on em0: 192.168.1.128.52571 >
17.248.172.135.443: Flags [S], seq 1322915507, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1857633093 ecr 0,sackOK,eol], length 0

 00:00:00.250162 rule 6/0(match): pass out on em0: 192.168.1.128.52572 >
17.248.173.70.443: Flags [S], seq 4000045446, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2056767864 ecr 0,sackOK,eol], length 0

 00:00:00.260080 rule 6/0(match): pass out on em0: 192.168.1.128.52573 >
17.248.172.208.443: Flags [S], seq 1732485582, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 1481046377 ecr 0,sackOK,eol], length 0

 00:00:00.250360 rule 6/0(match): pass out on em0: 192.168.1.128.52574 >
17.248.172.172.443: Flags [S], seq 3829285313, win 65535, options [mss
1460,nop,wscale 6,nop,nop,TS val 2878359931 ecr 0,sackOK,eol], length 0

 00:00:00.167165 rule 6/0(match): pass out on em0: 192.168.1.128.52544 >
104.18.17.94.443: Flags [S], seq 2289584627, win 65535, options [mss
1460,sackOK,eol], length 0

 00:00:00.255769 rule 6/0(match): pass out on em0: 192.168.1.128.52545 >
104.18.16.94.443: Flags [S], seq 2611325305, win 65535, options [mss
1460,sackOK,eol], length 0
