PF route-to and divert-packet
Hi Misc,
I’m trying to use policy based routing (route-to) with divert-packet feature.
I’m just using example code written at divert’s man page. (man divert)
I’ve two WAN interfaces which are pppoe0(default gw) and pppoe.
Those pf rules works below:
#
pass in log quick on vether10 inet proto udp from 10.10.10.52 to any port 53
pass in log quick on vether10 inet proto tcp from 10.10.10.52 to any port { 80
443 } route-to (pppoe1 (pppoe1))
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any nat-to
(pppoe1)
But when I add divert-packet into NAT lines as this:
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any
divert-packet port 700 nat-to (pppoe1)
It fails. What should I do for using route-to (+) divert-packet feature
together.
Please help. Thanks.
PF route-to and divert-packet
Hi Misc,
I’m trying to use policy based routing (route-to) with divert-packet feature.
I’m just using example code written at divert’s man page. (man divert)
I’ve two wan interfaces which are pppoe0(default gw) and pppoe1
Those pf rules works below:
#
pass in log quick on vether10 inet proto udp from 10.10.10.52 to any port 53
…
#
pass in log quick on vether10 inet proto tcp from 10.10.10.52 to any port { 80
443 } route-to (pppoe1 (pppoe1))
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any nat-to
(pppoe1)
But when I add divert-packet into NAT lines as this:
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any
divert-packet port 700 nat-to (pppoe1)
It fails. What should I do for using route-to (+) divert-packet feature
together.
Please help. Thanks.
Sent with [ProtonMail](https://protonmail.com) Secure Email.
Re: route-to and divert-packet
The code says it well - after your divert(4) client reinjects the
packet back into the kernel, it bypasses any pf checks and goes
straight to the {ip_,ip6_}output function because of possible loops.
That's all perfectly sensible, and I feel more likely to hurt myself
if I could get a packet to go back into pf.
What exactly are you trying to accomplish here, with the
combination of these two?
I have two network connections I want to load balance. I'm using the
example rules here: http://www.openbsd.org/faq/pf/pools.html#outgoing
Those work great, without the divert-packet. And the divert-packet
works great, if I only have one internet connection. But I'm trying
to get them to both be applied.
2010/10/4 Martin Pelikan martin.peli...@gmail.com:
2010/10/3, Daniel Browning-Weber weber...@gmail.com:
Okay, and the divert (4) man page says that outbound packets,
after being reinjected, are processed directly by the relevant
IP/IPv6 output function, so I probably can't get pf to take
another look at them so that route-to will apply.
If I were feeling brave and wanted to mess with this in the
kernel, should I try to get the packet's routing changed
after processing? Or would it be less insane for me to
try to play with the routing before the divert?
The code says it well - after your divert(4) client reinjects the
packet back into the kernel, it bypasses any pf checks and goes
straight to the {ip_,ip6_}output function because of possible loops.
What exactly are you trying to accomplish here, with the combination
of these two?
Please be more specific about your goals, not just the technical stuff
around.
I'm not sure about this though, but passing the packet to divert app
and changing IP headers _in there_ should suffice for most what you'd
accomplish using route-to (now I'm waiting for the cold-shower of
corrections and RTFM's). Provided that your routing table is
consistent with what you want to do, of course.
--
Martin Pelikan
Re: route-to and divert-packet
2010/10/3, Daniel Browning-Weber weber...@gmail.com:
Okay, and the divert (4) man page says that outbound packets,
after being reinjected, are processed directly by the relevant
IP/IPv6 output function, so I probably can't get pf to take
another look at them so that route-to will apply.
If I were feeling brave and wanted to mess with this in the
kernel, should I try to get the packet's routing changed
after processing? Or would it be less insane for me to
try to play with the routing before the divert?
The code says it well - after your divert(4) client reinjects the
packet back into the kernel, it bypasses any pf checks and goes
straight to the {ip_,ip6_}output function because of possible loops.
What exactly are you trying to accomplish here, with the combination
of these two?
Please be more specific about your goals, not just the technical stuff around.
I'm not sure about this though, but passing the packet to divert app
and changing IP headers _in there_ should suffice for most what you'd
accomplish using route-to (now I'm waiting for the cold-shower of
corrections and RTFM's). Provided that your routing table is
consistent with what you want to do, of course.
--
Martin Pelikan
Re: route-to and divert-packet
Il giorno lun, 04/10/2010 alle 10.03 -0400, Daniel Browning-Weber ha scritto: Those work great, without the divert-packet. And the divert-packet works great, if I only have one internet connection. But I'm trying to get them to both be applied. I'll look into that in the next few days, i'm running in short of time currently... :)
Re: route-to and divert-packet
Il giorno ven, 01/10/2010 alle 18.15 -0400, Daniel Browning-Weber ha scritto: Is the use of both route-to and divert-packet in the same PF rule supported? divert-packet should be currently used alone. It sends the packet up to userspace and any other options are lost.
Re: route-to and divert-packet
Okay, and the divert (4) man page says that outbound packets, after being reinjected, are processed directly by the relevant IP/IPv6 output function, so I probably can't get pf to take another look at them so that route-to will apply. If I were feeling brave and wanted to mess with this in the kernel, should I try to get the packet's routing changed after processing? Or would it be less insane for me to try to play with the routing before the divert? On Sun, Oct 3, 2010 at 6:52 AM, Michele Marchetto myde...@openbeer.it wrote: Il giorno ven, 01/10/2010 alle 18.15 -0400, Daniel Browning-Weber ha scritto: Is the use of both route-to and divert-packet in the same PF rule supported? divert-packet should be currently used alone. It sends the packet up to userspace and any other options are lost.
route-to and divert-packet
Is the use of both route-to and divert-packet in the same PF rule supported? I have two rules of the form: pass out log quick on $ext_if1 inet from $internal_lan to any flags S/SA \ keep state scrub (reassemble tcp) route-to ( $ext_if1 $ext_if1_gw ) \ nat-to ( $ext_if1:0 ) divert-packet port 500 pass out log quick on $ext_if2 inet from $internal_lan to any flags S/SA \ keep state scrub (reassemble tcp) route-to ( $ext_if2 $ext_if2_gw ) \ nat-to ( $ext_if2:0 ) divert-packet port 500 The behavior seems the same if I leave out the route-to statements: packets going out over the wrong interface more than half the time. OpenBSD 4.7/i386 # dmesg | head -3 OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Celeron(R) M processor 1.50GHz (GenuineIntel 686-class) 1.50 GHz
