Sunday, April 28, 2024

Re: NAT on CARP interface

> Nevertheless, writing egress or $ext_If, what difference does it really
> make? You're just repeating a different word. Lol
It doesn't make any difference for me.

Being curious I added em0 to the egress group and restarted all interfaces. However, em0 seems not to be in the egress group and the rule with egress still doesn't work:
match out log on egress from $int_if:network to any nat-to $ext_carpif

# cat /etc/hostname.em0
-inet
group egress
up

# ifconfig em0
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:b9:59:e0:90
index 1 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

# ifconfig egress
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp egress
status: master
inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
description: WAN_KRZ
index 7 priority 15 llprio 3
carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
groups: carp egress
status: master
inet 10.0.15.216 netmask 0xffffff00 broadcast 10.0.15.255

> Does that rule you posted error out or are you just seeing blocks with it?
Just seeing blocks.

> https://www.openbsd.org/faq/pf/filter.html#syntax
>
> "The egress group, which contains the interface(s) that holds the default route(s)."
So... carp0 contains the default route, carp0 is in the egress group.
carp0 refers to em0.
But...
match out log on carp0... - doesn't work
match out log on egress... - doesn't work
match out log on em0... - works!
I don't know...

On Sun, 28 Apr 2024 13:44:05 -0400
Mike <rizzz2pro@gmail.com> wrote:

> Oh now I remember, you might need to add it to the egress interface group.
>
> Does that rule you posted error out or are you just seeing blocks with it?
>
>
> On Sun, Apr 28, 2024, 12:49 PM Mike <rizzz2pro@gmail.com> wrote:
>
> > If I remember right, you can run 'ifconfig' and see if that interface is
> > marked as an egress interface or not. I can't remember how OBSD determines
> > what interfaces are egress or not but your em0 seems to be in a private
> > network so it might not be classifying itself as egress.
> >
> > Nevertheless, writing egress or $ext_If, what difference does it really
> > make? You're just repeating a different word. Lol
> >
> > On Sun, Apr 28, 2024, 12:08 PM Radek <rdk@int.pl> wrote:
> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> I made minor changes and tested the egress version.
> >>
> >> ext_if = "em0"
> >> ext_carpif = "carp0"
> >> int_if = "carp2"
> >> This rule works for me:
> >> match out log on $ext_if from $int_if:network to any nat-to $ext_carpif
> >>
> >> It seems it should work fine as well but it doesn't:
> >> match out log on egress from $int_if:network to any nat-to $ext_carpif
> >>
> >>
> >> On Thu, 25 Apr 2024 13:53:32 -0700
> >> obsdml@loopw.com wrote:
> >>
> >> >
> >> >
> >> > > On Apr 25, 2024, at 10:36 AM, Radek <rdk@int.pl> wrote:
> >> > >
> >> > > Thank you for all your hints.
> >> > >
> >> > >> match out on egress from $lan_if:network to any nat-to (egress:0)
> >> > > This rule doesn't work.
> >> >
> >> > change $lan_if to $int_if, change (egress:0) to $ext_carpif, and it
> >> will work as the rule you say works.
> >> >
> >> >
> >> > fwiw, the $lan_if came from your configs existing "match"
> >> >
> >> > https://www.openbsd.org/faq/pf/filter.html#syntax - under "interface"
> >> you can find out about "egress". I definitely prefer it to hard coding an
> >> interface in yet another line of a pf.conf
> >> >
> >> > I was presuming you didn't mind matching to $ext_if's ip for new
> >> sessions outbound, hence (egress:0). Matching to the carp ip works. (this
> >> is basically a source nat rule in commercial-network-vendor speak)
> >> >
> >> >
> >> > >
> >> > >> ext_if=em0
> >> > >> int_if=vlan2
> >> > >> ext_carpIf=carp0
> >> >
> >> > >> match out on $ext_if inet from $int_if:network to any nat-to
> >> $ext_carpIf
> >> > > This rule works as expected.
> >> >
> >>
> >>
> >> Radek
> >>
> >>


Radek
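As an added example (not part of the thread and not Radek's config): a minimal pf.conf built around the nat-to rule the thread reports as working, so the CARP pass rule and the translation rule can be seen together. Interface names, macro names and the nat-to rule are taken from the thread; the filter rules around them are assumptions.

```pf
# Macros as used in the thread: carp0 is the shared WAN address with em0
# as its carpdev, carp2 is the shared LAN address.
ext_if     = "em0"
ext_carpif = "carp0"
int_if     = "carp2"

set skip on lo

# CARP advertisements travel over the physical interface. If they are
# blocked, the backup never hears the master and both hosts claim MASTER.
pass quick on $ext_if proto carp

# Source NAT for the LAN, written against the physical interface. In the
# thread this form matched and translated, while the same rule written
# "on egress" or "on $ext_carpif" produced only blocks, even though
# "ifconfig egress" listed carp0. Verify with: pfctl -nf /etc/pf.conf,
# then pfctl -s rules and tcpdump -n -e -ttt -i pflog0.
match out log on $ext_if inet from $int_if:network to any nat-to $ext_carpif

block log all

# Assumed filter policy: let the LAN out and nothing unsolicited in.
pass in on $int_if inet from $int_if:network to any
pass out on $ext_if inet
```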
