Apparent problem with divert-to rule parsing


Apparent problem with divert-to rule parsing

gpontis
While porting a 4.9 pf.conf to 5.2 I came across something that looks
like it might be a bug. The affected line was the pass in rule to send
forward FTP requests to the proxy on the firewall.

The following rule would not load:

pass in quick on $IntIf inet proto tcp to port ftp divert-to lo0 port 8021

The error message was:

pf.conf:207: address family mismatch for divert

If lo0 is replaced with 127.0.0.1 then it loads and works correctly.  
However, 127.0.0.1 is properly substituted for lo0 when using rdr-to.

George

Re: Apparent problem with divert-to rule parsing

Stuart Henderson
On 2012/11/19 00:02, [hidden email] wrote:

> While porting a 4.9 pf.conf to 5.2 I came across something that looks
> like it might be a bug. The affected line was the pass in rule to
> send forward FTP requests to the proxy on the firewall.
>
> The following rule would not load:
>
> pass in quick on $IntIf inet proto tcp to port ftp divert-to lo0 port 8021
>
> The error message was:
>
> pf.conf:207: address family mismatch for divert
>
> If lo0 is replaced with 127.0.0.1 then it loads and works correctly.
> However, 127.0.0.1 is properly substituted for lo0 when using rdr-to.
>
> George

It would be nice if this worked, though it looks like it's non-trivial
to do (rdr-to is parsed in a different way to divert-to) - however, I'd
like to make sure that at least the documentation for ftp-proxy is
correct, did you find this rule in documentation somewhere?

Re: Apparent problem with divert-to rule parsing

gpontis
> > The following rule would not load:
> >
> > pass in quick on $IntIf inet proto tcp to port ftp divert-to lo0 port 8021
> >
> > The error message was:
> >
> > pf.conf:207: address family mismatch for divert
> >
> > If lo0 is replaced with 127.0.0.1 then it loads and works correctly.
> > However, 127.0.0.1 is properly substituted for lo0 when using rdr-to.
> >
> > George
>
> It would be nice if this worked, though it looks like it's non-trivial
> to do (rdr-to is parsed in a different way to divert-to) - however, I'd
> like to make sure that at least the documentation for ftp-proxy is
> correct, did you find this rule in documentation somewhere?

The only place where I found divert-to being referenced was in the
ftp-proxy documentation, and it was shown with "127.0.0.1". It was I
that made the switch to lo0, to be consistent with other rules in the
pf.conf.

Geo.
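A minimal working form of the ftp-proxy setup this thread is about, added here as an example and not taken from any of the posts: $IntIf is the macro from George's rule, the anchor line follows ftp-proxy(8), and the divert-to target is the literal address the thread found to parse.

```pf
# Constructed example pf.conf fragment; $IntIf is assumed to be the
# internal interface macro used in the original rule.
IntIf = "em1"

# ftp-proxy(8) installs its per-session rules in this anchor.
anchor "ftp-proxy/*"

# This form fails to load in 5.2 with
#   "address family mismatch for divert":
#   divert-to lo0 port 8021
# divert-to needs an address literal that matches the rule's
# "inet" family, so use the loopback address itself.
pass in quick on $IntIf inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`; the lo0 variant reports the parse error above at the offending line, the 127.0.0.1 variant is silent.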