pf multiple match rules


pf multiple match rules

Marko Cupać
Hi,

with the following two match lines:

match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y

and the following pass line:

pass in on $int_if inet proto tcp from 192.168.1.55 to any

will the packets be translated to X.X.X.X or Y.Y.Y.Y?

Regards,

--
Marko Cupać


Re: pf multiple match rules

Gilles Cafedjian
On 05/06/2014 12:54 PM, Marko Cupać wrote:

> Hi,
>
> with the following two match lines:
>
> match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
> match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y
>
> and the following pass line:
>
> pass in on $int_if inet proto tcp from 192.168.1.55 to any
>
> will the packets be translated to X.X.X.X or Y.Y.Y.Y?
>
> Regards,
>
I think the first thing that happens is that the packet from
192.168.1.55 is passed into the router; then the first match rule is applied,
translating the packet to X.X.X.X, and the second will never match.
A simple way to know is to add 2 rules:
pass log out on $ext_if inet proto tcp from X.X.X.X
pass log out on $ext_if inet proto tcp from Y.Y.Y.Y

then tcpdump -i pflog0.


Re: pf multiple match rules

Henning Brauer
In reply to this post by Marko Cupać
* Marko Cupać <[hidden email]> [2014-05-06 12:55]:

> Hi,
>
> with the following two match lines:
>
> match out on $ext_if from 192.168.1.0/24 to any nat-to X.X.X.X
> match out on $ext_if from 192.168.1.55 to any nat-to Y.Y.Y.Y
>
> and the following pass line:
>
> pass in on $int_if inet proto tcp from 192.168.1.55 to any
>
> will the packets be translated to X.X.X.X or Y.Y.Y.Y?

unable to say without knowing X.X.X.X.
packets hitting the first rule will get their src rewritten to
X.X.X.X.
if X.X.X.X happens to be 192.168.1.55, these packets will match your
second match rule, if X.X.X.X is anything else, they won't.
If Y.Y.Y.Y happens to be 192.168.1.55, these packets will match the
pass rule, otherwise they won't.

I'm really saying here that rewrites are applied immediately (hurts a
little to say that since I know the internals, but that's what the
user visible side is).

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/


Re: pf multiple match rules

Marko Cupać
Thank you for reply.

I have been trying some trial-and-error tests, and I came to a similar
conclusion, but I would like to understand the design idea behind match
rules.

Who wins, the first or the last matching rule? Or do they all stick
together? What if they are conflicting, like in this case?

Thank you in advance,
--
Marko Cupać


Re: pf multiple match rules

Gilles Cafedjian
On 05/07/2014 12:17 PM, Marko Cupać wrote:

> Thank you for reply.
>
> I have been trying some trial-and-error tests, and I came to a similar
> conclusion, but I would like to understand the design idea behind match
> rules.
>
> Who wins, the first or the last matching rule? Or do they all stick
> together? What if they are conflicting, like in this case?
>
> Thank you in advance,
As Henning Brauer said, the rewrites are applied immediately. So the
first match rule will rewrite the IP of the packet, and the second match
will be evaluated on the newly rewritten IP.
There is no "win": the packet is passed through all match rules and the
action is applied directly if it matches, from first to last.


Re: pf multiple match rules

Marko Cupać
On Wed, 07 May 2014 12:23:12 +0200
Blaise Hizded <[hidden email]> wrote:

> As Henning Brauer said, the rewrites are applied immediately. So the
> first match rule will rewrite the IP of the packet, and the second match
> will be evaluated on the newly rewritten IP.
> There is no "win": the packet is passed through all match rules and the
> action is applied directly if it matches, from first to last.

Oh, I understand now, thank you for your explanation. The second match rule
would not trigger simply because the source address of every request from
192.168.1.0/24 is already rewritten by the first match rule, so a
packet coming from 192.168.1.55 is actually already counted as coming
from the translated public address X.X.X.X.
--
Marko Cupać


Re: pf multiple match rules

Gilles Cafedjian
On 05/07/2014 12:41 PM, Marko Cupać wrote:

> On Wed, 07 May 2014 12:23:12 +0200
> Blaise Hizded <[hidden email]> wrote:
>
>> As Henning Brauer said, the rewrites are applied immediately. So the
>> first match rule will rewrite the IP of the packet, and the second match
>> will be evaluated on the newly rewritten IP.
>> There is no "win": the packet is passed through all match rules and the
>> action is applied directly if it matches, from first to last.
> Oh, I understand now, thank you for your explanation. The second match rule
> would not trigger simply because the source address of every request from
> 192.168.1.0/24 is already rewritten by the first match rule, so a
> packet coming from 192.168.1.55 is actually already counted as coming
> from the translated public address X.X.X.X.
Yes exactly, except if X.X.X.X is 192.168.1.55, then the second match
rule will rewrite it to Y.Y.Y.Y.
But it's the only case where your second rule can match.
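The evaluation order Henning and Gilles describe (each nat-to applied at once, later match rules evaluated against the already rewritten source) can be walked through with a small simulation. This is an added example written for this thread, not pf itself or anything from the list; it assumes constructed RFC 5737 addresses for X.X.X.X and Y.Y.Y.Y and also shows the reversed-order case, where the host-specific rule fires first and the /24 rule then sees a public source it does not match.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the thread's X.X.X.X and Y.Y.Y.Y (RFC 5737 test addresses).
X = "203.0.113.10"
Y = "203.0.113.20"

@dataclass
class MatchRule:
    """One 'match out ... from <src> to any nat-to <addr>' rule; only the parts that matter here."""
    src: ipaddress.IPv4Network
    nat_to: ipaddress.IPv4Address

def parse_match(line: str) -> MatchRule:
    """Parse a rule written in the exact shape used in the thread."""
    words = line.split()
    src = words[words.index("from") + 1]
    nat = words[words.index("nat-to") + 1]
    return MatchRule(ipaddress.ip_network(src, strict=False), ipaddress.ip_address(nat))

def translate(rules, src_ip):
    """Walk the match rules first to last. Each nat-to is applied at once,
    so every later rule is evaluated against the already rewritten source."""
    cur = ipaddress.ip_address(src_ip)
    fired = []  # rule numbers (1-based) whose nat-to was applied
    for n, rule in enumerate(rules, 1):
        if cur in rule.src:
            fired.append(n)
            cur = rule.nat_to
    return str(cur), fired

def thread_rules(x, y):
    return [parse_match(f"match out on $ext_if from 192.168.1.0/24 to any nat-to {x}"),
            parse_match(f"match out on $ext_if from 192.168.1.55 to any nat-to {y}")]

def as_posted():
    """Rules in the order Marko posted them: the /24 rule rewrites first, rule 2 never sees 192.168.1.55."""
    return translate(thread_rules(X, Y), "192.168.1.55")

def specific_first():
    """Reversed order: the host rule fires, and the /24 rule then sees a public source it does not match."""
    return translate(list(reversed(thread_rules(X, Y))), "192.168.1.55")

def corner_case():
    """Henning's corner case: if X.X.X.X is itself 192.168.1.55, rule 2 matches the rewritten packet."""
    return translate(thread_rules("192.168.1.55", Y), "192.168.1.55")

if __name__ == "__main__":
    for name, fn in (("as posted", as_posted), ("specific first", specific_first), ("corner case", corner_case)):
        addr, fired = fn()
        print(f"{name:15s}: source becomes {addr}, match rules fired: {fired}")
```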