pf rdr vs bridge; unable to reach gateway's interfaces

Richard Johnson-8
I've got a problem with pf rdr rules on a bridging gateway running
3.9-stable.  It's not able to redirect packets to the gateway's interfaces.

This is for a wireless access control system that is, typical of such,
intended to redirect http connections to a landing page on the client-facing
interface of the gateway.

The problem is while the rdr rules fire (confirmed with pf log directive)
and the subsequent pass rules also fire (confirmed with pf log directive),
the packets are then sent across the bridge rather than being dropped onto
the client-facing interface (confirmed with tcpdump).

In contrast, hitting the client-facing interface of the gateway directly
with a web browser does get the client to the landing page.

Even setting up a virtual host listening on 127.0.0.1 and making it the
target of the redirection doesn't work; the packets for 127.0.0.1 are sent
across the bridge.  This seems rather surreal, seeing packets destined for
127.0.0.1 heading outbound...

This is different from the behavior documented in the man page for pf.conf,
and from the behavior seen with a similar ruleset and interface config in
OpenBSD 3.0 and 3.2 (difference is use of table instead of one rdr rule per
IP).

Has something gone wrong with rdr and bridging?  Is there a known problem
with some em cards (such as the dual-interface card I'm using: 82546GB) and
bridging that could be causing this behavior?

Details follow.  Thanks for any insight you might be able to give me for
debugging this.


Richard

-------
pf.conf:

maint_if = "em0"
air_if = "em1"
wire_if = "em2"
table <our_users> persist
table <air_net> { 128.117.228.0/22 }
#web_rdr_dest = "128.117.231.250"
#web_rdr_dest = "128.117.228.250"
web_rdr_dest = "127.0.0.1"

set skip on $wire_if

no rdr on $air_if inet proto tcp from <our_users> to any port http
rdr on $air_if inet proto tcp from <air_net> to any port http -> \
        $web_rdr_dest port http

pass in on $air_if proto tcp from <air_net> to $air_if \
        port { http, https } \
        keep state (max-src-conn 10, max-src-conn-rate 7/15)
pass in quick on $air_if from <our_users> to any \
        keep state (source-track rule, max-src-states 255)
pass in on $maint_if proto tcp from <maint_workstations> to $maint_if \
        port ssh flags S/SA \
        keep state (max-src-conn 10, max-src-conn-rate 7/15)

-------
bridgename.bridge0: (bridge between air_if and wire_if)

add em1 add em2
link0 link1
stp em1
stp em2
maxaddr 300
priority 37337
up

-------
hostname.em0: (maint_if)

inet 128.117.64.7 255.255.255.0 NONE

-------
hostname.em1: (air_if)

inet 128.117.231.250 255.255.252.0 NONE
inet alias 128.117.228.250 255.255.252.0 NONE

-------
hostname.em2: (wire_if)

!ifconfig em2 up

-------
dmesg:

OpenBSD 3.9-stable (GENERIC) #0: Wed Aug 30 12:55:56 MDT 2006
    root@:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.40GHz ("GenuineIntel" 686-class) 1.07 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 2146803712 (2096488K)
avail mem = 1952800768 (1907032K)
using 4278 buffers containing 107442176 bytes (104924K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 10/09/03, BIOS32 rev. 0 @ 0xf0010
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0x10000
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801DB LPC" rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc0000/0xc000 0xcc000/0x1800 0xcd800/0x1000 0xce800/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7505 MCH Host" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel E7505 MCH AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon VE QY" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 2 function 0 "Intel E7505 MCH PCI-PCI" rev 0x03
pci2 at ppb1 bus 2
"Intel 82870P2 IOxAPIC" rev 0x04 at pci2 dev 28 function 0 not configured
ppb2 at pci2 dev 29 function 0 "Intel 82870P2 PCI-PCI" rev 0x04
pci3 at ppb2 bus 3
em0 at pci3 dev 1 function 0 "Intel PRO/1000GT (82541GI)" rev 0x05: irq 5, address 00:0e:0c:77:09:8e
em1 at pci3 dev 2 function 0 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 5, address 00:04:23:c0:da:9a
em2 at pci3 dev 2 function 1 "Intel PRO/1000MT (82546GB)" rev 0x03: irq 5, address 00:04:23:c0:da:9b
hifn0 at pci3 dev 3 function 0 "Hifn 7955/7954" rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 5
"Intel 82870P2 IOxAPIC" rev 0x04 at pci2 dev 30 function 0 not configured
ppb3 at pci2 dev 31 function 0 "Intel 82870P2 PCI-PCI" rev 0x04
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x02: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x02: irq 7
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x02: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x02: irq 9
ehci0: timed out waiting for BIOS
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb4 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x82
pci5 at ppb4 bus 5
em3 at pci5 dev 2 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 7, address 00:0e:a6:41:bf:1f
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DB LPC" rev 0x02
pciide0 at pci0 dev 31 function 1 "Intel 82801DB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD400BB-00DKA0>
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd1 at pciide0 channel 0 drive 1: <WDC WD400BB-00DKA0>
wd1: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SONY, CD-ROM CDU5211, YYS7> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x02: irq 10
iic0 at ichiic0
asbtm0 at iic0 addr 0x2d
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x02: irq 10, ICH4 AC97
ac97: codec id 0x41445360 (Analog Devices AD1885)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO
gpio0 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask efe5 netmask efe5 ttymask ffe7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
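The post's tcpdump observation (redirected packets, even ones now addressed to 127.0.0.1, leaving on the wire-side bridge port) is the kind of thing worth checking at layer 2, not only layer 3: rdr rewrites the IP destination, but a learning bridge picks its output port from the Ethernet destination, which rdr does not touch. So if a client's frame carries the upstream router's MAC, the bridge still forwards it out em2 after pf has rewritten the IP header. The script below is an added example, not part of the original post or of OpenBSD; it reads `tcpdump -n -e` output captured on the wire-side interface and, for every frame whose IP destination is one of the rdr targets from the post's pf.conf, reports the Ethernet destination it actually went to. The gateway MACs are taken from the dmesg above; the client and router MACs, the sample capture lines and the assumed line shape of OpenBSD's `tcpdump -e` output are all constructed for the example.

```python
import re
from collections import Counter

# Ethernet addresses of the bridge members, taken from the dmesg in the post.
GATEWAY_MACS = {
    "em1": "00:04:23:c0:da:9a",   # air_if
    "em2": "00:04:23:c0:da:9b",   # wire_if
}

# Every web_rdr_dest tried in the post's pf.conf (two commented out, one active).
RDR_TARGETS = {"128.117.231.250", "128.117.228.250", "127.0.0.1"}

# Assumed shape of an OpenBSD `tcpdump -n -e -i em2 tcp port 80` line:
#   <time> <src-mac> <dst-mac> <ethertype> <len>: <src-ip>.<sport> > <dst-ip>.<dport>: ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<smac>[0-9a-f:]{17})\s+(?P<dmac>[0-9a-f:]{17})\s+"
    r"(?P<etype>[0-9a-f]{4})\s+\d+:\s+"
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed capture on the wire-side port (em2), i.e. frames that have already
# crossed the bridge. 00:1b:77:... are made-up client MACs, 00:d0:b7:11:22:33 a
# made-up upstream router MAC, 192.0.2.10 a made-up web server.
SAMPLE = """\
10:01:02.100001 00:1b:77:aa:bb:cc 00:d0:b7:11:22:33 0800 74: 128.117.229.17.51234 > 127.0.0.1.80: S 1234:1234(0) win 65535
10:01:02.200000 00:1b:77:aa:bb:cc 00:d0:b7:11:22:33 0800 74: 128.117.229.17.51236 > 128.117.231.250.80: S 3333:3333(0) win 65535
10:01:03.000000 00:1b:77:dd:ee:ff 00:d0:b7:11:22:33 0800 74: 128.117.229.40.40000 > 192.0.2.10.80: S 4444:4444(0) win 65535
10:01:03.100000 00:1b:77:aa:bb:cc ff:ff:ff:ff:ff:ff 0806 42: arp who-has 128.117.231.250 tell 128.117.229.17
"""


def parse_line(line):
    """Return the fields of one tcpdump -e line as a dict, or None if it is not an IPv4 line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def classify(pkt, gateway_macs=GATEWAY_MACS, rdr_targets=RDR_TARGETS):
    """Label a frame seen on the wire-side port.

    loopback-on-wire:     IP destination 127.0.0.1 must never appear on a real interface.
    rdr-target-forwarded: IP destination is the gateway (pf rewrote L3), yet the frame
                          left the bridge, so the bridge forwarded on an L2 destination
                          that is not the gateway's own MAC.
    normal:               anything else.
    """
    if pkt["dip"] == "127.0.0.1":
        return "loopback-on-wire"
    if pkt["dip"] in rdr_targets and pkt["dmac"] not in gateway_macs.values():
        return "rdr-target-forwarded"
    return "normal"


def audit(capture_text):
    """Count frames per class; lines the parser does not understand are counted as 'unparsed'."""
    counts = Counter()
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        counts[classify(pkt) if pkt else "unparsed"] += 1
    return counts


def leaked_packets(capture_text):
    """Return the redirected flows that escaped across the bridge, with the MAC they went to."""
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt and classify(pkt) != "normal":
            leaks.append({"sip": pkt["sip"], "sport": pkt["sport"],
                          "dip": pkt["dip"], "dmac": pkt["dmac"]})
    return leaks


if __name__ == "__main__":
    print(dict(audit(SAMPLE)))
    for leak in leaked_packets(SAMPLE):
        print("rdr'd to %(dip)s but framed for %(dmac)s (from %(sip)s:%(sport)d)" % leak)
```

Feed it a real capture with `tcpdump -n -e -i em2 tcp port 80 | python3 rdrcheck.py` (reading stdin instead of `SAMPLE`); if every leaked flow shows the upstream router's MAC as its Ethernet destination, the rdr did its job on the IP header and the bridge simply forwarded the frame on the MAC it already carried.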