Hi,

According to the pf.conf man page:

"When the interface name is surrounded by parentheses, the rule is automatically updated whenever the interface changes its address. The ruleset does not need to be reloaded. This is especially useful with NAT."

In fact it is not true. Moreover, even reloading the ruleset does not help. The system has to be rebooted in order to take the changes into account.

I have two interfaces - vio1 (172.16.0.2/24, external) and vio2 (192.168.0.2/24, internal). I have also configured a route to 172.16.1.0/24 via 172.16.0.3.

obsd-02# ifconfig vio1
vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:01:00:00:00
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 172.16.0.2 netmask 0xffffff00 broadcast 172.16.0.255
obsd-02# ifconfig vio2
vio2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:02:00:00:00
        index 3 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
obsd-02#
obsd-02# netstat -rn -f inet | grep 172.16.1
172.16.1/24 172.16.0.2 UGS 0 809 - 8 vio1
obsd-02#

I have configured NAT for traffic outgoing vio1:

obsd-02# pfctl -s rule
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
pass out on vio1 inet from 192.168.0.0/24 to any flags S/SA nat-to (vio1) round-robin
obsd-02#

Incoming traffic on vio2 (from 192.168.0.4 to 172.16.1.3) is successfully NAT'ed out of vio1.

Then I change the address of vio1 from 172.16.0.2/24 to, for example, 172.16.0.5/24.

obsd-02# ifconfig vio1 172.16.0.5/24
obsd-02# ifconfig vio1
vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:01:00:00:00
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 172.16.0.5 netmask 0xffffff00 broadcast 172.16.0.255
obsd-02#

As a result, the route to 172.16.1.0/24 via 172.16.0.3 is deleted from the routing table, though there is no valid reason to delete it, because the interface address was replaced, not (from the perspective of the user) removed/added. Moreover, the route is deleted even if I don't change the address, but just re-issue 'ifconfig <ifname>' with the already assigned address.

obsd-02# ifconfig vio1
vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:01:00:00:00
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 172.16.0.5 netmask 0xffffff00 broadcast 172.16.0.255
obsd-02# netstat -rn -f inet | grep 172.16.1
172.16.1/24 172.16.0.3 UGS 0 25 - 8 vio1
obsd-02# ifconfig vio1 172.16.0.5/24
obsd-02# ifconfig vio1
vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:01:00:00:00
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 172.16.0.5 netmask 0xffffff00 broadcast 172.16.0.255
obsd-02# netstat -rn -f inet | grep 172.16.1
obsd-02#

I re-create the route to 172.16.1.0/24 via 172.16.0.3.

obsd-02# route add 172.16.1.0/24 172.16.0.3
add net 172.16.1.0/24: gateway 172.16.0.3
obsd-02# netstat -rn -f inet | grep 172.16.1
172.16.1/24 172.16.0.3 UGS 0 2 - 8 vio1
obsd-02#

PF still uses the old address of vio1 (172.16.0.2) as the source address in NAT'ed outgoing packets.

Bonus: the third problem - while I use the flag -n in the 'netstat' command, the default route is nevertheless displayed as 'default' rather than '0.0.0.0/0'.

obsd-02# netstat -r -f inet | grep default
default 100.64.5.254 UGS 0 415 - 8 vio0
obsd-02# netstat -rn -f inet | grep default
default 100.64.5.254 UGS 0 419 - 8 vio0
obsd-02#

Output of 'sendbug' is attached (sendbug.txt).
Thanks in advance.
sendbug.txt
Description: application/applefile
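The report above shows a static route silently disappearing after `ifconfig vio1 addr/len`, which is easy to miss until traffic breaks. The following is an added check script, not part of the report or of OpenBSD; it parses the `ifconfig <if>` and `netstat -rn -f inet` output formats as they appear in the report and tells you the interface's current inet address and whether a given static route is still present, printing the `route add` command when it is not. The sample outputs embedded below are constructed from the formats in the report so the script runs offline; on a live box you pipe the real commands into the same functions.

```sh
#!/bin/sh
# Added example (not from the bug report): verify that a static route survived
# an interface address change and report the interface's current inet address.
# Input formats follow OpenBSD ifconfig(8) and "netstat -rn -f inet" as shown
# in the report.

# Print the first inet address from "ifconfig <if>" output read on stdin.
iface_inet() {
    awk '$1 == "inet" { print $2; exit }'
}

# netstat -rn abbreviates network destinations by dropping trailing zero
# octets: 172.16.1.0/24 is displayed as 172.16.1/24, 10.0.0.0/8 as 10/8.
netstat_dest() {
    net=${1%/*}
    len=${1#*/}
    while [ "${net%.0}" != "$net" ]; do
        net=${net%.0}
    done
    printf '%s/%s\n' "$net" "$len"
}

# Exit 0 if a route to DEST (netstat display form) via GW appears in the
# "netstat -rn -f inet" output read on stdin, 1 otherwise.
route_present() {
    awk -v dest="$1" -v gw="$2" '
        $1 == dest && $2 == gw { found = 1 }
        END { exit !found }'
}

# check_route TABLE NET/LEN GW: TABLE is the text of "netstat -rn -f inet".
# Returns 0 if the route is present, 1 (with the fix command) if it is gone.
check_route() {
    table=$1; net=$2; gw=$3
    if printf '%s\n' "$table" | route_present "$(netstat_dest "$net")" "$gw"; then
        echo "route to $net via $gw present"
        return 0
    fi
    echo "route to $net via $gw MISSING; re-add with: route add $net $gw"
    return 1
}

# --- Constructed sample data, modelled on the report's output -------------
IFCONFIG_BEFORE='vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:01:00:00:00
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 172.16.0.2 netmask 0xffffff00 broadcast 172.16.0.255'
IFCONFIG_AFTER='vio1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 12:22:01:00:00:00
        index 2 priority 0 llprio 3
        media: Ethernet autoselect
        status: active
        inet 172.16.0.5 netmask 0xffffff00 broadcast 172.16.0.255'
# Routing table lines before and after the address change (the static route
# line is gone afterwards, as in the report).
ROUTES_BEFORE='172.16.1/24 172.16.0.3 UGS 0 25 - 8 vio1
192.168/24 192.168.0.2 UCn 0 0 - 4 vio2'
ROUTES_AFTER='192.168/24 192.168.0.2 UCn 0 0 - 4 vio2'

# Demo run on the constructed data.
echo "before: vio1 inet $(printf '%s\n' "$IFCONFIG_BEFORE" | iface_inet)"
check_route "$ROUTES_BEFORE" 172.16.1.0/24 172.16.0.3
echo "after:  vio1 inet $(printf '%s\n' "$IFCONFIG_AFTER" | iface_inet)"
check_route "$ROUTES_AFTER" 172.16.1.0/24 172.16.0.3 || true
```

On a running OpenBSD host the same functions take live output: `ifconfig vio1 | iface_inet` and `check_route "$(netstat -rn -f inet)" 172.16.1.0/24 172.16.0.3`. Running the check right after every `ifconfig` address change (for example from the script that performs the change) turns the silent route loss into a visible failure with the exact re-add command.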