Hi

On 06/08/2014 15:15, Stuart Henderson wrote:
> On 2014-08-04, Christophe <t...@stuxnet.org> wrote:
>> Second question :
>> I used to write route-to and reply-to rules in pf.conf in a static context.
>> As far as I've seen, there are modifiers on interface specifications
>> like :network or :peer. But is there a :gateway or something similar
>> telling pf to use the default gateway learned by DHCP on the specified
>> interface ?
> 
> No, there is no modifier to do this. That information ("gateway learned
> by dhcp on XX") isn't passed to the kernel.
> 
> What you could do instead, is use dhclient -L to write the lease information
> to a file, then watch that file for changes (sysutils/entr in ports is good
> to trigger running a script based on this), parse the relevant lines, and
> reload your PF rules with the -D flag to set macros (e.g. "pfctl -D
> ext_gw1=$someaddr -D ext_gw2=$otheraddr -f /etc/pf.conf").
> 
Thanks for your reply Stuart.

I found the way to do the *first step* of the case using "rdomain" in
interfaces configuration, and rtable keyword in pf.conf.

Here is the conf, considering em0 for first WAN access (DHCP), em1 for
second WAN access (also DHCP), and em2 for interco network with the LAN :

# cat /etc/hostname.em0
rdomain 0
dhcp

# cat /etc/hostname.em1
rdomain 1
dhcp

# cat /etc/hostname.em2
inet 172.18.170.1 255.255.255.0 172.18.170.255

# cat /etc/pf.conf

set skip on lo
set loginterface pflog0
block in log
pass out

pass in on em2

pass in on em2 inet proto tcp from em2:network to any port { 80, 443 } rtable 1 keep state

pass in on em2 to em2

pass in on em0 inet proto tcp from any to em0 port 22 rdr-to 172.18.170.10 port 22 keep state

pass in on em1 inet proto tcp from any to em1 port 22 rdr-to 172.18.170.10 port 22 rtable 0 keep state

match out on em0 from em2:network to any nat-to em0
match out on em1 from em2:network to any nat-to em1


Your way is also interesting for the second part of the case ;) .

Regards,
Christophe.
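
One way to script the second step Stuart describes (dhclient -L lease file, parse the router option, reload pf with -D macros), as an added example that is not code from the thread. The lease file paths, the constructed lease contents and the reload command are assumptions; the macro names ext_gw1/ext_gw2 are the ones from Stuart's reply.

```shell
#!/bin/sh
# Added example: derive pfctl -D macros from dhclient -L lease files.
# Paths and sample leases are constructed for illustration.

# Print the gateway from the newest lease block of a dhclient -L lease file.
# Returns 1 and prints nothing if the file is unreadable or has no routers option.
lease_gateway() {
    [ -r "$1" ] || return 1
    # Last "option routers" line wins, so a file holding several leases
    # yields the most recent one; strip the keyword and trailing ';'.
    gw=$(sed -n 's/^[[:space:]]*option routers[[:space:]]*\([0-9.]*\);.*/\1/p' "$1" | tail -n 1)
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# Build the pfctl command line, one -D macro per "macro=leasefile" argument.
# A lease file without a gateway is skipped rather than producing an empty
# macro, so a WAN that is down does not break the ruleset load.
pf_reload_cmd() {
    cmd="pfctl"
    for pair in "$@"; do
        macro=${pair%%=*}
        file=${pair#*=}
        gw=$(lease_gateway "$file") || continue
        cmd="$cmd -D $macro=$gw"
    done
    printf '%s -f /etc/pf.conf\n' "$cmd"
}

# Constructed sample leases standing in for what "dhclient -L" would write
# for em0 and em1 (documentation address ranges).
tmp=$(mktemp -d)
cat > "$tmp/lease.em0" <<'EOF'
lease {
  interface "em0";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
}
EOF
cat > "$tmp/lease.em1" <<'EOF'
lease {
  interface "em1";
  fixed-address 198.51.100.20;
  option routers 198.51.100.1;
}
EOF
# Print the reload command; entr would run it for real on lease file changes.
pf_reload_cmd "ext_gw1=$tmp/lease.em0" "ext_gw2=$tmp/lease.em1"
```

The pf.conf being reloaded would then use $ext_gw1 and $ext_gw2 in its route-to/reply-to rules.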
