On Tue, May 30, 2023 at 06:07:32PM +0300, Nick Andersen wrote:
> Hi Folks,

hi.

> 
> I am writing to seek assistance regarding an issue I am experiencing in
> trying to route my Personal Computer's network traffic to a TUN interface.
> My objective is to modify some of its content and subsequently return the
> traffic back.
> 
> So far, I have successfully created a TUN interface using the following
> configuration:
> 
> andersen@pc% ifconfig tun8 inet 172.16.122.1/32 172.16.122.2 up
> andersen@pc% ifconfig tun8
> tun8: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
> inet 172.16.122.1 --> 172.16.122.2 netmask 0xffffffff
> 
> 
> Subsequently, I have also inspected the primary Ethernet interface, em0, as
> follows:
> 
> 
> andersen@pc % ifconfig em0
> em0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
> ether xx:xx:xx:xx:xx:xx
> inet 192.168.1.128 netmask 0xffffff00 broadcast 192.168.1.255
> nd6 options=201<PERFORMNUD,DAD>
> media: autoselect
> status: active
> 
> 
> 
> And I've updated pf.conf;
> 
> set skip on { lo0 tun8 }
> 
> ext_if="em0"
> tun_if="tun8"
> 
> # allow dns
> pass in log quick on $ext_if inet proto { tcp udp } from any to any port 53
> pass out log quick on $ext_if inet proto { tcp udp } from any to any port 53
> 
> pass in log quick on $ext_if
> pass out log quick on $ext_if route-to (tun8 (tun8)) no state

the syntax and semantics for route-to changed before 6.9. are you
running a stable release (ie, 7.2 or preferably 7.3)?

the pf.conf syntax changed so that instead of routing to an interface
with an optional IP address, you route-to a destination IP address. the
semantic change is that route-to relies on states. so you probably want

  pass out log quick on $ext_if route-to 172.16.122.2

because pfctl will resolve interface names to ips, you can also use
this:

  pass out log quick on $ext_if route-to tun8:peer

> pass out log quick on $tun_if reply-to (em0 (em0))

you have "set skip on tun8" above, which means this rule won't run.

however, you have a problem where you don't want the route-to to
happen to the packets that are being reinjected by your program. i think
the least worst way to do that in this situation is to use the
following:

  pass out log quick on $ext_if received-on $tun_if
  pass out log quick on $ext_if route-to $tun_if:peer

if you want your program to handle packets in both directions on a
connection, you could have rules like this:

  pass out log quick on $ext_if reply-to $tun_if:peer received-on $tun_if
  pass out log quick on $ext_if route-to $tun_if:peer

you won't be able to tell the direction of the packets apart if they
all go through the one tun interface though. if you route-to tun8
and reply-to another interface (eg, tun9), then you will be able
to differentiate them based on which tun interface you read them
from.

divert(4) sockets might also work for you depending on what you're
doing. if you're just monitoring packets then there's also dup-to
and bpf/tcpdump.

> --
> 
> I implemented a small C program that reads packets from /dev/tun8 and
> writes them back to the same device. During the writing phase, I have
> attempted to add a 4-byte TUN header (with AF_INET byte). The issue arises
> when I enable pf, as my connectivity ceases to function. I suspect that the
> problem may be linked to the reply-to rule. I can accurately read all
> network packets, but my network connectivity is disrupted when I activate
> pf.
> 
> Are there any thoughts about what I'm doing wrong?

i'd leave pf enabled and just change rules.
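The tun(4) framing the quoted C program has to get right, as an added example that is neither the poster's program nor OpenBSD's code: the header tun(4) expects is a 4-byte address family in network byte order (AF_INET is 00 00 00 02, not a single byte), and a packet should be sanity-checked before it is modified and written back. The function names and the 20-byte sample packet are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#define TUN_HDRLEN 4 /* tun(4): 4-byte address family, network byte order */

/* Prepend the tun(4) header (AF_INET is 00 00 00 02, not one byte).
 * Returns the framed length, or 0 if out is too small. */
size_t tun_frame(uint8_t *out, size_t outlen, uint32_t af,
                 const uint8_t *pkt, size_t len)
{
    uint32_t hdr = htonl(af);
    if (outlen < TUN_HDRLEN + len)
        return 0;
    memcpy(out, &hdr, TUN_HDRLEN);
    memcpy(out + TUN_HDRLEN, pkt, len);
    return TUN_HDRLEN + len;
}

/* Strip the header from a buffer read from /dev/tunN: returns the address
 * family and points *pkt/*len at the inner packet, or -1 if too short. */
int tun_unframe(const uint8_t *buf, size_t buflen,
                const uint8_t **pkt, size_t *len)
{
    uint32_t hdr;
    if (buflen < TUN_HDRLEN)
        return -1;
    memcpy(&hdr, buf, TUN_HDRLEN);
    *pkt = buf + TUN_HDRLEN;
    *len = buflen - TUN_HDRLEN;
    return (int)ntohl(hdr);
}

/* Validate before modifying: version 4, IHL >= 20, total length within what was read. */
int ipv4_sane(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = ((size_t)pkt[2] << 8) | pkt[3];
    return ihl >= 20 && tot >= ihl && tot <= len;
}

/* Frame, unframe and validate a constructed sample (minimal IPv4/UDP header
 * 172.16.122.1 -> 172.16.122.2); returns the address family, 2 for AF_INET. */
int sample_roundtrip(void)
{
    static const uint8_t ip[20] = { 0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 17,
        0, 0, 172, 16, 122, 1, 172, 16, 122, 2 };
    uint8_t buf[64]; const uint8_t *pkt; size_t len;
    size_t n = tun_frame(buf, sizeof buf, AF_INET, ip, sizeof ip);
    int af = tun_unframe(buf, n, &pkt, &len);
    return (n == 24 && buf[3] == 2 && ipv4_sane(pkt, len)) ? af : -1;
}
```

In the real read/write loop the buffer returned by read(2) on /dev/tun8 goes through tun_unframe, the modifier only runs when ipv4_sane passes, and tun_frame rebuilds the buffer handed to write(2).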

> 
> Thanks!
> 
> Here is a sample from pflog;
> 
> andersen@pc% sudo tcpdump -nettti pflog0
> 
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> 
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 246 bytes
