Hi All,

I need to quickly create a solution for forwarding multicast traffic
between two systems, so I thought perhaps I could use pf to do just that
by writing some rules along the lines of:

    1. pass in on iface A proto UDP ... tag mcast
    2. pass out on iface B tagged mcast

    And another pair of rules for the reverse direction B -> A.

(Obviously I'd add more options to filter specific addresses, etc.)

So I tried to do a quick test / proof of concept. Here is the pf.conf:
    # cat pf.conf
    set skip on lo0
    set block-policy return
    set debug warning

    # Begin by blocking everything
    block log all
    pass  in  log on em0    proto udp from 192.168.178.166 tag UDP
    pass  out log on ure0   tagged UDP
    ###match route dup-to ure0 tagged TAG_UP

    # Allow all outbound
    #pass out log modulate state

The two "pass" lines are the basis of the idea. This seems to be pretty
much identical to the tagging example "INTNET" in the pf.conf man page.

pfctl reports:
    # pfctl -vvs rules | grep @
    @0 block return log all
    @1 pass in log on em0 inet proto udp from 192.168.178.166 to any tag UDP
    @2 pass out log on ure0 all flags S/SA tagged UDP

I see that rule 1 is matched, but never rule 2. E.g.
...
May 23 10:32:06.602759 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 46[|domain] (DF)
May 23 10:32:06.603963 rule 0/(match) block in on em0: fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 46[|domain] [flowlabel 0xbaff9]
May 23 10:32:09.700212 rule 0/(match) block in on em0: 192.168.178.254 > 224.0.0.1: igmp query [len 12] (DF) [tos 0xc0] [ttl 1]
May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334 > 192.168.178.11.54321: udp 7
May 23 10:32:20.592971 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 16 [3q][|domain] (DF)
May 23 10:32:21.136275 rule 0/(match) block in on em0: 192.168.178.252.5353 > 224.0.0.251.5353: 48084+[|domain]
May 23 10:32:21.137074 rule 0/(match) block in on em0: 192.168.178.252.5353 > 224.0.0.251.5353: 0* [0q] 3/0/3[|domain]
...
May 23 10:32:48.588466 rule 1/(match) pass in on em0: 192.168.178.166.56335 > 192.168.178.11.54321: udp 42
May 23 10:32:49.705282 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 0[|domain] (DF)
May 23 10:32:49.705839 rule 0/(match) block in on em0: fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 0[|domain] [flowlabel 0xbaff9]
...

I must be missing something, but what?

Both interfaces are up and configured with IP addresses.
I'm running the current snapshot i.e. 7.5 GENERIC.MP#77 amd64.

Thanks in advance!

Cheers,
Robb.
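A quick check on the pflog output quoted in the post, as an added example (this is not code from the post or from OpenBSD): the script below parses the tcpdump-on-pflog lines, splits the "addr.port" endpoints tcpdump prints (bare addresses for IGMP), and tallies per rule whether the destination was a multicast group. On the lines above, every multicast packet comes from 192.168.178.179, .252, .254 or the fe80:: link-local host, none from 192.168.178.166, and the only rule 1 matches are unicast datagrams to 192.168.178.11, which is why the "tagged UDP" rule on ure0 never has a tagged multicast packet to match. The log lines are embedded as-is from the post (wrapped lines re-joined); the parser and its summary functions are the assumption here.

```python
"""Classify pf log lines (tcpdump -n -e -ttt -i pflog0 style) by rule and
by whether the destination is a multicast group.

Added example, not part of the original post. Only the regex for the
tcpdump output format and the summary functions are assumed; the log
lines themselves are the ones quoted in the post above.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Log lines copied from the post above (wrapped lines re-joined).
SAMPLE_LOG = """\
May 23 10:32:06.602759 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 46[|domain] (DF)
May 23 10:32:06.603963 rule 0/(match) block in on em0: fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 46[|domain] [flowlabel 0xbaff9]
May 23 10:32:09.700212 rule 0/(match) block in on em0: 192.168.178.254 > 224.0.0.1: igmp query [len 12] (DF) [tos 0xc0] [ttl 1]
May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334 > 192.168.178.11.54321: udp 7
May 23 10:32:20.592971 rule 0/(match) block in on em0: 192.168.178.179.5353 > 224.0.0.251.5353: 16 [3q][|domain] (DF)
May 23 10:32:21.136275 rule 0/(match) block in on em0: 192.168.178.252.5353 > 224.0.0.251.5353: 48084+[|domain]
May 23 10:32:48.588466 rule 1/(match) pass in on em0: 192.168.178.166.56335 > 192.168.178.11.54321: udp 42
May 23 10:32:49.705839 rule 0/(match) block in on em0: fe80::4434:8bff:fecd:b116.5353 > ff02::fb.5353: 0[|domain] [flowlabel 0xbaff9]
"""

# One pflog record: timestamp, "rule N/(reason)", action, direction, interface,
# "src > dst:" and whatever tcpdump decoded after that.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<why>\w+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    rule: int
    action: str
    direction: str
    iface: str
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]
    rest: str


def split_endpoint(text: str):
    """tcpdump prints 'addr.port' for UDP/TCP and a bare 'addr' for IGMP etc.
    Try the whole string as an address first so 192.168.178.254 is not
    mis-split into 192.168.178 / 254; otherwise peel the port off the end."""
    try:
        return ipaddress.ip_address(text), None
    except ValueError:
        addr, port = text.rsplit(".", 1)
        return ipaddress.ip_address(addr), int(port)


def parse_log(text: str):
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "..." separators and anything that is not a pflog record
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        packets.append(Packet(m["ts"], int(m["rule"]), m["action"], m["dir"],
                              m["iface"], src, sport, dst, dport, m["rest"]))
    return packets


def summarize(packets):
    """Per rule number: how many logged packets were addressed to a multicast
    group vs. a unicast host, and which sources sent the multicast ones."""
    summary = defaultdict(lambda: {"multicast": 0, "unicast": 0, "multicast_sources": set()})
    for p in packets:
        entry = summary[p.rule]
        if p.dst.is_multicast:
            entry["multicast"] += 1
            entry["multicast_sources"].add(str(p.src))
        else:
            entry["unicast"] += 1
    return dict(summary)


def multicast_from(packets, source: str):
    """Multicast packets sent by a given host, i.e. what a 'from <host> ... tag'
    rule could ever tag for the outbound 'tagged' rule to pick up."""
    src = ipaddress.ip_address(source)
    return [p for p in packets if p.src == src and p.dst.is_multicast]


if __name__ == "__main__":
    pkts = parse_log(SAMPLE_LOG)
    for rule, entry in sorted(summarize(pkts).items()):
        print(f"rule {rule}: {entry['multicast']} multicast, {entry['unicast']} unicast, "
              f"multicast sources: {sorted(entry['multicast_sources'])}")
    print("multicast from 192.168.178.166:", len(multicast_from(pkts, "192.168.178.166")))
```

Run it against a longer capture with `tcpdump -n -e -ttt -i pflog0 | python3 script.py` style piping if you adapt `parse_log` to read stdin; the useful question it answers is whether any packet the "tag" rule matched was actually multicast at all.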
