Nick,

On Tue, Nov 06, 2007 at 02:43:42PM -0700, Nick Golder wrote:
> On 2007-11-06 09:00 +0100, Jeremie Le Hen wrote:
> >
> > Reply-to's are associated with state entries which, in turn, are
> > associated with an interface. At least this is what I've understood
> > from my own experience: indeed you have to set a state on both the
> > incoming and outgoing interface to let a packet/stream go through.
> > Moreover, reply-to's are by definition applied on the reverse path,
> > on the same interface as the rule that set it. Considering that pf
> > can only change a packet route *before* it has actually been routed
> > by the kernel (correct me if I'm wrong), this means you have to set
> > the reply-to rule on the output path of the forward packet, so it
> > will be triggered in the input path of the reverse packet.
>
> I can see the state table get updated - the incoming state gets created
> as well as a corresponding outgoing state, except the outgoing is
> created for the interface with the default route.
>
> If I change the 'pass in on' rule and remove the 'reply-to', it behaves
> exactly the same. So it seems the 'reply-to' is skipped.
>
> I don't follow why I would want my 'reply-to' on the output path.
> Reading the docs makes it sound like 'reply-to' is used for incoming
> rules and 'route-to' is used for outgoing. An example would help.
Ok, let's say we have to handle a Y:

R1 -------             R1 - Router 1
          \            R2 - Router 2
           PF ------- S    S  - Server
          /            PF - Firewall
R2 -------

Let's say an incoming request to S comes from either R1 or R2 and must
use the same return path. Here is what I would do (dug up from my
memory), with OpenBSD 4.2 (which doesn't require flags and keep state):

% pass in on $r1_if proto tcp to $s port http tag "okR1"
% pass in on $r2_if proto tcp to $s port http tag "okR2"
% pass out on $s_if reply-to ($r1_if $r1_ip) all tagged "okR1"
% pass out on $s_if reply-to ($r2_if $r2_ip) all tagged "okR2"

Please, let us know if it works.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
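As an added example (not from the thread, and not Jeremie's or Nick's config), here is a complete pf.conf for the Y above that supplies the macros the four rules assume and places reply-to on the server-facing output rules, with the inbound placement from the quoted message kept as a comment for contrast. Interface names and addresses are placeholders.

```pf
# Added example, not from the thread: full pf.conf for the Y topology above.
# Interface names and addresses are placeholders; adjust to the real setup.
r1_if = "em0"
r2_if = "em1"
s_if  = "em2"
r1_ip = "192.0.2.1"       # next hop on the R1 link
r2_ip = "198.51.100.1"    # next hop on the R2 link
s     = "10.0.0.10"       # the server behind PF

set skip on lo

# Default deny. OpenBSD 4.2 keeps state and uses flags S/SA by default,
# so the pass rules below need neither 'keep state' nor 'flags'.
block log all

# Inbound requests: tag each stream with the router link it arrived on.
pass in on $r1_if proto tcp from any to $s port http tag okR1
pass in on $r2_if proto tcp from any to $s port http tag okR2

# Outbound toward S: reply-to goes on this rule, i.e. on the output side
# of the forward path. The state it creates on $s_if is the one the reply
# (S -> client) hits on input, before the kernel routes it, so the reply
# is pushed back through the router that carried the request instead of
# following the default route.
pass out on $s_if reply-to ($r1_if $r1_ip) all tagged okR1
pass out on $s_if reply-to ($r2_if $r2_ip) all tagged okR2

# Placement tried in the quoted message, which was observed to behave the
# same as having no reply-to at all in this topology (kept for contrast):
# pass in on $r1_if reply-to ($r1_if $r1_ip) proto tcp from any to $s port http
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; after sending a request in through R1, `pfctl -ss` should show the state pair and `pfctl -vsr` should show the packet counter of the `pass out on $s_if ... tagged okR1` rule incrementing, which confirms the tagged output rule (and hence its reply-to) is the one the stream matched.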