Re: tagging in NAT rules not working

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Marco Fretz <mailinglist@...>

To: Chris Smith <obsd_misc@...>

Cc: <misc@...>

Subject: Re: tagging in NAT rules not working

Date: Friday, July 18, 2008 - 8:14 am

Chris Smith wrote:

quoted text> On Wednesday 16 July 2008, Marco Fretz wrote:

>> pf nat rule:

>> nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx

>>

>> pf filter rule:

>> pass log quick all flags S/SA keep state tagged natted

>

> FWIW, you no longer need to specify "flags S/SA keep state" as it is the

> default.
Yes, i know. It copied the rules out of "pfctl -sr" and there it is

shown because its added by default...
>

quoted text> It does work here, or my packets would not end up in the proper queues.

> 
the difference i see to your construct is you'r tagging packets which

are already tagged. but anyways my construct should work as well, right?
at the moment i do nat and then a pass:
nat log on bge0 inet from 172.16.12.128/27 tag natted -> 88.82.xx.xx

pass log quick from 172.16.12.128/27
if i add the "tagged natted" to the pass rule the rule does never match...
>> the packed is dropped by my default deny rule (the rule does never

quoted text>> match). i think the packet does not get the tag "natted". any ideas?

>> them same thing with rdr rules is woking fine.

>

>> nat and rdr is done before filtering, right? so if the connection

>> gets natted the tag should be present in the filter section...?

>> (thats what i read in the FAQ)

>

> The FAQ actually states "translation occurs before filtering", which may

> be interpreted differently than "nat and rdr is done before filtering".

>

> This construct is working for me:

> ==========================================================

> nat on $ext_if inet from $voip_if:network tag VOIP_NET_NAT tagged

> VOIP_NET -> ($ext_if)

>

> pass in on $voip_if inet proto { tcp, icmp, udp } all tag VOIP_NET

>

> pass out quick on $ext_if from ($ext_if) tagged VOIP_NET_NAT queue

> voip_out

> ==========================================================

>

> The packet arrives on the internal interface, $voip_if, and gets tagged

> with VOIP_NET, the nat rule tags everything that is tagged VOIP_NET

> with a new tag of VOIP_NET_NAT, then everything tagged VOIP_NET_NAT is

> passed quick out the external interface through the voip_out queue

> (highest priority).

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

tagging in NAT rules not working, Marco Fretz, (Wed Jul 16, 8:27 am)

Re: tagging in NAT rules not working, Chris Smith, (Wed Jul 16, 10:30 am)

Re: tagging in NAT rules not working, Marco Fretz, (Fri Jul 18, 8:14 am)

Re: tagging in NAT rules not working, Chris Smith, (Wed Jul 16, 3:36 pm)

Navigation

Popular discussions


linux-kernel:
Jon Smirl	463 kernel developers missing!
Nigel Cunningham	Re: [PATCH] Remove process freezer from suspend to RAM pathway
Greg KH	Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scan...
Jeff Garzik	Re: Linux 2.6.23-rc9 and a heads-up for the 2.6.24 series..
git:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Linus Torvalds	Re: [GIT]: Networking
Evgeniy Polyakov	Re: [BUG] New Kernel Bugs
openbsd-misc:

Colocation donated by:

Online users

Syndicate