Hi,
I'd like to confirm I understood how pf works in a mixed veb/vport/tap
environment. I'm using OpenBSD 7.3/amd64 (if that matters).
I have a physical host that runs services (relayd, httpd...) the
"classical" way and also provides VM using vmd. I have a couple of
public IPs that are either assigned to the host (via vportN) or to some
VMs (via tapN). I'm doing all the IP filtering on the host's pf (because
some VMs are Linux and I don't know iptables).
Here's a summary of my configuration:
# cat /etc/hostname.em0
up
# cat /etc/hostname.vport0
rdomain 0
inet aa.bb.cc.5 255.255.255.0
!route -n add -inet default aa.bb.cc.1
up
# cat /etc/hostname.vport1
rdomain 1
inet aa.bb.cc.6 255.255.255.0
!route -T 1 -n add -inet default aa.bb.cc.1
up
# cat /etc/hostname.tap2
rdomain 2
up
# cat /etc/hostname.veb0
add em0
add vport0
add vport1
add tap2
up
# cat /etc/vm.conf
(...)
switch "wan" { interface veb0 }
(...)
vm linux {
(...)
interface tap2 {
rdomain 2
switch "wan"
# configure enp0s2 with aa.bb.cc.7/24
}
(...)
My initial pf configuration looked like:
block return log
pass on lo
pass in on vport0 proto tcp to vport0 port ssh
pass in on vport1 proto tcp to vport1 port { http, https }
pass in on tap2 proto tcp to aa.bb.cc.7 port ssh
pass out
This filters properly on vport0 and vport1. But nothing is filtered on
tap2: the http service running in the VM is accessible via aa.bb.cc.7.
First question: is it expected that pf doesn't filter inbound traffic on
a tap interface by default? Or is it specific to the fact that tap2
belongs to veb0?
After re-reading veb(4), I ran `ifconfig veb0 link1` and could achieve
the desired filtering by modifying my pf configuration as follows:
block return log
pass on lo
pass on em0
pass in on vport0 proto tcp to vport0 port ssh
pass in on vport1 proto tcp to vport1 port { http, https }
pass out on tap2 proto tcp to aa.bb.cc.7 port ssh
pass out on vport0
pass out on vport1
pass in on tap2
Second question: is this the proper way to configure veb0 and pf or is
there a "better" way of doing the filtering?
Thanks for any feedback,
Joel C.
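An added sanity check, not part of the mail above: it reads `ifconfig veb0` output to tell whether link1 is set on the veb, lists the veb ports, and reports any port that no pf rule names with `on <port>`, which is exactly the situation tap2 was in. The sample ifconfig and `pfctl -sr` outputs are constructed for illustration, and the port-listing format is assumed to match what ifconfig prints for bridge members.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from the poster's host). On a real
# system these come from `ifconfig veb0` and `pfctl -sr`.
VEB_BEFORE='veb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        index 9 llprio 3
        groups: veb
        em0 flags=3<LEARNING,DISCOVER>
                port 1 ifpriority 0 ifcost 0
        vport0 flags=3<LEARNING,DISCOVER>
                port 2 ifpriority 0 ifcost 0
        tap2 flags=3<LEARNING,DISCOVER>
                port 4 ifpriority 0 ifcost 0'
# Same veb after `ifconfig veb0 link1`: LINK1 shows up in the flag list.
VEB_AFTER=$(printf '%s\n' "$VEB_BEFORE" | sed '1s/MULTICAST>/MULTICAST,LINK1>/')
# Constructed `pfctl -sr` output: rules for lo, em0 and vport0 but none for tap2.
PF_RULES='block return log all
pass on lo all flags S/SA
pass on em0 all flags S/SA
pass in on vport0 inet proto tcp from any to (vport0) port = 22 flags S/SA
pass out on vport0 all flags S/SA'

# veb_link1_set: read `ifconfig vebN` output on stdin; succeed only if LINK1
# appears in the <...> flag list on the first line.
veb_link1_set() {
        sed -n '1s/.*<\([^>]*\)>.*/\1/p' | tr ',' '\n' | grep -qx LINK1
}

# veb_ports: read `ifconfig vebN` output on stdin; print each attached
# interface (lines after the first that look like "<ifname> flags=...").
veb_ports() {
        awk 'NR > 1 && $1 ~ /^[a-z]+[0-9]+$/ && $2 ~ /^flags=/ { print $1 }'
}

# unfiltered_ports: $1 is veb ifconfig output, $2 is `pfctl -sr` output.
# Print every veb port that no rule names with "on <port>"; once link1 is set
# such a port only ever hits the catch-all "block return log".
unfiltered_ports() {
        printf '%s\n' "$1" | veb_ports | while read -r port; do
                printf '%s\n' "$2" | grep -q " on $port " || echo "$port"
        done
}
```

Run it against the real outputs with `unfiltered_ports "$(ifconfig veb0)" "$(pfctl -sr)"` after checking `ifconfig veb0 | veb_link1_set`.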