Sorry about the delay in replying, I was travelling ...
On Fri, May 24, 2024 at 06:04:25PM +0200, Peter N. M. Hansteen wrote:
> ...
> > May 23 10:32:13.267374 rule 1/(match) pass in on em0: 192.168.178.166.56334
> > > 192.168.178.11.54321: udp 7
> So this last one never leaves, right?
Right.
> what does the gateway's routing table say about how to reach the destination
> network?
Good question. Does it matter what the routing table contains, when I am
explicitly specifying where to send a packet via a pf rule?
In any case, here it is:
mjoelnir:/etc 7.06 15:29:04 # netstat -rnf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.178.254 UGS 11 12713 - 8 em0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0
192.168.168/24 192.168.168.1 UCn 0 0 - 4 ure0
192.168.168.1 14:eb:b6:85:09:08 UHLl 0 0 - 1 ure0
192.168.168.255 192.168.168.1 UHb 0 0 - 1 ure0
192.168.178/24 192.168.178.11 UCn 4 2630 - 4 em0
192.168.178.11 94:c6:91:aa:16:67 UHLl 0 8094 - 1 em0
192.168.178.12 00:d8:61:4f:0d:9a UHLc 0 2588 - 3 em0
192.168.178.13 50:7b:9d:ee:e0:b9 UHLc 1 3077 - 3 em0
192.168.178.250 fc:f5:28:ed:05:e5 UHLc 0 90 - 3 em0
192.168.178.254 44:4e:6d:77:42:68 UHLch 2 25477 - 3 em0
192.168.178.255 192.168.178.11 UHb 0 15 - 1 em0
> also relevant, what is the configuration of the interfaces involved?
# ifconfig em0
em0:
flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4>
mtu 1492
lladdr 94:c6:91:aa:16:67
index 1 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet6 fe80::96c6:91ff:feaa:1667%em0 prefixlen 64 scopeid 0x1
inet 192.168.178.11 netmask 0xffffff00 broadcast 192.168.178.255
# ifconfig ure0
ure0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 14:eb:b6:85:09:08
description: Desc: Testing pf
index 5 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 192.168.168.1 netmask 0xffffff00 broadcast 192.168.168.255
Also this was well spotted by Le Zoff:
> Why setting "flags S/SA" on a rule meant for UDP packets?
I guess pf itself added the flags, presumably because I had not
explicitly specified "udp" in my second rule. So here is the same test,
this time with "proto udp":
mjoelnir:/etc 7.06 15:29:19 # cat pf.conf_forwarding_minimal
set skip on lo0
set block-policy return
set debug warning
block log all # Begin by blocking everything
pass in log on em0 proto udp from 192.168.178.0/24 tag UDP
pass out log on ure0 proto udp tagged UDP
mjoelnir:/etc 7.06 15:29:27 # pfctl -nf pf.conf_forwarding_minimal
mjoelnir:/etc 7.06 15:29:38 # pfctl -f pf.conf_forwarding_minimal
mjoelnir:/etc 7.06 15:29:43 # pfctl -vvs rules | grep @
@0 block return log all
@1 pass in log on em0 inet proto udp from 192.168.178.0/24 to any tag UDP
@2 pass out log on ure0 proto udp all tagged UDP
So, no TCP flags any more, but still no packets out on ure0. Tcpdump
shows only this udp test packet coming in on em0:
tcpdump -n -e -ttt -i pflog0
...
Jun 07 15:52:36.462672 rule 1/(match) pass in on em0: 192.168.178.13.54128 >
192.168.178.11.12345: udp 19
...
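As an added illustration that is not part of this thread: the routing-table question asked above can be answered mechanically. The script below (helper names are my own, not OpenBSD tooling) parses the `netstat -rnf inet` output posted above, pulls the destination address out of a pflog line shaped like the quoted one, and performs the longest-prefix lookup the kernel performs; a matching route that carries OpenBSD's lowercase `l` (RTF_LOCAL) flag means the destination is one of the gateway's own addresses, so the packet is delivered to the host itself and never reaches a `pass out` rule on another interface.

```python
import ipaddress

# Abridged copy of the `netstat -rnf inet` output posted in the thread.
NETSTAT_OUTPUT = """\
default 192.168.178.254 UGS 11 12713 - 8 em0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 1 2 32768 1 lo0
192.168.168/24 192.168.168.1 UCn 0 0 - 4 ure0
192.168.168.1 14:eb:b6:85:09:08 UHLl 0 0 - 1 ure0
192.168.178/24 192.168.178.11 UCn 4 2630 - 4 em0
192.168.178.11 94:c6:91:aa:16:67 UHLl 0 8094 - 1 em0
192.168.178.13 50:7b:9d:ee:e0:b9 UHLc 1 3077 - 3 em0
192.168.178.254 44:4e:6d:77:42:68 UHLch 2 25477 - 3 em0
"""
# Constructed pflog line in the same shape as the one quoted in the thread.
PFLOG_LINE = ("Jun 07 15:52:36.462672 rule 1/(match) pass in on em0: "
              "192.168.178.13.54128 > 192.168.178.11.12345: udp 19")

def parse_destination(dest):
    """Expand netstat's short network notation ('127/8' -> 127.0.0.0/8)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def parse_routes(text):
    """Return (network, gateway, flags, iface) tuples, one per netstat row."""
    rows = (line.split() for line in text.splitlines())
    return [(parse_destination(d), gw, fl, ifc) for d, gw, fl, _, _, _, _, ifc in rows]

def pflog_dst(line):
    """Destination IP from a 'src.port > dst.port: proto' tcpdump line."""
    dst_and_port = line.partition(": ")[2].split(" > ")[1].split(":")[0]
    return dst_and_port.rsplit(".", 1)[0]

def egress_for(routes, dst):
    """Longest-prefix match: is dst this host, on-link, or behind a gateway?"""
    ip = ipaddress.ip_address(dst)
    net, gw, flags, iface = max((r for r in routes if ip in r[0]),
                                key=lambda r: r[0].prefixlen)
    if "l" in flags:          # RTF_LOCAL: one of our own addresses, delivered locally
        return ("local", iface)
    if "G" in flags:          # RTF_GATEWAY: next hop is a router
        return ("gateway " + gw, iface)
    return ("direct", iface)  # on-link destination, sent out iface

if __name__ == "__main__":
    routes = parse_routes(NETSTAT_OUTPUT)
    dst = pflog_dst(PFLOG_LINE)
    print(dst, "->", egress_for(routes, dst))  # 192.168.178.11 -> ('local', 'em0')
```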