Hi!

Stuart Henderson wrote:
> On 2010-09-18, Imre Oolberg <i...@auul.pri.ee> wrote:
>
>> 3. using route-to ($if_ext $if_ext_gw) construct on the pass out rule I
>> can't change the interface the packet is getting out, it's already
>> decided, I can only choose the next hop gateway address within the
>> network the $if_ext is in
>>
>
> not correct, you can change the interface.
>
> pass out to 8.8.8.8 user fred route-to (lo0 127.0.0.1)
>

Right, it actually goes out thru the specified interface. I obviously did something wrong, doing it or observing the outcome; unfortunately I don't have the exact line that I used when experimenting any more.
But still I would like you to comment on a relevant observation (actually this experimenting was done on an amd64 snapshot from around August 20, but it also happens on i386 4.7, although that one has many more rules).

I have this setup for testing route-to rules:

    ---|--------------------------------------------|----
       | em1 192.168.1.195                         _|_ 192.168.1.4
      _|_                                         |   |
     |   |                                        |___|
     |___|                                          | 10.0.0.4
       | default gw: 192.168.10.254
       | em0 192.168.10.195
     --|-----------------------|----
                              _|_ 192.168.10.10
                             |   | (has a 'route add 10.0.0.0/24 192.168.10.195' static route)
                             |___|

and pf has three rules for two different kinds of traffic:

    # traffic passing thru firewall
    pass in quick log on em0 inet proto tcp to 10.0.0.0/24 port 22 route-to ( em1 192.168.1.4 ) tag TEST
    pass out quick log on em1 inet tagged TEST nat-to 192.168.1.195

    # traffic originating from within firewall itself
    pass out quick log inet user fred route-to ( em1 192.168.1.4 ) nat-to 192.168.1.195

And the observations are the following:

1. traffic passes thru all right
2. traffic originating from the firewall itself delays the first SYN packet for about 6 seconds, then continues normally
3. if the 3rd rule is deprived of its 'nat-to 192.168.1.195' part, the SYN packet gets out instantly, i.e. without the 6 second delay (but this nat-to needs to be done, or it has the 192.168.10.195 source address while leaving em1)

I admit that this setup presented here does not practically make much sense, but I tried to extract from my firewall the essential parts pertaining to my, so to say, route-to thing.

Imre
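The two things worth measuring in the setup above are which interface pf actually passed each outbound SYN on (the route-to interface question) and how long the gap is between the first SYN and the next one (the 6 second delay). Both can be read straight out of the pflog records that the `log` keyword on the three rules already produces. The script below is an added example and not part of the original post or of pf itself; it parses the line shape OpenBSD tcpdump prints for pflog with `-e -tt` (epoch timestamp, rule number, action, direction, interface, then the TCP header). The sample lines are constructed: addresses and the rule index follow the setup in the post, while the timestamps and ports are made up to reproduce a 6 second gap.

```shell
#!/bin/sh
# Added example (not from the original post). Reads pflog output captured
# on the firewall with
#     tcpdump -n -e -tt -i pflog0 'tcp[tcpflags] & tcp-syn != 0'
# and reports, for every outbound SYN, the interface pf passed it out on and
# the gap in seconds since the previous outbound SYN of the same src/dst pair.
# A large gap between the first and second SYN is the "delayed first SYN"
# symptom described in the post.

# Constructed sample in the shape tcpdump prints for pflog with -e -tt.
# Two SYNs six seconds apart leaving em1, then the SYN/ACK coming back in;
# the SYN/ACK must not be counted as an outbound SYN.
sample_pflog() {
    cat <<'EOF'
1284800100.000000 rule 2/(match) pass out on em1: 192.168.1.195.40213 > 10.0.0.4.22: S 1032:1032(0) win 16384 <mss 1460>
1284800106.000000 rule 2/(match) pass out on em1: 192.168.1.195.40213 > 10.0.0.4.22: S 1032:1032(0) win 16384 <mss 1460>
1284800106.001200 rule 2/(match) pass in on em1: 10.0.0.4.22 > 192.168.1.195.40213: S. 77:77(0) ack 1033 win 65535 <mss 1460>
EOF
}

# One line per outbound SYN on stdin: "<gap-seconds> <iface> <src> > <dst>".
# Field positions: $1 timestamp, $4 action, $5 direction, $7 "iface:",
# $8 src, $10 "dst:", $11 TCP flags. Only plain SYNs (flags exactly "S")
# count; "S." is a SYN/ACK and is skipped, as is anything not "pass out".
syn_gaps() {
    awk '
        $4 == "pass" && $5 == "out" && $11 == "S" {
            iface = $7; sub(/:$/, "", iface)
            dst = $10; sub(/:$/, "", dst)
            key = $8 " " dst
            gap = (key in last) ? $1 - last[key] : 0
            last[key] = $1
            printf "%.3f %s %s > %s\n", gap, iface, $8, dst
        }'
}

# Largest gap between consecutive outbound SYNs of one src/dst pair.
max_syn_gap() {
    syn_gaps | awk 'BEGIN { m = 0 } $1 > m { m = $1 } END { printf "%.3f\n", m }'
}

# Interfaces the outbound SYNs actually left on (deduplicated), which is the
# direct check for whether route-to changed the egress interface.
syn_egress() {
    syn_gaps | awk '{ print $2 }' | sort -u
}

# Stand-alone run over the constructed sample. On the firewall, replace
# sample_pflog with the tcpdump command from the header comment.
sample_pflog | syn_gaps
echo "max gap: $(sample_pflog | max_syn_gap)"
echo "egress:  $(sample_pflog | syn_egress | tr '\n' ' ')"
```

On the firewall itself the same functions are fed live: `tcpdump -n -e -tt -i pflog0 'tcp[tcpflags] & tcp-syn != 0' | syn_gaps` while the `user fred` connection is attempted; a first line with gap 0.000 followed by one with a gap of several seconds on the same src/dst pair shows the first SYN never got an answer and the retransmit is what eventually went through, and the interface column confirms whether the packet left on em1 as the route-to option intends.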