From: Özkan KIRIK
Date: Thu, 4 Nov 2021 09:26:15 +0300
Subject: matching receive interface and xmit interface in single rule
To: freebsd-pf@freebsd.org
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Hi,

I'm looking for a solution to match traffic received on igb0 and transmitted on igb1. According to the man page, ipfw(8) supports this syntax:

    ipfw add deny ip from any to any out recv ed0 xmit ed1

    The recv interface can be tested on either incoming or outgoing
    packets, while the xmit interface can only be tested on outgoing
    packets. So out is required (and in is invalid) whenever xmit is used.

I used a workaround for this requirement:

- pass in quick on igb0 all keep state (if-bound) tag rule1_IN_IGB0
- pass out quick on igb1 all tagged rule1_IN_IGB0 keep state (if-bound)

But this syntax has disadvantages:

- if tags are used for NAT, one of the tags will be lost, because pf supports only a single tag.
- reading and writing rules becomes complicated

Is it possible to add support for this feature like ipfw, or alternatively is it possible to have a separate tag for NAT?

Have a nice day

Regards
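
The tag collision described in the message above, as an added pf.conf sketch that is not part of the original post. The interfaces and the rule1_IN_IGB0 tag come from the message; the 10.0.0.0/24 network and the NAT_LAN and rule1_IN_IGB0_NAT tag names are assumptions made for illustration.

```pf
# Constructed example. 10.0.0.0/24, NAT_LAN and rule1_IN_IGB0_NAT are
# assumed names; igb0, igb1 and rule1_IN_IGB0 are taken from the message.

# --- Variant A: the collision ---------------------------------------------
# A packet carries exactly one tag. A later "tag" replaces the earlier one.
# On the outbound pass over igb1 the translation rule is evaluated before
# the filter rules, so the tag set on igb0 is overwritten with NAT_LAN and
# the "tagged rule1_IN_IGB0" test below no longer matches NATed traffic.
nat on igb1 inet from 10.0.0.0/24 to any tag NAT_LAN -> (igb1)

pass in  quick on igb0 all keep state (if-bound) tag rule1_IN_IGB0
pass out quick on igb1 all tagged rule1_IN_IGB0 keep state (if-bound)

# --- Variant B: fold both facts into one tag (use instead of A) ------------
# The translation rule only fires for packets that already carry the
# receive-interface tag, and replaces it with a tag that encodes both
# "received on igb0" and "translated". In a nat rule "tag" must be written
# before "tagged".
#
# nat on igb1 inet from 10.0.0.0/24 to any \
#     tag rule1_IN_IGB0_NAT tagged rule1_IN_IGB0 -> (igb1)
#
# pass in  quick on igb0 all keep state (if-bound) tag rule1_IN_IGB0
# pass out quick on igb1 all tagged rule1_IN_IGB0_NAT keep state (if-bound)
# pass out quick on igb1 all tagged rule1_IN_IGB0     keep state (if-bound)
#     ^ last rule covers igb0 -> igb1 traffic that was not translated
```

Variant B keeps the receive-interface information across translation but multiplies tag names per interface pair, so it does not address the readability concern raised in the message.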