Re: NAT and dynamic addressing
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT and dynamic addressing
- From: Henning Brauer <lists-openbsd_(_at_)_bsws_(_dot_)_de>
- Date: Sun, 14 Jul 2002 02:09:25 +0200
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
On Sat, Jul 13, 2002 at 03:51:52PM -0700, Richard P. Koett wrote:
> > > ... As I understood it, the only difference between
> > > "rdr on $Ext_If proto udp from any to ep1 port domain \
> > > -> 192.168.1.1 port domain"
> > > and
> > > "rdr on $Ext_If proto udp from any to (ep1) port domain \
> > > -> 192.168.1.1 port domain"
> > > is that with "ep1" the value is set when the rules are loaded
> > > and with "(ep1)" the value changes when the interface gets
> > > a new address (?)
> > okay. i try to explain it. You did not specify the address family.
> > ep1 most probably has IPv4 and IPv6 addresses. As we don't expand rules to
> > multiple rules in the kernel as we do in userland, the rules must be clear.
> > So, you need to specify the address family, that's all.
> Okay, the need to specify an address family makes perfect sense.
> I guess what I'm finding confusing is this:
> When is a macro specifying "the name of an interface", and when is
> it specifying "the IP address associated with an interface"?
if you use an interface name instead of an IP _without_ (), this is expanded
to all the IPs of this interface of matching address families (IPv4 _and_
IPv6 if you don't specify an address family for the rule, and only the
matching one otherwise) at parse time. so, typically:
pass in on lo0 from any to lo0
expands to
pass in inet on lo0 from any to 127.0.0.1
pass in inet6 on lo0 from any to ::1
you can quite nicely watch this expansion process by using
pfctl -nvf /etc/pf.conf
so actually here one rule is expanded to two rules.
when using () around the interface, the parser doesn't touch it and passes
the interface name down to pf's kernel part, and the interface->IP
translation is done there. of course there are more restrictions in the
kernel and performance is an issue (while pfctl's performance isn't really
one), and thus you have to be more specific, as we do not expand to multiple
IPs/rules there.
> I'm not sure if I'm phrasing this question well, so perhaps an example
> will help (taken from PF.CONF(5)):
>
> # block and log outgoing packets that don't have our address as source
> block out log quick on $ext_if from ! 157.161.48.183 to any
>
> I would like to eliminate any hard-coded instances of my external
> address, since I am using DHCP.
>
> If I replaced the above rule with the following -
> block out log quick on $ext_if inet from ! ($ext_if) to any
> - would this rule work as intended? And if so, would it continue to
> work if my external address changed after I loaded my rules?
yes and yes.
> I realize that with your depth-of-knowledge about pf these questions
> may seem tedious to answer, but since you also write the man pages
> I hope that knowing where newbies get stuck may be helpful to you.
this is indeed a problem.
As developers of this stuff, we are familiar with it. we know the internals.
so for us some things are clear while users getting in contact with pf for
the first time may be confused by exactly the same thing.
so, your help (and especially diffs, hint hint hint) for the manpages is
appreciated.
Greetz
Henning
--
http://2suck.net/hhwl.html
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
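An added example, not from Henning's mail or from pfctl itself: a small Python model of the parse-time expansion described in the mail, using a constructed interface/address table (the lo0 and ep1 addresses are sample values). A bare interface name in a from/to position is expanded per address and per family the way the lo0 example shows; a parenthesised name is passed through for the kernel, and without inet/inet6 it is rejected when the interface has both kinds of address, as the mail says the kernel cannot expand rules.

```python
import itertools
import re

# Constructed interface table (real pfctl asks the kernel); sample values.
IFADDRS = {
    "lo0": {"inet": ["127.0.0.1"], "inet6": ["::1"]},
    "ep1": {"inet": ["10.0.0.2"], "inet6": ["2001:db8::2"]},
}
_AFS = ("inet", "inet6")
_NAME = re.compile(r"^[a-z]+[0-9]+$")       # bare name, e.g. ep1: parse time
_DYN = re.compile(r"^\(([a-z]+[0-9]+)\)$")  # (ep1): resolved in the kernel

def _addr_positions(toks):
    """Indexes of the address tokens after 'from' / 'to', skipping a '!'."""
    pos = []
    for i, t in enumerate(toks):
        if t in ("from", "to"):
            j = i + 1
            if j < len(toks) and toks[j] == "!":
                j += 1
            pos.append(j)
    return pos

def expand_rule(rule, ifaddrs=IFADDRS):
    """Model of the parse-time expansion the mail describes: a bare interface
    name in an address position becomes one rule per matching address (and
    per family unless the rule names one); (name) is handed to the kernel
    unchanged, and is rejected without inet/inet6 when the interface has
    both kinds of address, since the kernel does not expand rules."""
    toks = rule.split()
    af = next((t for t in toks if t in _AFS), None)
    families = [af] if af else list(_AFS)
    pos = _addr_positions(toks)
    for i in pos:
        m = _DYN.match(toks[i])
        if m and af is None and all(ifaddrs.get(m.group(1), {}).get(f) for f in _AFS):
            raise ValueError(f"{toks[i]}: address family required")
    bare = [i for i in pos if _NAME.match(toks[i])]
    if not bare:
        return [rule]  # nothing for pfctl to expand
    out = []
    for fam in families:
        choices = [ifaddrs.get(toks[i], {}).get(fam, []) for i in bare]
        for combo in itertools.product(*choices):  # empty if an if lacks fam
            new = list(toks)
            for i, addr in zip(bare, combo):
                new[i] = addr
            if af is None:  # pfctl writes out the family it expanded to
                new.insert(2 if new[1] in ("in", "out") else 1, fam)
            out.append(" ".join(new))
    return out
```

Macros such as $ext_if are assumed to have been substituted already, which is how pfctl treats them before this step.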