tech-net archive


Re: npf and ephemeral interfaces (tun0)



In article <CAGN_6pZoxP0EmG7PME9=pQAMrkHbDkmdfoB9VQZpCR-wNLmdww%mail.gmail.com@localhost>,
David Brownlee  <abs%absd.org@localhost> wrote:
>I have a server which needs to run an npf map rule on its OpenVPN
>interface (tun0).
>
>I can create the rule fine, but when the system restarts npf rejects
>the ruleset because there is no tun0 interface. Am I missing something?
>Is there a way around this?
>
>I have a couple of other systems still using pf to avoid this kind of issue :/
>
>Relevant rule lines:
>
>$vpn_if = inet4(tun0)
>map $vpn_if dynamic $foohost      port 22 <- $foohost port 24

Although you can refer to non-existing interfaces and they will work in spite
of the warnings, I have:

        pass final on ppp0 all
        pass final on ppp1 all
        pass final on ppp2 all

inside my rules without having any ppp interfaces at filter load
time, unfortunately referring to addresses on a non-existing interface
does not work. Having the ability to insert and remove map statements
like this dynamically is a missing feature that also makes UPnP
difficult to implement.

christos
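
The distinction drawn in this thread, as an added example that is not part of the original messages and is not npf code: a pre-load check that separates `on <ifname>` references (load with a warning) from `inet4(<ifname>)`/`inet6(<ifname>)` address references (ruleset rejected when the interface is absent). The function name, the regular expressions, the `$foohost` address and the sample text are constructed for illustration; the sample is a set of rule fragments, not a complete npf.conf.

```python
import re
import socket
import sys

# Constructed sample built from the rule lines quoted in this thread.
# The $foohost address is a placeholder from the documentation range.
SAMPLE_CONF = """\
$vpn_if = inet4(tun0)
$foohost = 192.0.2.10
map $vpn_if dynamic $foohost port 22 <- $foohost port 24
pass final on ppp0 all
pass final on ppp1 all
pass final on lo0 all
"""

# inet4(ifname) / inet6(ifname): needs the interface's address at load time.
ADDR_REF = re.compile(r"\binet[46]\(\s*([A-Za-z0-9_.]+)\s*\)")
# "on ifname": a literal interface name in a rule ($variables are skipped).
ON_REF = re.compile(r"\bon\s+([A-Za-z][A-Za-z0-9_.]*)\b")


def classify(conf_text, present):
    """Return (fatal, warn) lists of (line_number, ifname) for interfaces
    that are referenced in conf_text but missing from the set `present`."""
    fatal, warn = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        for ifname in ADDR_REF.findall(line):
            if ifname not in present:
                fatal.append((lineno, ifname))
        for ifname in ON_REF.findall(line):
            if ifname not in present:
                warn.append((lineno, ifname))
    return fatal, warn


if __name__ == "__main__":
    # Interfaces that exist right now on this host.
    present = {name for _, name in socket.if_nameindex()}
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    fatal, warn = classify(text, present)
    for lineno, ifname in warn:
        print(f"line {lineno}: rule on missing {ifname} (loads with a warning)")
    for lineno, ifname in fatal:
        print(f"line {lineno}: address of missing {ifname} (ruleset rejected)")
    sys.exit(1 if fatal else 0)
```

Run before the ruleset is loaded at boot, a non-zero exit status identifies the case described above, where the filter would otherwise come up without its rules.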


