Bug 259840 - pf: matching both receive and xmit interface in single rule
Summary: pf: matching both receive and xmit interface in single rule
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 12.2-STABLE
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-15 04:09 UTC by Ozkan KIRIK
Modified: 2021-11-15 04:09 UTC (History)
0 users

See Also:


Attachments

Description Ozkan KIRIK 2021-11-15 04:09:29 UTC
I'm looking for a solution to match a traffic received on igb0 and xmit on igb1.
According to man page, ipfw(8) supports this syntax:

ipfw add deny ip from any to any out recv ed0 xmit ed1

     The recv interface can be tested on either incoming or outgoing
     packets, while the xmit interface can only be tested on outgoing
     packets.  So out is required (and in is invalid) whenever xmit is
     used.


I used a workaround for this requirement:
- pass quick in on igb0 all keep state (if-bound) tag rule1_IN_IGB0
- pass quick out on igb1 all tagged rule1_IN_IGB0 keep state (if-bound)


But this syntax has disadvantages:
- if tags are used for NAT, one of the tags will be lost, because pf has
only single tag support.
- reading and writing of rules becomes complicated

Is it possible to add support for this feature like ipfw or
alternatively is it possible to have a separate tag for nat tag?

Regards
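The tag-based workaround described in the report, written out as a complete pf.conf fragment. This is an added example, not configuration from the bug report or from the FreeBSD project; the interface names, the sample network and the tag names are assumptions, and the NAT rule is left commented out to show where the single-tag limitation bites.

```pf
# Added example (not from the bug report): a constructed pf.conf fragment
# showing how two tagged rules approximate ipfw's "recv igb0 xmit igb1".
# Interface names, the sample network and the tag names are assumptions.
int_if  = "igb0"            # receive interface
ext_if  = "igb1"            # transmit interface
lan_net = "192.0.2.0/24"    # constructed sample network

# Translation rules must precede filter rules in pf.conf. A NAT rule that
# also tags the same traffic would compete with FWD_IGB0_IGB1 below: a
# packet carries only one tag, so one of the two tags is lost. Kept
# commented out for that reason.
# nat on $ext_if inet from $lan_net to any -> ($ext_if) tag NAT_OUT

# Step 1: mark traffic as it is received on igb0. The tag is stored with
# the state entry, so it follows the packet through the forwarding path.
pass quick in on $int_if inet from $lan_net to any \
    keep state (if-bound) tag FWD_IGB0_IGB1

# Step 2: on igb1, only let traffic carrying that tag out. Together the
# pair matches "received on igb0 and transmitted on igb1".
pass quick out on $ext_if inet tagged FWD_IGB0_IGB1 \
    keep state (if-bound)

# Everything else leaving igb1 is dropped and logged to pflog, so traffic
# that did not arrive via igb0 is visible rather than silently passed.
block log out on $ext_if inet
```

Syntax-check the fragment without loading it using `pfctl -nf /etc/pf.conf` (substitute the file path you use). Note that the final block rule also covers traffic originated by the firewall host itself on igb1; add explicit pass rules for that traffic if the host needs it.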