PF pfctl rdr to localhost and bridge

Hello

I'm trying to set up a transparent Squid proxy on a bridge using PF. It looks like the redirected TCP connection is blocked. But it cannot be blocked because I have "pass" for everything. It's almost like the redirected traffic disappeared.

The rdr rule comes from pf.conf(5) and it works when the system acts as a router instead of bridge.

Rule (a.k.a /tmp/rules):
Code:
set skip on lo0                 # do not filter loopback
set block-policy return         # blocked packets get a RST/ICMP instead of a silent drop
# redirect inbound HTTP arriving on fxp0 to the local Squid listener, log the match
rdr pass log on fxp0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
pass in log
pass out keep state

I've tested the following sequence using live CD FreeBSD-10.3-RELEASE-amd64-mini-memstick and FreeBSD-11.0-RELEASE-amd64-mini-memstick. Both with the same result.

Code:
ifconfig bridge create                  # creates bridge0
ifconfig bridge0 addm fxp0 addm em0     # add both NICs as bridge members
ifconfig fxp0 up
ifconfig em0 up
ifconfig bridge0 192.168.26.2           # management address on the bridge itself
service pf onestart
service pflog onestart
vi /tmp/rules                           # the ruleset shown above
pfctl -f /tmp/rules                     # load the ruleset
pfctl -e                                # enable pf
nc -l 127.0.0.1 8080                    # stand-in for the Squid listener

The nc receives nothing, and pfctl -s states shows that the connection is not established:
Code:
all tcp 127.0.0.1:8080 (8.8.178.110:80) <- 192.168.26.37:1438       CLOSED:SYN_SENT
But the rdr rule matched; tcpdump -tt -eni pflog0 shows:
Code:
1481179615.198895 rule 0..16777216/0(match): rdr in on fxp0: 192.168.26.37.1438 > 127.0.0.1.8080: Flags [S], seq 1732094875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 117825669 ecr 0], length 0

What am I missing? PF should not block anything here.
The same rule works without a bridge (the system acts as a router instead), and it is the one suggested at http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf.
A slightly modified rule works on a bridge, when the traffic is redirected to another host and still goes out the same output interface.
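Added diagnostic, not part of the original post: a small Python script that correlates the rdr matches from the pflog0 tcpdump output with the pfctl -s states table, and reports redirected inbound SYNs whose state never left CLOSED:SYN_SENT (the symptom above: the rule matched but the local listener never answered). The sample lines are constructed after the two outputs quoted in the post; the regexes assume exactly those line formats.

```python
import re

# Constructed sample input, modelled on the two outputs quoted in the post.
PFLOG_SAMPLE = (
    "1481179615.198895 rule 0..16777216/0(match): rdr in on fxp0: "
    "192.168.26.37.1438 > 127.0.0.1.8080: Flags [S], seq 1732094875, "
    "win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 117825669 ecr 0], length 0\n"
)
STATES_SAMPLE = (
    "all tcp 127.0.0.1:8080 (8.8.178.110:80) <- 192.168.26.37:1438       CLOSED:SYN_SENT\n"
)

# tcpdump -tt -eni pflog0: "rule N/M(match): <action> <dir> on <if>: src.sport > dst.dport: Flags [..]"
PFLOG_RE = re.compile(
    r"rule \S+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# pfctl -s states, rdr entry: "<if> tcp dst:dport (orig_dst:orig_dport) <- src:sport   STATE"
STATE_RE = re.compile(
    r"^(?P<ifname>\S+) tcp (?P<dst>[\d.]+):(?P<dport>\d+) \((?P<odst>[\d.]+):(?P<odport>\d+)\) "
    r"<- (?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<state>\S+)$"
)

def parse_pflog(text):
    return [m.groupdict() for m in map(PFLOG_RE.search, text.splitlines()) if m]

def parse_states(text):
    return [m.groupdict() for m in map(STATE_RE.match, text.splitlines()) if m]

def stalled_redirects(pflog_text, states_text):
    """Return (src, sport, dst, dport, ifname) for every rdr-matched inbound SYN
    whose state is still CLOSED:SYN_SENT, i.e. the redirected packet created a
    state entry but the local listener never replied with a SYN-ACK."""
    states = {(s["src"], s["sport"], s["dst"], s["dport"]): s["state"]
              for s in parse_states(states_text)}
    stalled = []
    for e in parse_pflog(pflog_text):
        if e["action"] != "rdr" or e["dir"] != "in" or e["flags"] != "S":
            continue  # only plain inbound SYNs that hit a rdr rule are of interest
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        if states.get(key) == "CLOSED:SYN_SENT":
            stalled.append(key + (e["ifname"],))
    return stalled

if __name__ == "__main__":
    for src, sport, dst, dport, ifname in stalled_redirects(PFLOG_SAMPLE, STATES_SAMPLE):
        print(f"rdr on {ifname}: {src}:{sport} -> {dst}:{dport} never got a SYN-ACK")
```

On a live box, feed it the real outputs (tcpdump -tt -eni pflog0 and pfctl -s states) instead of the constructed samples.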