
Passthrough IP addresses don't work

Open Grisambre opened this issue 6 years ago • 1 comments

Hi :)

[Using PF 8.1 patched with latest patches on Debian 8.11 in inline mode, without NAT]

We need machines from the registration VLAN to be able to reach some server on our network before being registered. That is done, I understand, using the "Passthrough" domains from the GUI Configuration/Network/Fencing menu. The server can only be reached using their IP address, no domain names possible.

Unfortunately, it seems that PacketFence is not actually accepting IP addresses there (only domains for pfdns to work with). So if I enter an IP address, for example 10.0.4.67:377, that will not work (IP not added to the ipset group "pfsession_passthrough").

If I manually perform an "ipset add pfsession_passthrough 10.0.4.67,tcp/377" that works (my server is accessible from the registration VLAN before registration). However, it is not persistent. Furthermore, if I try to add that to /etc/ipset.conf with the proper "ipset save pfsession_passthrough >/etc/ipset.conf" that doesn't work either after a reboot. I am considering updating the pf/conf/iptables.conf file but am not sure if I'm not going to break anything...

So ideally, I would like the "passthrough" fields in the PacketFence configuration to be able to accept IP addresses instead of only FQDNs.

In the meantime, I would appreciate advice on how to proceed "under the hood"? Can I adjust pf/conf/iptables.conf safely?

Thank you very much in advance, and thank you again for your work on this great product!

Best regards, Nicolas

Grisambre avatar Aug 23 '18 14:08 Grisambre
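
The mapping described in the report above, from a passthrough entry such as 10.0.4.67:377 to the ipset member 10.0.4.67,tcp/377, written out as an added example; it is not part of the original post and is not PacketFence code. The function names and the optional `ip:proto:port` form are assumptions, and the input is validated strictly because it ends up as an argument to a firewall command run as root.

```python
import ipaddress
import re

# Hypothetical helper (assumption): not PacketFence's parser.
SET_NAME = "pfsession_passthrough"  # ipset name quoted in the report
_FQDN = re.compile(r"^(\*\.)?([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_PORT = re.compile(r"^[0-9]{1,5}$")


def classify(entry):
    """Return ("ip", ipset_member) or ("fqdn", host) for one passthrough entry.

    Accepted forms (assumed syntax): host:port or host:proto:port.
    Raises ValueError for anything else, so malformed or hostile input
    never reaches the ipset command line.
    """
    parts = entry.strip().split(":")
    if len(parts) == 2:
        host, proto, port = parts[0], "tcp", parts[1]
    elif len(parts) == 3:
        host, proto, port = parts[0], parts[1].lower(), parts[2]
    else:
        raise ValueError("expected host:port or host:proto:port")
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    if not _PORT.match(port) or not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535")
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        # Not an IPv4 literal: only a well-formed domain is acceptable,
        # and a domain is left to DNS-based handling, not added by IP.
        if _FQDN.match(host):
            return ("fqdn", host)
        raise ValueError("host is neither an IPv4 address nor a domain")
    return ("ip", "%s,%s/%d" % (ip, proto, int(port)))


def ipset_argv(entry):
    """Build the argv list for the manual 'ipset add' from the report."""
    kind, member = classify(entry)
    if kind != "ip":
        raise ValueError("only IP entries are added to the set directly")
    # A list (no shell string) keeps the member from being re-parsed by a shell.
    return ["ipset", "add", SET_NAME, member]


if __name__ == "__main__":
    print(" ".join(ipset_argv("10.0.4.67:377")))
```
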

Seems like a legit feature

julsemaan avatar Aug 27 '18 14:08 julsemaan