Date: Sun, 21 Dec 2014 20:29:06 +0100 (CET)
From: krichy@tvnetwork.hu
To: freebsd-pf@freebsd.org
Subject: nested anchors

Dear pf devs,

I found that on FreeBSD 10.1 nested anchors do not work. This simple config
passes traffic from any to 10.2.1.0/24:

    anchor from any to 10.2.1.0/24 {
        pass quick all
        block
        block log (to pflog1)
    }

If the inner pass is enclosed in another anchor, then the filter drops
packets:

    anchor from any to 10.2.1.0/24 {
        anchor all {
            pass quick all
            block
        }
        block log (to pflog1)
    }

It would be very nice to have this working.

Regards,

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.