From: Dobri Dobrev
Date: Tue, 5 Jan 2021 15:42:43 +0200
Subject: PF not keeping counters in a counters-defined table
To: freebsd-pf@freebsd.org
# ------------------------------------------------------------------------------------------------
# /etc/pf.conf:
set timeout tcp.first 45
set timeout tcp.opening 45
set timeout tcp.closing 15
set timeout tcp.finwait 15
set timeout tcp.closed 10
set timeout interval 10
set timeout tcp.established 3600
set timeout src.track 10

set limit table-entries 500000
set limit states 2000000
set limit src-nodes 2000000
set require-order no
set block-policy drop
set ruleset-optimization basic

set skip on lo0

table counters
rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# contents of /etc/ASDFGH-anchor:
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# ------------------------------------------------------------------------------------------------

# ------------------------------------------------------------------------------------------------
# Add the IP in the table:
# pfctl -t xyztable -T add 192.168.0.101

Daemon listening on 124, "client" sends traffic to 123 which is redirected to 124 by the rdr-anchor.
I send some TCP traffic from 192.168.0.101 to 192.168.0.1 port 123 (and receive responses), however, the table has 0 counters.
# ------------------------------------------------------------------------------------------------
# pfctl -t xyztable -T show -vv
No ALTQ support in kernel
ALTQ related functions disabled
   192.168.0.101
        Cleared:     Mon Jan  4 23:42:55 2021
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 0                  Bytes: 0                  ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 0                  Bytes: 0                  ]

From: Kristof Provost
To: Dobri Dobrev
Cc: freebsd-pf@freebsd.org
Subject: Re: PF not keeping counters in a counters-defined table
Date: Tue, 05 Jan 2021 19:58:46 +0100
On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> # ------------------------------------------------------------------------------------------------
> # /etc/pf.conf:
> set timeout tcp.first 45
> set timeout tcp.opening 45
> set timeout tcp.closing 15
> set timeout tcp.finwait 15
> set timeout tcp.closed 10
> set timeout interval 10
> set timeout tcp.established 3600
> set timeout src.track 10
>
> set limit table-entries 500000
> set limit states 2000000
> set limit src-nodes 2000000
> set require-order no
> set block-policy drop
> set ruleset-optimization basic
>
> set skip on lo0
>
> table counters
> rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
>
> # contents of /etc/ASDFGH-anchor:
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> #

Use pflog to confirm, but I’m pretty sure your issue is that you’re hitting the rdr rule in the anchor, which doesn’t contain the table with the counters rather than the anchor rule.

Counts are only done on the final matching rule, not on all of the rules looked at along the way.
Regards,
Kristof

From: Dobri Dobrev
Date: Tue, 5 Jan 2021 21:35:22 +0200
Subject: Re: PF not keeping counters in a counters-defined table
To: Kristof Provost
Cc: freebsd-pf@freebsd.org

You are correct, Kristof.

If I place the table in the rdr rule - it starts keeping counters, however, what is the point of having the ability to place a table in a rdr-anchor rule in the first place, if it won't be able to keep counters?
I'm doing the following scenario:
table counters
table persist

rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
no-rdr on igb0 from any to port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"
# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # no counters
# rdr on igb0 proto tcp from to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # counters working

So, in this case - how do I keep counters in the without breaking the current "workflow"?
If IP 192.168.0.1 is not in and I have on all rdr rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124

Is there a way?

On Tue, Jan 5, 2021 at 8:58 PM Kristof Provost wrote:
> On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> > # ------------------------------------------------------------------------------------------------
> > # /etc/pf.conf:
> > set timeout tcp.first 45
> > set timeout tcp.opening 45
> > set timeout tcp.closing 15
> > set timeout tcp.finwait 15
> > set timeout tcp.closed 10
> > set timeout interval 10
> > set timeout tcp.established 3600
> > set timeout src.track 10
> >
> > set limit table-entries 500000
> > set limit states 2000000
> > set limit src-nodes 2000000
> > set require-order no
> > set block-policy drop
> > set ruleset-optimization basic
> >
> > set skip on lo0
> >
> > table counters
> > rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> >
> > # contents of /etc/ASDFGH-anchor:
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> > #
> Use pflog to confirm, but I’m pretty sure your issue is that you’re hitting the rdr rule in the anchor, which doesn’t contain the table with the counters rather than the anchor rule.
> Counts are only done on the final matching rule, not on all of the rules looked at along the way.
>
> Regards,
> Kristof
>

From: Kristof Provost
To: Dobri Dobrev
Cc: freebsd-pf@freebsd.org
Subject: Re: PF not keeping counters in a counters-defined table
Date: Tue, 05 Jan 2021 20:42:16 +0100
On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> You are correct, Kristof.
>
> If I place the table in the rdr rule - it starts keeping counters, however, what is the point of having the ability to place a table in a rdr-anchor rule in the first place, if it won't be able to keep counters?
>
Tables are not just about counters. They’re about making a rule filter on a whole selection of addresses (or ranges).
In this case you’re choosing to filter what traffic may go into the anchor.
Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule in the anchor itself?

> I'm doing the following scenario:
> table counters
> table persist
>
> rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
> no-rdr on igb0 from any to port 123
> rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
> # contents of /etc/ASDFGH-anchor:
> # (tested separately)
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # no counters
> # rdr on igb0 proto tcp from to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # counters working
>
> So, in this case - how do I keep counters in the without breaking the current "workflow"?
> If IP 192.168.0.1 is not in and I have on all rdr rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
>
> Is there a way?

I have no idea, and I’m not the best person to talk to about how to configure your firewall.
Best regards,
Kristof

From: Dobri Dobrev
Date: Tue, 5 Jan 2021 21:48:55 +0200
Subject: Re: PF not keeping counters in a counters-defined table
To: Kristof Provost
Cc: freebsd-pf@freebsd.org

Hopefully someone else will be able to help.

On Tue, Jan 5, 2021 at 9:42 PM Kristof Provost wrote:
> On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> > You are correct, Kristof.
> >
> > If I place the table in the rdr rule - it starts keeping counters, however, what is the point of having the ability to place a table in a rdr-anchor rule in the first place, if it won't be able to keep counters?
> >
> Tables are not just about counters. They’re about making a rule filter on a whole selection of addresses (or ranges).
> In this case you’re choosing to filter what traffic may go into the anchor.
> Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule in the anchor itself?
>
> > I'm doing the following scenario:
> > table counters
> > table persist
> >
> > rdr-anchor "ASDFGH" on igb0 proto tcp from to any port 123
> > no-rdr on igb0 from any to port 123
> > rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> > # contents of /etc/ASDFGH-anchor:
> > # (tested separately)
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # no counters
> > # rdr on igb0 proto tcp from to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # counters working
> >
> > So, in this case - how do I keep counters in the without breaking the current "workflow"?
> > If IP 192.168.0.1 is not in and I have on all rdr rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
> >
> > Is there a way?
>
> I have no idea, and I’m not the best person to talk to about how to configure your firewall.
>
> Best regards,
> Kristof
>
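Added example, not from the thread and not a configuration either poster published: one way to get counters on the table while still redirecting every other client, built on Kristof's two points (a table decides what a rule matches; only the final matching rule is counted). It assumes pf's documented first-match evaluation of translation rules; the untabled second rdr rule is the assumption here, the table, anchor and addresses are the ones used in the thread.

```pf
# Added example, not from the thread: /etc/pf.conf fragment.
# Table and anchor names are the ones used in the thread.
table <xyztable> counters persist

# Steer all TCP port 123 traffic on igb0 into the anchor. The table is
# deliberately NOT on this rule: a match here is only looked at along the
# way, so it is never the rule whose counters get updated.
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor
# Translation rules are evaluated first-match (pf.conf(5)). A source that
# is in <xyztable> stops at this rule; it is the final matching rule, so
# the table counters are updated for that packet.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# Any other source falls through to this untabled rule (the assumption
# added here) and is still redirected to port 124, so nothing is lost.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

Add members with pfctl -t xyztable -T add and check with pfctl -t xyztable -T show -vv as in the first message; a member's counters should now move, while a source not in the table still reaches 192.168.0.1:124.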