Date: Tue, 5 Jan 2021 21:35:22 +0200
From: Dobri Dobrev <ddobrev85@gmail.com>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF not keeping counters in a counters-defined table
Message-ID: <CAJHkgnfpYZD2qmMJjE=dQX8xnAGwb0e5mvCyc6Xz2JFD_N2JfQ@mail.gmail.com>
In-Reply-To: <DFFD64A3-2B3D-42A5-BFF2-47D6542D6930@FreeBSD.org>
References: <CAJHkgnf=0-PMPGRm0-K_rNoKO7w-RHTSVVnLuDNLM7o_G4=eAg@mail.gmail.com> <DFFD64A3-2B3D-42A5-BFF2-47D6542D6930@FreeBSD.org>
You are correct, Kristof. If I place the table in the rdr rule - it starts keeping counters, however, what is the point of having the ability to place a table in a rdr-anchor rule in the first place, if it won't be able to keep counters?

I'm doing the following scenario:

table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124             # no counters
# rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124      # counters working

So, in this case - how do I keep counters in the <xyztable> without breaking the current "workflow"? If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124

Is there a way?
On Tue, Jan 5, 2021 at 8:58 PM Kristof Provost <kp@freebsd.org> wrote:
> On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> > #
> > ------------------------------------------------------------------------------------------------
> > # /etc/pf.conf:
> > set timeout tcp.first 45
> > set timeout tcp.opening 45
> > set timeout tcp.closing 15
> > set timeout tcp.finwait 15
> > set timeout tcp.closed 10
> > set timeout interval 10
> > set timeout tcp.established 3600
> > set timeout src.track 10
> >
> > set limit table-entries 500000
> > set limit states 2000000
> > set limit src-nodes 2000000
> > set require-order no
> > set block-policy drop
> > set ruleset-optimization basic
> >
> > set skip on lo0
> >
> > table <xyztable> counters
> > rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> >
> > # contents of /etc/ASDFGH-anchor:
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> > #
> Use pflog to confirm, but I'm pretty sure your issue is that you're
> hitting the rdr rule in the anchor, which doesn't contain the table
> with the counters rather than the anchor rule.
> Counts are only done on the final matching rule, not on all of the rules
> looked at along the way.
>
> Regards,
> Kristof
>
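One way to get both behaviours at once, as an added example that is not from either poster: because pf translation rules are first-match, an anchor that lists the table-bound rdr before a catch-all rdr makes the first rule the final match for <xyztable> sources (where the counters are incremented) while every other source still falls through to the second. Table, anchor and interface names are taken from the thread; the pfctl checks at the end assume a root shell on the same host.

```pf
# /etc/pf.conf (added example, not the thread's own configuration)
table <xyztable> counters
table <othertable> persist

# One anchor rule is enough; the per-source decision moves into the anchor.
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor
# Translation rules are first-match, so order matters: the table-bound rule
# is the final matching rule for <xyztable> sources, which is the rule pf
# counts on. Sources not in the table miss it and hit the catch-all below,
# so 192.168.0.1:123 is still redirected to :124 for everyone.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
rdr on igb0 proto tcp from any        to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Checks after "pfctl -f /etc/pf.conf":
#   pfctl -a ASDFGH -s nat -v      # per-rule Evaluations/Packets/Bytes: shows which rdr matched
#   pfctl -t xyztable -T show -vv  # per-address In/Out packet and byte counters of the table
```

If the table counters stay at zero while the second rule's packet counter rises, the client address is simply not in <xyztable>; that is the same "final matching rule" effect Kristof describes, now visible per rule.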