From: Ole Myhre
To: freebsd-gnats-submit@FreeBSD.org
Date: Tue, 22 Oct 2013 11:15:18 GMT
Message-Id: <201310221115.r9MBFIb4088403@oldred.freebsd.org>
Subject: kern/183198: pf tables not loaded if only used inside anchor
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Tue, 22 Oct 2013 11:20:00 GMT

>Number:         183198
>Category:       kern
>Synopsis:       pf tables not loaded if only used inside anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 11:20:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Ole Myhre
>Release:        10.0-BETA1
>Organization:
>Environment:
FreeBSD fw 10.0-BETA1 FreeBSD 10.0-BETA1 #0 r256420: Sun Oct 13 01:43:07 UTC 2013     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When using tables in pf (either manually created tables or automatic tables created from macros/rules), and those tables are only being used inside anchors, the tables are not loaded when running "pfctl -f".

This causes some problems, especially if you are using macros for groups of addresses, and that group is converted to an automatic table. So the rule inside the anchor works when you only have a few addresses in the macro, but if you add a few more addresses, the rule would point to a table that's not loaded.

I see the same behavior on 9.1-RELEASE.

Example with manual table:

# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
block in
anchor "em0" on em0 {
    pass in from <test>
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in from <test> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t test -T show
pfctl: Table does not exist.
# echo "pass in on em0 from <test>" >> /etc/pf.conf
# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
block in
anchor "em0" on em0 {
    pass in from <test>
}
pass in on em0 from <test>
# pfctl -f /etc/pf.conf
# pfctl -sT
test
# pfctl -t test -T show
   10.0.0.1
   10.0.0.2
   10.0.0.3

Example with automatic table:

# cat /etc/pf.conf
block in
anchor "em0" on em0 {
    pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_13de2d31_0> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t __automatic_13de2d31_0 -T show
pfctl: Table does not exist.
# echo "pass in on em0 from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }" >> /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state
# pfctl -sT
__automatic_b3d57307_0
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
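As an added example, not part of the PR and not code from pf or pfctl: a small shell check that compares the table names referenced anywhere in the loaded ruleset (anchors included, via pfctl -sr -a '*') against the tables pfctl -sT reports, so a ruleset that hits the behaviour described in the PR is flagged right after pfctl -f instead of when traffic stops matching. The function names missing_tables and check_pf_tables, and the SAMPLE_RULES / SAMPLE_TABLES text, are my own and constructed for illustration; only the two pfctl invocations inside check_pf_tables are the real commands used in the PR, and that wrapper needs root on a host with pf loaded.

```shell
#!/bin/sh
# Added example, not from the PR or from pfctl itself.
# missing_tables RULES TABLES
#   RULES:  text in the format printed by  pfctl -sr -a '*'
#   TABLES: text in the format printed by  pfctl -sT  (one table name per line)
# Prints every <table> referenced in RULES that is absent from TABLES, one per
# line, sorted in C locale; prints nothing when every referenced table is loaded.
missing_tables() {
    rules=$1
    tables=$2
    # split the rule dump into whitespace-separated tokens, keep only tokens of
    # the exact form <name>, strip the angle brackets, dedupe
    printf '%s\n' "$rules" | tr ' \t' '\n\n' |
        sed -n 's/^<\([^<>]*\)>$/\1/p' | LC_ALL=C sort -u |
        while IFS= read -r name; do
            # -x: whole-line match, -F: literal (automatic table names contain no
            # regex metacharacters, but do not rely on that)
            printf '%s\n' "$tables" | grep -qxF -- "$name" || printf '%s\n' "$name"
        done
}

# Live check (root, pf loaded): dump all anchors and the table list, compare.
# Usage:  pfctl -f /etc/pf.conf && check_pf_tables
check_pf_tables() {
    missing_tables "$(pfctl -sr -a '*')" "$(pfctl -sT)"
}

# Constructed sample, modelled on the PR's transcript (not captured from a host):
# the anchor rule references <admins>, the main ruleset references an automatic
# table, and only the automatic table shows up in the pfctl -sT listing.
SAMPLE_RULES='block drop in all
anchor "em0" on em0 all {
  pass in from <admins> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state'
SAMPLE_TABLES='__automatic_b3d57307_0'

# Expected output: admins
missing_tables "$SAMPLE_RULES" "$SAMPLE_TABLES"
```

Because the names are read from the live rule dump rather than from pf.conf, the check also covers automatic tables, whose generated names change between loads as the PR's second transcript shows. A non-empty result right after pfctl -f is the signal to act on; an empty result only says every referenced table exists, not that its contents are what the macro expanded to.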