Date: Tue, 05 Jan 2021 20:42:16 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Dobri Dobrev" <ddobrev85@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF not keeping counters in a counters-defined table
Message-ID: <83031927-43B1-4B9F-981E-CD77620DE5E5@FreeBSD.org>
In-Reply-To: <CAJHkgnfpYZD2qmMJjE=dQX8xnAGwb0e5mvCyc6Xz2JFD_N2JfQ@mail.gmail.com>
References: <CAJHkgnf=0-PMPGRm0-K_rNoKO7w-RHTSVVnLuDNLM7o_G4=eAg@mail.gmail.com> <DFFD64A3-2B3D-42A5-BFF2-47D6542D6930@FreeBSD.org> <CAJHkgnfpYZD2qmMJjE=dQX8xnAGwb0e5mvCyc6Xz2JFD_N2JfQ@mail.gmail.com>
On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> You are correct, Kristof.
>
> If I place the table in the rdr rule - it starts keeping counters, however,
> what is the point of having the ability to place a table in a rdr-anchor
> rule in the first place, if it won't be able to keep counters?
>
Tables are not just about counters. They’re about making a rule filter on a whole selection of addresses (or ranges). In this case you’re choosing to filter what traffic may go into the anchor.

Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule in the anchor itself?

> I'm doing the following scenario:
> table <xyztable> counters
> table <othertable> persist
>
> rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> no-rdr on igb0 from any to <othertable> port 123
> rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
> # contents of /etc/ASDFGH-anchor:
> # (tested separately)
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> # rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
>
> So, in this case - how do I keep counters in the <xyztable> without
> breaking the current "workflow"?
> If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr
> rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124
>
> Is there a way?

I have no idea, and I’m not the best person to talk to about how to configure your firewall.

Best regards,
Kristof
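As an added illustration of the suggestion in this reply (a constructed ruleset, not one posted or tested by either participant), this is one way to lay the rules out so that <xyztable> is referenced on an rdr rule inside the anchor, where the counters are accounted, instead of on the rdr-anchor line. It assumes pf's documented first-match semantics for translation rules, so the table rule is tried before the catch-all and other sources still reach 192.168.0.1:124:

```conf
# /etc/pf.conf (constructed example)
table <xyztable> counters
table <othertable> persist

# Let all port-123 TCP traffic into the anchor. No table filter here: a table
# referenced only on the rdr-anchor line does not update its counters.
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor (constructed example)
# Translation rules are first-match: sources in <xyztable> stop here, and
# this is the rule on which pf counts the table hits.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Destinations in <othertable> stay exempt, as in the original ruleset.
no rdr on igb0 from any to <othertable> port 123

# Every other source is still redirected to 192.168.0.1:124.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

After loading, `pfctl -t xyztable -T show -v` prints the per-address counters and `pfctl -a ASDFGH -s nat` shows the rules that ended up inside the anchor, which is a quick way to confirm the table rule is the one being matched.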