From owner-freebsd-pf@freebsd.org  Tue Jan  5 19:49:09 2021
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id CE4734C80D1
 for <freebsd-pf@mailman.nyi.freebsd.org>; Tue,  5 Jan 2021 19:49:09 +0000 (UTC)
 (envelope-from ddobrev85@gmail.com)
Received: from mail-vk1-xa32.google.com (mail-vk1-xa32.google.com
 [IPv6:2607:f8b0:4864:20::a32])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4D9NNj5Gk5z3DHx;
 Tue,  5 Jan 2021 19:49:09 +0000 (UTC)
 (envelope-from ddobrev85@gmail.com)
Received: by mail-vk1-xa32.google.com with SMTP id d6so245269vkb.13;
 Tue, 05 Jan 2021 11:49:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=Zs673p3xc2xKmK7TK7Uj8G4sGrqOygdDYLpXTtwzZko=;
 b=CZC7ZuNgv1RGH0q07OMouZIVwoL3aBIPgTwhd8RaVzILEYuPwyk+Yf1ylqDdNToU8P
 QSGNjMLhAi9QDmuI3e1X0PbsW2bksaNiJ6OkRneyCnvzEmYmWIHtsrXpp5YP2h8OpGDH
 RhjeRbEXX7hkLrjlr3ThEaZGig86d3DTzO7/76xl++RtwdaUn5bB+R0afFrnxXfjkj5P
 pimRih7Lh1aFthjJJNIkyAYlKnJdbT9f1aiuSJUx+2dqhqZKauStyVFp5Kd6v7GoRC5Y
 ZFOLyaNc4zkhUelcnAmiL6EVKRF67cm9angZDHP19Ykl/iTCKrmWb84IOJgga13+bNWU
 h6VQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=Zs673p3xc2xKmK7TK7Uj8G4sGrqOygdDYLpXTtwzZko=;
 b=ME+r/SjE+EpiBOotO9oEOa0XJ0fp/jQ/j8NZOt5N+sFNEDIykXeuTMdEZNkBrblGNu
 vZS4N5mEEoDYosQwA/DZ/CQoOS/82OZ3LTzNe6elj3nvkHCQPC8RrZYvEimT4ZBb5I/v
 mxs5jxOlszefuwdVT3iLcuDCIa3v9kFzqWWiCS5ZyAyYNy6s/qNwomN9fUEnWfhWpn0R
 N6Re+u3Ovbmyurc7NV4fD7Kfv6kydoU4iVPwaokYDBGm0+eajAH2rvnZFlcVoNqtR+KY
 B5g38lrwkG1Ahf80WFLfVRrjlxWuF9CUddg81ixXKSTHY9dnO43MjUyb/8LqAsSO0h/L
 YjHw==
X-Gm-Message-State: AOAM5303HXoM3lH8HCAobiMtjli2NAtICTPAlLSgGHncXAyWAcw/45su
 4O40n5ckzVpAor4lGVo8wl8sT0S3y2Ri4UR7+EvjdmGzsDU=
X-Google-Smtp-Source: ABdhPJxnhJyftoc2NFMPMFm5thdhx8wx1XDrM2qwqQ09gVGuaYOZ22ZmJXHLg5hPAw9Zdm41QxyL5rAQNBmCDzoxKnk=
X-Received: by 2002:a1f:9310:: with SMTP id v16mr1082198vkd.25.1609876148476; 
 Tue, 05 Jan 2021 11:49:08 -0800 (PST)
MIME-Version: 1.0
References: <CAJHkgnf=0-PMPGRm0-K_rNoKO7w-RHTSVVnLuDNLM7o_G4=eAg@mail.gmail.com>
 <DFFD64A3-2B3D-42A5-BFF2-47D6542D6930@FreeBSD.org>
 <CAJHkgnfpYZD2qmMJjE=dQX8xnAGwb0e5mvCyc6Xz2JFD_N2JfQ@mail.gmail.com>
 <83031927-43B1-4B9F-981E-CD77620DE5E5@FreeBSD.org>
In-Reply-To: <83031927-43B1-4B9F-981E-CD77620DE5E5@FreeBSD.org>
From: Dobri Dobrev <ddobrev85@gmail.com>
Date: Tue, 5 Jan 2021 21:48:55 +0200
Message-ID: <CAJHkgnfgzci6SBaN5Z=Qp_AuzY=DU09Rb7et5yCqb8351FOjMw@mail.gmail.com>
Subject: Re: PF not keeping counters in a counters-defined table
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-pf@freebsd.org
X-Rspamd-Queue-Id: 4D9NNj5Gk5z3DHx
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Content-Filtered-By: Mailman/MimeDel 2.1.34
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 19:49:09 -0000

Hopefully someone else will be able to help.

On Tue, Jan 5, 2021 at 9:42 PM Kristof Provost <kp@freebsd.org> wrote:

> On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> > You are correct, Kristof.
> >
> > If I place the table in the rdr rule - it starts keeping counters,
> > however,
> > what is the point of having the ability to place a table in a
> > rdr-anchor
> > rule in the first place, if it won't be able to keep counters?
> >
> Tables are not just about counters. They=E2=80=99re about making a rule f=
ilter
> on a whole selection of addresses (or ranges).
> In this case you=E2=80=99re choosing to filter what traffic may go into t=
he
> anchor.
> Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
> in the anchor itself?
>
> > I'm doing the followi ng scenario:
> > table <xyztable> counters
> > table <othertable> persist
> >
> > rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> > no-rdr on igb0 from any to <othertable> port 123
> > rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> > # contents of /etc/ASDFGH-anchor:
> > # (tested separately)
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 ->
> > 192.168.0.1
> > port 124 # no counters
> > # rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 ->
> > 192.168.0.1 port 124 # counters working
> >
> > So, in this case - how do I keep counters in the <xyztable> without
> > breaking the current "workflow"?
> > If IP 192.168.0.1 is not in <othertabe> and I have <xyztable> on all
> > rdr
> > rules @ the anchor - I won't ever be able to reach
> > 123->192.168.0.1:124
> >
> > Is there a way?
>
> I have no idea, and I=E2=80=99m not the best person to talk to about how =
to
> configure your firewall.
>
> Best regards,
> Kristof
>