From: krichy@tvnetwork.hu
To: freebsd-pf@freebsd.org
Date: Mon, 22 Dec 2014 00:48:27 +0100 (CET)
Subject: Re: nested anchors

Dear all,

In OpenBSD, pfctl.c works right. There was a fix for this bug:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c?rev=1.300&content-type=text/x-cvsweb-markup

I think the relevant diff is:

--- pfctl.c.orig	2014-12-22 00:44:54.000000000 +0100
+++ pfctl.c	2014-12-22 00:41:20.000000000 +0100
@@ -1345,7 +1345,7 @@
 			else
 				snprintf(&path[len], MAXPATHLEN - len, "%s",
 				    r->anchor->name);
-			name = path;
+			name = r->anchor->name;
 		} else
 			name = r->anchor->path;
 	} else

It would be nice if this were applied.

Regards,

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.

On Sun, 21 Dec 2014, krichy@tvnetwork.hu wrote:

> Date: Sun, 21 Dec 2014 20:29:06 +0100 (CET)
> From: krichy@tvnetwork.hu
> To: freebsd-pf@freebsd.org
> Subject: nested anchors
>
> Dear pf devs,
>
> I found that on FreeBSD 10.1 nested anchors do not work.
>
> This simple config passes traffic from any to 10.2.1.0/24:
>
>   anchor from any to 10.2.1.0/24 {
>     pass quick all
>     block
>     block log (to pflog1)
>   }
>
> If the inner pass is enclosed in another anchor, then the filter drops
> packets:
>
>   anchor from any to 10.2.1.0/24 {
>     anchor all {
>       pass quick all
>       block
>     }
>     block log (to pflog1)
>   }
>
> It would be very nice to have this working.
>
> Regards,
>
> Kojedzinszky Richard
> Euronet Magyarorszag Informatika Zrt.
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
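Review bot: after the change to `name = r->anchor->name;` nothing visible in this hunk reads `path` any more, yet the `snprintf(&path[len], MAXPATHLEN - len, "%s", r->anchor->name);` just above it (and its `/%s` sibling in the `if` branch that the hunk's first context line implies) still writes into it; confirm that the appended component is consumed further down in the same function (for example as the ruleset path handed to the kernel alongside the rule) or those writes are now dead and should go with the fix. The `else` branch keeps `name = r->anchor->path;`, so only the inline-anchor case changes from a full path to a bare name; since that full-path value is what made the two-level config in the report fail while the one-level config worked, the commit that imports this should cite the OpenBSD pfctl.c rev 1.300 log linked in the message and add the two-level `anchor ... { anchor all { ... } }` config from the original report as a regression check.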
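To make the one-line diff above concrete, here is an added model, written for this thread and not taken from pfctl or the pf kernel, of what the kernel does with the anchor name that pfctl hands it for each inline `anchor ... {` rule. The resolution rules it encodes (a relative name is appended to the path of the ruleset the rule is loaded into, a leading `/` is absolute, `../` steps up one ruleset, a trailing `/*` marks a wildcard anchor) are the author's reading of pf's `pf_anchor_setup()` and are an assumption here, as are the anchor names `outer` and `inner`, which stand in for whatever names pfctl generates for inline anchors. The model goes a little beyond the two-level case in the report by also handling absolute, `../` and wildcard names, and it shows why a single inline anchor worked while a nested one sent traffic to an empty ruleset before the fix.

```python
"""Model of pf anchor-name resolution for the nested-anchor bug in the thread.

Added illustration, not code from pfctl or the pf kernel.  Resolution rules
are assumed from a reading of pf_anchor_setup(); anchor names are illustrative.
"""
from dataclasses import dataclass

MAXPATHLEN = 1024  # pf's limit on a ruleset path (assumed to match the C value)


@dataclass
class Resolved:
    path: str       # ruleset path the kernel attaches the anchor call to
    relative: int   # 0 = absolute name; otherwise 1 + number of '../' hops
    wildcard: bool  # True when the name ended in '/*'


def resolve_anchor(parent_path: str, name: str) -> Resolved:
    """Resolve an 'anchor NAME' call loaded into ruleset PARENT_PATH.

    '' is the main ruleset.  Relative names are appended to PARENT_PATH;
    a leading '/' makes the name absolute; each leading '../' strips one
    component from the parent; a trailing '/*' is a wildcard marker.
    """
    if name.startswith("/"):
        path, relative = name[1:], 0
    else:
        path, relative = parent_path, 1
        while name.startswith("../"):
            if not path:
                raise ValueError("'..' beyond root ruleset")
            path = path.rsplit("/", 1)[0] if "/" in path else ""
            relative += 1
            name = name[3:]
        path = f"{path}/{name}" if path else name
    wildcard = False
    if path.endswith("/*"):
        wildcard = True
        path = path[:-2]
    if len(path) >= MAXPATHLEN:
        raise ValueError("anchor path too long")
    return Resolved(path, relative, wildcard)


def pfctl_anchor_call(parent_path: str, anchor_name: str, fixed: bool) -> str:
    """The name pfctl sends with an inline anchor rule, mirroring the hunk.

    Before the fix the full path that snprintf() built ('parent/name') was
    sent; after it only the anchor's own name is.
    """
    full = f"{parent_path}/{anchor_name}" if parent_path else anchor_name
    return anchor_name if fixed else full


def load_nested(anchors: list[str], fixed: bool) -> list[tuple[str, str]]:
    """Walk nested inline anchors (outermost first) the way a load would.

    Returns, per anchor, (ruleset the anchor call resolves to, ruleset the
    anchor's own rules were loaded into).  When the two differ the call
    lands in an empty ruleset and evaluation falls through to the rules
    after it, which in the report is 'block log (to pflog1)'.
    """
    out = []
    path = ""
    for name in anchors:
        call = pfctl_anchor_call(path, name, fixed)
        target = resolve_anchor(path, call).path
        # the loader itself descends into parent/name for the anchor's rules
        path = f"{path}/{name}" if path else name
        out.append((target, path))
    return out


def main() -> None:
    for fixed in (False, True):
        label = "after fix " if fixed else "before fix"
        for target, loaded in load_nested(["outer", "inner"], fixed):
            status = "ok" if target == loaded else "EMPTY ruleset, falls through"
            print(f"{label}: call -> {target!r:22} rules in {loaded!r:14} {status}")


if __name__ == "__main__":
    main()
```

A single inline anchor in the main ruleset is unaffected either way, because with an empty parent path the "full path" and the bare name are the same string; only the second level diverges, which matches the report's observation that the one-level config passed traffic and the two-level one dropped it.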