From: Roman Bogorodskiy <novel@FreeBSD.org>
To: freebsd-pf@freebsd.org
Date: Tue, 27 Nov 2007 18:41:14 +0300
Subject: weird nested anchors behaviour

Hi,

I have a weird problem with pf nested anchors.
(18:31) novel@novel:~ %> sudo pfctl -s Anchors
0001
clients
(18:31) novel@novel:~ %> sudo pfctl -a "clients/test" -f rule
(18:32) novel@novel:~ %> sudo pfctl -s Anchors
0001
clients
test
(18:32) novel@novel:~ %> sudo pfctl -s Anchors -a clients
clients/0001
clients/foobar
clients/test
(18:32) novel@novel:~ %> cat rule
pass in quick on tun0 from 172.22.7.7 to label "st:4:test2@foo:2:1:foo:in"
pass out quick on tun0 from to 172.22.7.7 label "st:4:test2@foo:2:1:foo:out"
(18:32) novel@novel:~ %>

Why does it create a global anchor 'test' while it should create just a nested anchor 'clients/test'?

I noticed this happens only if I use tables in rules for the nested anchor. However, it doesn't matter if these tables are local or global, defined or not; it doesn't make any difference.

Moreover, I cannot flush anchors created that way (usually "pfctl -a anchor -F all" removes anchors from the list, but it doesn't happen for the anchors created that way).

Is it expected behaviour or maybe I'm missing something?

I've tested it on two boxes, both are 6.2-STABLE, one i386 and another is amd64.

Roman Bogorodskiy
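A small check for the situation described in the mail, written here as an added example and not part of the original message: given the top-level listing from `pfctl -s Anchors` and the nested listing from `pfctl -s Anchors -a <parent>`, it reports when a child anchor that was loaded as `parent/child` has also shown up at top level, or is missing under its parent. The listings below are constructed to mirror the session above; `verify_nested` is a hypothetical helper name, not a pfctl feature.

```shell
#!/bin/sh
# verify_nested PARENT CHILD TOP_LISTING NESTED_LISTING
#   PARENT, CHILD    anchor names, e.g. "clients" and "test"
#   TOP_LISTING      output of `pfctl -s Anchors` (one anchor per line)
#   NESTED_LISTING   output of `pfctl -s Anchors -a PARENT`
# Prints a diagnosis for each problem found and returns 0 only when the
# child exists as "PARENT/CHILD" and not as a stray top-level anchor.
verify_nested() {
    parent=$1 child=$2 top=$3 nested=$4
    rc=0
    # A rule set loaded with `pfctl -a parent/child -f file` must not
    # leave a top-level anchor named like the child behind.
    if printf '%s\n' "$top" | grep -qx "$child"; then
        echo "stray top-level anchor '$child' (expected only '$parent/$child')"
        rc=1
    fi
    # The nested anchor itself must be present under the parent.
    if ! printf '%s\n' "$nested" | grep -qx "$parent/$child"; then
        echo "missing nested anchor '$parent/$child'"
        rc=1
    fi
    return $rc
}

# Constructed listings matching what the mail reports after loading
# rules into clients/test: "test" appears at top level as well.
TOP_AFTER='0001
clients
test'
NESTED_AFTER='clients/0001
clients/foobar
clients/test'

# What a correct load should look like: no top-level "test".
TOP_CLEAN='0001
clients'

# Returns 1 for the mail's observation, 0 for the clean listing.
check_observed() { verify_nested clients test "$TOP_AFTER" "$NESTED_AFTER"; }
check_clean()    { verify_nested clients test "$TOP_CLEAN" "$NESTED_AFTER"; }

# Live use (needs root and pf):
#   verify_nested clients test "$(pfctl -s Anchors)" "$(pfctl -s Anchors -a clients)"
```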