From owner-freebsd-pf@FreeBSD.ORG Wed Aug 15 01:48:36 2007
From: Toomas Pelberg
To: freebsd-pf@freebsd.org
Date: Wed, 15 Aug 2007 04:48:34 +0300
Subject: Re: pfctl -i
In-Reply-To: <8eea04080708141713w2e485fe2t49ff909304561fb5@mail.gmail.com>
References: <1187128008.64655.9.camel@detalem.kicks-ass.net> <8eea04080708141713w2e485fe2t49ff909304561fb5@mail.gmail.com>
Message-Id: <1187142514.64859.55.camel@detalem.kicks-ass.net>
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
> On 8/14/07, Toomas Pelberg wrote:
> > pfctl man page says:
> >
> > -i interface
> > Restrict the operation to the given interface.
> >
> > ..what exactly is meant under the word "operation" ?
>
> This would be one of those things that is obvious once you've seen an example
> and thought about it for a while.
>
> $sudo pfctl -si |grep -A1 State
> State Table Total Rate
> current entries 34056
> $sudo pfctl -i vlan170 -ss |wc -l
> 1172

So -i only works in combination with -s ? If so, I think it should be
mentioned in the man page.

> In this case, only show states bound to the vlan170 interface.
>
> > My problem: I want to load a different ruleset for each interface
> > ( jails ) and not care about what's in the ruleset as long as it doesn't
> > affect anything outside the jail ( which is bound to a specific ip on a
> > separate interface )
>
> You probably want to look into anchors.

While I can use an anchor to limit to the interface, it's a rather ugly
hack. Care to show an elegant solution how to anchor an unspecified number of
user rules? I could just as well pass over the supplied ruleset with a perl
script that skips any rules not starting with pass/block in/out on
jail_interface. pfctl -i & -f combo would've been great for this purpose.
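The filter-then-anchor approach Toomas sketches (keep only rules that explicitly name the jail's interface, then load them under a per-jail anchor), as an added example that is not code from the thread or from FreeBSD. It assumes the main pf.conf contains `anchor "jails/*"`, that the jail interface name (vlan170 from the thread) is passed as the first argument, and that the sample ruleset below is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: whitelist a jail owner's ruleset down
# to rules that apply only to the jail's interface, then install what
# survives into the anchor jails/IFACE (assumed pf.conf line: anchor "jails/*").

# filter_ruleset IFACE FILE: print only lines of the form
#   pass|block [drop|return] in|out [log] [quick] on IFACE ...
# Everything else is dropped: rules on other interfaces or with no interface,
# set/scrub/nat/rdr lines, macros, tables, comments and blank lines.
filter_ruleset() {
    _iface=$1
    grep -E "^[[:space:]]*(pass|block)([[:space:]]+(drop|return))?[[:space:]]+(in|out)([[:space:]]+(log|quick))*[[:space:]]+on[[:space:]]+${_iface}([[:space:]]|$)" "$2"
}

# count_rejected IFACE FILE: number of non-empty, non-comment lines the
# whitelist dropped, so the operator can be told what was ignored.
count_rejected() {
    _all=$(grep -Ev '^[[:space:]]*(#|$)' "$2" | wc -l)
    _ok=$(filter_ruleset "$1" "$2" | wc -l)
    echo $((_all - _ok))
}

# load_jail_anchor IFACE FILE: install the filtered rules under jails/IFACE.
# pfctl -f - reads the ruleset from stdin; nothing outside the anchor changes.
load_jail_anchor() {
    filter_ruleset "$1" "$2" | pfctl -a "jails/$1" -f -
}

# write_sample FILE: a constructed jail ruleset for demonstration only.
write_sample() {
    cat > "$1" <<'EOF'
# ruleset supplied by the jail owner (constructed sample)
pass in on vlan170 proto tcp to port 22
pass out on vlan170
block drop in log quick on vlan170 proto udp
pass in on vlan171 proto tcp to port 80
pass out all
set skip on lo0
EOF
}
```

Run as `write_sample /tmp/jail.rules; filter_ruleset vlan170 /tmp/jail.rules` to see the three surviving rules; `load_jail_anchor vlan170 /tmp/jail.rules` needs root and a pf.conf that declares the anchor.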