Date: Thu, 25 Dec 2014 21:30:10 +0100 (CET)
From: krichy@tvnetwork.hu
To: freebsd-pf@freebsd.org
Subject: pf anchor issues
Message-ID: <alpine.DEB.2.11.1412252121270.14984@krichy.tvnetwork.hu>
Dear all,

I am going to set up a ruleset in which, for optimisation purposes, I am going to use anchors with filters. Playing with it ended with the finding that, unfortunately, table handling in anchors simply does not work. I am still trying to dig deep into the source, but I am not sure that I will find the solution.

So, the basic example is here:

---
table <tab> { 10.1.1.1 }

anchor on xn0 {
	pass quick from <tab> to any
}
block
---

And unfortunately, while someone might not use tables, the default rule optimizing code does, and if it generates a table to be used instead of many similar rules, it simply will not work.

This bug is present in OpenBSD also.

Thanks in advance,
Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.

On Mon, 22 Dec 2014, krichy@tvnetwork.hu wrote:

> Date: Mon, 22 Dec 2014 00:48:27 +0100 (CET)
> From: krichy@tvnetwork.hu
> To: freebsd-pf@freebsd.org
> Subject: Re: nested anchors
>
> Dear all,
>
> In OpenBSD, pfctl.c works right. There was a fix for this bug:
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c?rev=1.300&content-type=text/x-cvsweb-markup
>
> I think the relevant diff is:
>
> --- pfctl.c.orig 2014-12-22 00:44:54.000000000 +0100
> +++ pfctl.c 2014-12-22 00:41:20.000000000 +0100
> @@ -1345,7 +1345,7 @@
> else
> snprintf(&path[len], MAXPATHLEN - len,
> "%s", r->anchor->name);
> - name = path;
> + name = r->anchor->name;
> } else
> name = r->anchor->path;
> } else
>
> It would be nice if this had been applied.
>
> Regards,
> Kojedzinszky Richard
> Euronet Magyarorszag Informatika Zrt.
>
> On Sun, 21 Dec 2014, krichy@tvnetwork.hu wrote:
>
>> Date: Sun, 21 Dec 2014 20:29:06 +0100 (CET)
>> From: krichy@tvnetwork.hu
>> To: freebsd-pf@freebsd.org
>> Subject: nested anchors
>>
>> Dear pf devs,
>>
>> I found that on FreeBSD 10.1 nested anchors do not work.
>>
>> This simple config passes traffic from any to 10.2.1.0/24:
>>
>> anchor from any to 10.2.1.0/24 {
>> 	pass quick all
>> 	block
>> 	block log (to pflog1)
>> }
>>
>> If the inner pass is enclosed in another anchor, then the filter drops
>> packets:
>>
>> anchor from any to 10.2.1.0/24 {
>> 	anchor all {
>> 		pass quick all
>> 		block
>> 	}
>> 	block log (to pflog1)
>> }
>>
>> It would be very nice to have this working.
>>
>> Regards,
>>
>> Kojedzinszky Richard
>> Euronet Magyarorszag Informatika Zrt.
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
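Review bot: in the pfctl.c hunk quoted above, after `- name = path;` becomes `+ name = r->anchor->name;`, the `snprintf(&path[len], MAXPATHLEN - len, "%s", r->anchor->name);` two lines earlier still appends the anchor name into `path`, yet nothing visible in the hunk reads `path` afterwards on that branch; either drop that snprintf or state where `path` is consumed later, otherwise the change leaves a write whose purpose is no longer evident. The hunk also omits the condition that selects this branch over the `name = r->anchor->path;` branch, so a reviewer cannot confirm from these seven lines alone that the relative anchor name is the right value for every case that reaches it; a few more lines of leading context, or a sentence on when each branch runs, would make the fix reviewable.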