From owner-freebsd-pf@FreeBSD.ORG  Sat Dec 27 13:59:42 2014
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 388F64EC
 for <freebsd-pf@freebsd.org>; Sat, 27 Dec 2014 13:59:42 +0000 (UTC)
Received: from krichy.tvnetwork.hu (krichy.tvnetwork.hu [109.61.101.194])
 by mx1.freebsd.org (Postfix) with ESMTP id E8A2F662C5
 for <freebsd-pf@freebsd.org>; Sat, 27 Dec 2014 13:59:41 +0000 (UTC)
Received: by krichy.tvnetwork.hu (Postfix, from userid 1000)
 id DC6748E39; Sat, 27 Dec 2014 14:59:33 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
 by krichy.tvnetwork.hu (Postfix) with ESMTP id D14EE8E38;
 Sat, 27 Dec 2014 14:59:33 +0100 (CET)
Date: Sat, 27 Dec 2014 14:59:33 +0100 (CET)
From: krichy@tvnetwork.hu
To: Ari Suutari <ari@stonepile.fi>
Subject: Re: pf anchor issues
In-Reply-To: <0AE89464-852A-412A-97F8-CE40AF447E18@stonepile.fi>
Message-ID: <alpine.DEB.2.11.1412271458120.26926@krichy.tvnetwork.hu>
References: <alpine.DEB.2.11.1412252121270.14984@krichy.tvnetwork.hu>
 <0AE89464-852A-412A-97F8-CE40AF447E18@stonepile.fi>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1
Cc: freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Dec 2014 13:59:42 -0000

Dear Ari,

Thanks for your reply. The problem is that the optimizer does not create 
persistent tables, so when multiple rules get combined into one with 
tables, they will simply not work.

Regards,


Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.

On Sat, 27 Dec 2014, Ari Suutari wrote:

> Date: Sat, 27 Dec 2014 12:22:51 +0200
> From: Ari Suutari <ari@stonepile.fi>
> To: krichy@tvnetwork.hu
> Cc: freebsd-pf@freebsd.org
> Subject: Re: pf anchor issues
> 
> Hi,
>
>> On 25 Dec 2014, at 22:30 , krichy@tvnetwork.hu wrote:
>> I am going to set up a ruleset, in which for optimisation purposes I am going to use anchors with filters. Playing with it ended at, unfortunately table handling in anchors simply does not work. I am still trying to dig deep into the source, but I am not sure that I will find the solution. So, the basic example is here:
>>
>> ---
>> table <tab> { 10.1.1.1 }
>>
>> anchor on xn0 {
>> 	pass quick from <tab> to any
>> }
>>
>
> You must add “persist” keyword to table, like
> this:
>
> table <tab> persist { 10.1.1.1 }
>
> I’m using tables inside anchors in two firewalls like this and it works ok.
>
>    Ari S.
>
>