Date: Tue, 05 Jan 2021 19:58:46 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Dobri Dobrev" <ddobrev85@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF not keeping counters in a counters-defined table
Message-ID: <DFFD64A3-2B3D-42A5-BFF2-47D6542D6930@FreeBSD.org>
In-Reply-To: <CAJHkgnf=0-PMPGRm0-K_rNoKO7w-RHTSVVnLuDNLM7o_G4=eAg@mail.gmail.com>
On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> #
> ------------------------------------------------------------------------------------------------
> # /etc/pf.conf:
> set timeout tcp.first 45
> set timeout tcp.opening 45
> set timeout tcp.closing 15
> set timeout tcp.finwait 15
> set timeout tcp.closed 10
> set timeout interval 10
> set timeout tcp.established 3600
> set timeout src.track 10
>
> set limit table-entries 500000
> set limit states 2000000
> set limit src-nodes 2000000
> set require-order no
> set block-policy drop
> set ruleset-optimization basic
>
> set skip on lo0
>
> table <xyztable> counters
> rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
>
> # contents of /etc/ASDFGH-anchor:
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> #

Use pflog to confirm, but I’m pretty sure your issue is that you’re hitting the rdr rule in the anchor, which doesn’t contain the table with the counters, rather than the anchor rule. Counts are only done on the final matching rule, not on all of the rules looked at along the way.

Regards,
Kristof
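The following is an added illustration, not part of Kristof's reply or Dobri's posted configuration. It assumes that the fix implied by the reply is the right one: since pf updates table counters only for the rule that finally matches, the `rdr` rule inside the anchor (the final match here) must itself reference `<xyztable>` for the table's counters to move. The anchor name, interface and addresses are the ones from the thread; the pfctl invocations in the comments are the standard ones for inspecting rule and table counters.

```pf
# /etc/ASDFGH-anchor (revised; assumed fix, not from the original post)
#
# Before: the anchor rule in /etc/pf.conf mentions <xyztable>, but this
# inner rule, which is the one that actually matches, does not.  Only the
# final matching rule updates table counters, so <xyztable> never moves.
#
#   rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
#
# After: reference the counters table on the rule that does the match.
# <xyztable> is declared with "counters" in the main ruleset, and tables
# defined there are visible inside the anchor.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Checks, run as root after "pfctl -f /etc/pf.conf":
#
#   pfctl -a ASDFGH -s nat -vv
#       shows the anchor's rdr rule with its
#       [ Evaluations: N  Packets: N  Bytes: N  States: N ] line; Packets
#       must rise when traffic hits it.
#
#   pfctl -t xyztable -T show -vv
#       shows per-address In/Out Block/Pass packet and byte counters for
#       the table; with the table on the matching rule these now rise too.
#
#   pfctl -t xyztable -T zero
#       resets the table counters before a controlled test.
```

If the counters in `pfctl -a ASDFGH -s nat -vv` climb while the table counters stay at zero, the traffic is being matched by a rule that does not name the table, which is exactly the situation the reply describes.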
