Date: Tue, 05 Jan 2021 19:58:46 +0100
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Dobri Dobrev" <ddobrev85@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF not keeping counters in a counters-defined table
Message-ID: <DFFD64A3-2B3D-42A5-BFF2-47D6542D6930@FreeBSD.org>
In-Reply-To: <CAJHkgnf=0-PMPGRm0-K_rNoKO7w-RHTSVVnLuDNLM7o_G4=eAg@mail.gmail.com>
References: <CAJHkgnf=0-PMPGRm0-K_rNoKO7w-RHTSVVnLuDNLM7o_G4=eAg@mail.gmail.com>
On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> # ------------------------------------------------------------------------------------------------
> # /etc/pf.conf:
> set timeout tcp.first 45
> set timeout tcp.opening 45
> set timeout tcp.closing 15
> set timeout tcp.finwait 15
> set timeout tcp.closed 10
> set timeout interval 10
> set timeout tcp.established 3600
> set timeout src.track 10
>
> set limit table-entries 500000
> set limit states 2000000
> set limit src-nodes 2000000
> set require-order no
> set block-policy drop
> set ruleset-optimization basic
>
> set skip on lo0
>
> table <xyztable> counters
> rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
>
> load anchor ASDFGH from "/etc/ASDFGH-anchor"
>
> # contents of /etc/ASDFGH-anchor:
> # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> #

Use pflog to confirm, but I'm pretty sure your issue is that you're hitting the rdr rule in the anchor, which doesn't contain the table with the counters, rather than the anchor rule.

Counts are only done on the final matching rule, not on all of the rules looked at along the way.

Regards,
Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DFFD64A3-2B3D-42A5-BFF2-47D6542D6930>
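As an added example (not part of the thread), a pf.conf fragment that applies Kristof's explanation: table counters are credited only by the rule that is the final match, so <xyztable> is referenced in the anchor's rdr rule and in the filter rule for the translated traffic, not only on the rdr-anchor line. The table addresses, the pass rule and the fallback behaviour of an anchor-local table are constructed assumptions; the original only shows the rdr-anchor line and the anchor's rdr rule.

```pf
# /etc/pf.conf (main ruleset)
# Constructed sample addresses; the original table is populated elsewhere.
table <xyztable> counters { 203.0.113.10, 203.0.113.11 }

# The rdr-anchor line only selects the anchor. The rule that finally matches
# is the rdr rule inside /etc/ASDFGH-anchor, so a table referenced only here
# never receives counts.
rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
load anchor ASDFGH from "/etc/ASDFGH-anchor"

# Filter side: filtering runs on the translated destination (port 124 after
# the rdr). Assumption: this is the final matching filter rule for that
# traffic, so its table lookup is the one that gets counted.
pass in quick on igb0 proto tcp from <xyztable> to 192.168.0.1 port 124

# /etc/ASDFGH-anchor
# Reference the table in the rdr rule that actually wins. Assumption: an
# anchor-local <xyztable> with no addresses of its own falls back to the
# main-ruleset table of the same name, so the counts land in the table
# defined above. Verify with: pfctl -t xyztable -vT show
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

Load both files, generate a few connections to port 123 from a listed address, and compare the In/Pass counters shown by pfctl before and after; if only the filter rule's counts move, the rdr path is not crediting the table and the pass rule is the place to keep it.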