From owner-freebsd-pf@FreeBSD.ORG Fri Apr 13 03:36:41 2012
From: Damien Fleuriot
To: Jason Hellenthal
Cc: freebsd-pf@freebsd.org
Date: Fri, 13 Apr 2012 05:36:40 +0200
Subject: Re: PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE
In-Reply-To: <20120413030455.GA40140@DataIX.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"
I've actually tried with the following, minimalist ruleset, and gotten the same outcome.

Notice I included a rule of each type (nat, rdr, pass, block).

vlan31="vlan31"
vlan95="vlan95"
vlan710="vlan710"

table { 192.168.1.1 }
table const { 192.168.2.2 }
table persist { 192.168.3.3 }

set optimization aggressive
set loginterface $vlan95
set state-policy if-bound
set block-policy drop
set require-order yes

scrub in all no-df random-id

nat on $vlan31 inet from $vlan710:network to any -> 192.168.31.108
rdr pass on $vlan710 proto tcp from $vlan710 to any port 21 -> 127.0.0.1 port 8021

pass in quick on $vlan710
pass out


# Dummy load of the ruleset:
# pfctl -nvvvvf pf.conf
vlan31 = "vlan31"
vlan95 = "vlan95"
vlan710 = "vlan710"
table { 192.168.1.1 }
table const { 192.168.2.2 }
table persist { 192.168.3.3 }
set optimization aggressive
set loginterface vlan95
set state-policy if-bound
set block-policy drop
set require-order yes
@0 scrub in all no-df random-id fragment reassemble
@1 nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
@2 rdr pass on vlan710 inet proto tcp from 10.107.10.252 to any port = ftp -> 127.0.0.1 port 8021
@3 pass in quick on vlan710 all flags S/SA keep state (if-bound)
@4 pass out all flags S/SA keep state (if-bound)


# After actual load:
# pfctl -sa
TRANSLATION RULES:
nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
rdr pass on vlan710 inet proto tcp from 10.107.10.252 to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in all no-df random-id fragment reassemble
pass in quick on vlan710 all flags S/SA keep state (if-bound)
pass out all flags S/SA keep state (if-bound)

No queue in use

INFO:
Status: Enabled for 0 days 00:00:35           Debug: Urgent

[ snip stats, timeouts and limits ]

TABLES:
tab_persist


Notice how again, PF only loads "persist" tables and not "const" and regular ones.
uname -a, on amd64:
FreeBSD 8.3-PRERELEASE #0: Wed Apr 11 09:46:20 CEST 2012

I'm going to switch from RELENG_8 to RELENG_8_3, update sources, rebuild, and see if that helps.


On 13 April 2012 05:04, Jason Hellenthal wrote:
>
> Did you ever post your ruleset and example tables ? I don't think pf
> changed that much between 8.2-RELEASE to 8.3 as it stands now in the
> aspects that would affect this outcome.
>
> I am on 8.3-STABLE and the configuration of rules sounds similar to
> yours but I am not exhibiting any problems. Rule order is also key here
> so be sure to check that.
>
>
> On Fri, Apr 13, 2012 at 03:39:44AM +0200, Damien Fleuriot wrote:
>> Sending to -pf since nobody in -stable seemed interested.
>>
>> Kindly let me know if I can be of assistance to track down the issue.
>>
>> For the record, a source update against RELENG_8 today (2012/04/12)
>> did not show any updated file regarding PF, so I guess this still is
>> an issue.
>>
>>
>> ---------- Forwarded message ----------
>> From: Damien Fleuriot
>> Date: 12 April 2012 16:08
>> Subject: PF - pf not loading non-persist tables from main ruleset on
>> 8.3-PRERELEASE
>> To: freebsd-stable@freebsd.org
>>
>>
>> Hello list,
>>
>>
>> I installed a box recently and updated it to 8.3-PRERELEASE on 2012/04/11
>>
>>
>> I'm experiencing this extremely weird behavior where PF refuses to
>> load standard and const table definitions from the main ruleset.
>> - persist tables load just fine
>> - normal and const tables inside anchors load just fine
>>
>>
>> Does anyone else have the same problem ?
>>
>> I'll try to update the kernel again, you never know.
>
> --
> ;s =;
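An added example, not part of the list thread: pf.conf(5) states that without the persist flag the kernel removes a table once no loaded rule refers to it, and none of the rules in the minimal ruleset above reference a table, which is the condition this POSIX shell script checks for. It parses table definitions out of a pf.conf, reports non-persist tables that no rule references, and, when given the output of `pfctl -sT`, reports tables that should have survived the load but are absent; the sample pf.conf in the test and every table name except tab_persist are constructed.

```shell
#!/bin/sh
# Added example (not from the list post): audit the tables in a pf.conf.
# pf.conf(5): without "persist", the kernel removes a table once no loaded
# rule refers to it, so an unreferenced plain/const table vanishes at load.

# Table definitions with comments stripped: prints "name flags-and-body".
pf_table_defs() {
    sed 's/#.*//' "$1" |
    sed -n 's/^[[:space:]]*table[[:space:]]*<\([^>]*\)>[[:space:]]*\(.*\)$/\1 \2/p'
}

# True when a non-definition line (i.e. a rule) mentions <name>.
pf_table_referenced() {
    sed 's/#.*//' "$2" | grep -v '^[[:space:]]*table[[:space:]]*<' | grep -q "<$1>"
}

# pf_table_audit pf.conf [loaded]   (loaded = output of `pfctl -sT`, one
# name per line, optional).  Prints one line per defined table:
#   DROP name     non-persist and referenced by no rule: gone after load
#   KEEP name     persist or referenced (and present in `loaded` if given)
#   MISSING name  expected to survive but absent from `loaded`
pf_table_audit() {
    conf=$1; loaded=${2:-}
    pf_table_defs "$conf" | while read -r name flags; do
        case " $flags " in
            *" persist "*) keep=1 ;;
            *) if pf_table_referenced "$name" "$conf"; then keep=1; else keep=0; fi ;;
        esac
        if [ "$keep" -eq 0 ]; then
            echo "DROP $name"
        elif [ -n "$loaded" ] && ! grep -qx "$name" "$loaded"; then
            echo "MISSING $name"
        else
            echo "KEEP $name"
        fi
    done
}

# Stand-alone use: pf_table_audit.sh /etc/pf.conf [tables.txt]
if [ "$#" -ge 1 ]; then
    pf_table_audit "$@"
fi
```

Run it against the real pf.conf before `pfctl -f`, and again with `pfctl -sT > tables.txt` after the load: a DROP line is expected pf behaviour, a MISSING line is worth a bug report.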