Date: Wed, 18 May 2016 09:24:09 +0200
From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject: `echo <something> | pfctl -mf -` overriding instead of modifying
Message-ID: <20160518072409.GD99839@box-fra-01.niklaas.eu>
Note: crossposting in freebsd-questions and freebsd-pf

On a 10.3-RELEASE system, in my `/etc/pf.conf` I have the following lines:

ext_if="vtnet0"
...
rdr-anchor "jails/*" on $ext_if inet to $ext_if

In my `/etc/jail.conf` I have the following lines for some jail:

exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";
exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";

Nonetheless, if I start the jail, only the inet6 rules will stay in the appropriate anchor. The inet rules will be overridden.

Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and realised that making changes to the anchor overrides existing rules. So I read pfctl(8), where it says:

     -m      Merge in explicitly given options without resetting those
             which are omitted.  Allows single options to be modified
             without disturbing the others:

                   # echo "set loginterface fxp0" | pfctl -mf -

So I thought that adding `-m` to the rule in the second `exec.poststart` would include (instead of replace) the rules in the anchor. But this is not the case.

What am I doing wrong? Do I misunderstand `-m`?

Niklaas
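An added example, not code from the original post or from FreeBSD. pfctl(8) documents `-f` as loading a complete ruleset, and when combined with `-a` it replaces whatever the named anchor currently holds; `-m` only merges `set` options and does not append rules. The script below therefore emits both rdr rules for a jail from one function and loads them with a single `pfctl -a "jails/$name" -f -`, so neither rule overwrites the other. The interface name, the sample addresses and the script path in the usage note are assumptions for the example; the pfctl calls run only if pfctl is present, so the rule-generating functions can be exercised on any host.

```sh
#!/bin/sh
# Added example (not from the original post): build the whole anchor ruleset
# for one jail and load it with ONE pfctl invocation.
#
# `pfctl -a <anchor> -f -` replaces the anchor's rules with what it reads from
# stdin, so two separate pfctl runs leave only the second rule behind, and -m
# merges only "set" options, not rules. Feeding both rules at once avoids that.
#
# Interface and address values used below are assumptions for the example.

set -eu

# jail_rdr_rules EXT_IF IP4 IP6
# Print the rdr rules for one jail, one per line. An empty IP4 or IP6
# argument skips that address family (e.g. a v4-only jail).
jail_rdr_rules() {
    ext_if=$1; ip4=$2; ip6=$3
    if [ -n "$ip4" ]; then
        printf 'rdr pass on %s inet proto { udp tcp } to %s port domain -> %s\n' \
            "$ext_if" "$ext_if" "$ip4"
    fi
    if [ -n "$ip6" ]; then
        printf 'rdr pass on %s inet6 proto { udp tcp } to %s port domain -> %s\n' \
            "$ext_if" "$ext_if" "$ip6"
    fi
}

# rule_count EXT_IF IP4 IP6
# Number of rules jail_rdr_rules would emit for these arguments.
rule_count() {
    jail_rdr_rules "$@" | wc -l | tr -d ' '
}

# load_jail_anchor NAME EXT_IF IP4 IP6
# Replace the contents of anchor jails/NAME with all of the jail's rules in a
# single pfctl run, then list the anchor's translation rules as a check.
# On a host without pfctl the ruleset is only printed to stderr.
load_jail_anchor() {
    name=$1; shift
    if command -v pfctl >/dev/null 2>&1; then
        jail_rdr_rules "$@" | pfctl -a "jails/$name" -f -
        pfctl -a "jails/$name" -sn
    else
        echo "pfctl not available; ruleset for jails/$name would be:" >&2
        jail_rdr_rules "$@" >&2
    fi
}

# Stand-alone demonstration with constructed sample addresses.
if [ "${1:-}" = "demo" ]; then
    load_jail_anchor dns vtnet0 192.0.2.53 2001:db8::53
fi
```

Installed as, say, `/usr/local/sbin/pf-jail-anchor` (an assumed path), a single `exec.poststart += "/usr/local/sbin/pf-jail-anchor $name vtnet0 $private_ip4 $private_ip6";` line in `jail.conf` replaces the two separate `echo ... | pfctl` lines, and `pfctl -a "jails/$name" -sn` afterwards should show both rules in the anchor.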