From: Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To: freebsd-pf@freebsd.org
Date: Thu, 26 May 2016 21:50:52 +0200
Subject: Re: `echo | pfctl -mf -` overriding instead of modifying
Message-ID: <20160526195052.GI49239@box-fra-01.niklaas.eu>
References: <20160518072409.GD99839@box-fra-01.niklaas.eu> <20160526114645.GB49239@box-fra-01.niklaas.eu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Max [2016-05-26 15:28 +0300] :
> Can you try something like
> exec.poststart = "/bin/sh /path/to/pf-config.sh $name $private_ip4 $private_ip6"
>
> where pf-config.sh contains
> #!/bin/sh
> echo "rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $2
> rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $3" | pfctl -a "jails/$1" -Nf -

Thanks a lot for your input. I guess that would work, but I managed to solve it the following way:

exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
exec.poststop += "pfctl -a jails/$name-ipv6 -F all";
exec.poststop += "pfctl -a jails/$name-ipv4 -F all";

The trick is to use two anchors. This way no rules are replaced and both stay active.

Niklaas
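The two-anchor layout from the message above, as an added shell example that is not part of the original thread or of FreeBSD's own tooling: a small script that builds each jail's rdr rules per address family, loads each set into its own anchor (so `pfctl -f` into one anchor never replaces the other) and flushes both anchors on stop. The interface vtnet0, the anchor prefix jails/ and the -ipv4/-ipv6 suffixes follow the message; the function names, the PFCTL override and the sample addresses are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: one pf anchor per jail and per
# address family, so a reload of the IPv4 rules cannot clobber the IPv6 ones.
# Interface "vtnet0" and anchor prefix "jails/" follow the message; function
# names and the PFCTL override are assumptions for this example.

set -u

# PFCTL lets a dry run substitute another command (e.g. a shell function that
# just echoes its arguments) on a host without pf.
PFCTL=${PFCTL:-pfctl}

# Print the rdr rule for one family.  $1 = inet|inet6, $2 = jail address.
# An empty address prints nothing, so a v4-only jail simply gets no inet6 set.
pf_jail_rules() {
    fam=$1; addr=$2
    [ -n "$addr" ] || return 0
    case "$fam" in
        inet|inet6) ;;
        *) echo "pf_jail_rules: unknown family '$fam'" >&2; return 1 ;;
    esac
    printf 'rdr pass on vtnet0 %s proto { udp tcp } to vtnet0 port domain -> %s\n' \
        "$fam" "$addr"
}

# Anchor name for a jail/family pair: jails/<name>-ipv4 or jails/<name>-ipv6.
pf_jail_anchor() {
    case "$2" in
        inet)  echo "jails/$1-ipv4" ;;
        inet6) echo "jails/$1-ipv6" ;;
        *) return 1 ;;
    esac
}

# exec.poststart equivalent: $1 = jail name, $2 = IPv4 address, $3 = IPv6
# address (either may be empty).  Each family's rules go to their own anchor
# with a separate "pfctl -a <anchor> -f -", which is what keeps both active.
pf_jail_load() {
    name=$1; ip4=$2; ip6=$3
    for fam in inet inet6; do
        if [ "$fam" = inet ]; then addr=$ip4; else addr=$ip6; fi
        rules=$(pf_jail_rules "$fam" "$addr") || return 1
        [ -n "$rules" ] || continue
        printf '%s\n' "$rules" | "$PFCTL" -a "$(pf_jail_anchor "$name" "$fam")" -f -
    done
}

# exec.poststop equivalent: "-F all" inside an anchor flushes only that
# anchor's rules, leaving the main ruleset and other jails' anchors untouched.
pf_jail_flush() {
    for fam in inet inet6; do
        "$PFCTL" -a "$(pf_jail_anchor "$1" "$fam")" -F all
    done
}

# Constructed sample invocation (addresses are made up for the example):
#   pf_jail_load dns 10.0.0.2 fd00::2
#   pf_jail_flush dns
```

For the anchors to take effect the main pf.conf must reference them, e.g. with `rdr-anchor "jails/*"`, which the thread does not show but which pf requires for rules loaded into a sub-anchor. To check what actually landed in each anchor after a jail start, run `pfctl -a jails/<name>-ipv4 -sn` and `pfctl -a jails/<name>-ipv6 -sn`; both should list their rdr rule after the second load, which is the behaviour the single-anchor variant lacked.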