Date: Wed, 7 Mar 2007 18:01:51 +0100
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Cc: Frans Haarman <F.Haarman@giessen.nl>
Subject: Re: dynamically adding labels/rules
Message-ID: <200703071801.57721.max@love2party.net>
In-Reply-To: <2DC959620A73E842969792F5B47FCA01037D4369@dg-exch1.giessen.nl>
References: <2DC959620A73E842969792F5B47FCA01037D4369@dg-exch1.giessen.nl>
On Wednesday 07 March 2007 11:05, Frans Haarman wrote:
> I am also having some troubles with labels, it seems I can't add more
> than one label per anchor rule!
>
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.2 35 0 0
>
> DEVEL# echo 'pass in from any to 10.200.4.0/24 label "10.200.4"' |
> pfctl -qa tun0-rules -f -
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.4 15 0 0
>
> DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' |
> pfctl -qa tun0-rules -f -
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.2 14 0 0

The problem is that you don't add to the anchor as you seem to believe, you
*replace* the ruleset in the anchor. I think you also want to use
the "name/*" syntax to be able to add more than one ruleset to the anchor
point. Then you can issue commands like:

DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' |
pfctl -qa tun0-rules/10.200.2 -f -
DEVEL# echo 'pass in from any to 10.200.3.0/24 label "10.200.3"' |
pfctl -qa tun0-rules/10.200.3 -f -
DEVEL# pfctl -vsA tun0-rules
tun0-rules/10.200.2
tun0-rules/10.200.3
DEVEL# pfctl -qa tun0-rules/10.200.2 -s l
10.200.2 14 0 0
DEVEL# pfctl -qa tun0-rules/10.200.3 -s l
10.200.3 14 0 0

> DEVEL# uname -a
> FreeBSD DEVEL 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56
> UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386
>
> So the label gets overwritten. Is this normal/expected behaviour?

No, the *ruleset* is overwritten. And: Yes, this is expected behavior.
Anchors work exactly like the main ruleset.

echo "pass all" | pfctl -f-
echo "block all" | pfctl -f-
pfctl -vsr
...

No different from:

echo "pass all" | pfctl -a foo -f-
echo "block all" | pfctl -a foo -f-
pfctl -a foo -vsr
...
-- 
/"\ Best regards, | mlaier@freebsd.org
\ / Max Laier | ICQ #67774661
 X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
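An added example, not part of the thread: a small sh helper that does what Max describes, one sub-anchor per subnet so that each load replaces only that subnet's rule, together with the main-ruleset line that makes pf actually evaluate those sub-anchors. It assumes the interface tun0 and the anchor name tun0-rules from the thread; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes interface tun0 and the anchor
# name "tun0-rules" used above; the function names are mine. pf must be
# enabled and pfctl present for load_subnet/list_subnets to do anything.
#
# The main ruleset needs an attachment point that evaluates every
# sub-anchor below tun0-rules/, e.g. this line in /etc/pf.conf:
#
#   anchor "tun0-rules/*"
#
# Without it the sub-anchors exist but are never consulted for traffic.

# Label used in the thread for a /24: "10.200.2.0/24" -> "10.200.2".
label_for() {
    printf '%s\n' "${1%.0/24}"
}

# The one-rule ruleset for a subnet, as in the thread's echo commands.
rule_for() {
    printf 'pass in from any to %s label "%s"\n' "$1" "$(label_for "$1")"
}

# Load a subnet's ruleset into its own sub-anchor. "pfctl -a X -f -" replaces
# anchor X's ruleset, so with one sub-anchor per subnet a load only replaces
# that subnet's rule and leaves the other sub-anchors untouched.
load_subnet() {
    rule_for "$1" | pfctl -qa "tun0-rules/$(label_for "$1")" -f -
}

# Show what is loaded: the sub-anchor names, then each one's label counters.
list_subnets() {
    pfctl -vsA tun0-rules | while read -r a; do
        printf '%s: ' "$a"
        pfctl -qa "$a" -s labels
    done
}

# Only touch pf when subnets are given on the command line, e.g.:
#   sh load_subnets.sh 10.200.2.0/24 10.200.3.0/24
if [ "$#" -gt 0 ]; then
    for net in "$@"; do load_subnet "$net"; done
    list_subnets
fi
```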
