Date:      Tue, 8 Sep 2015 10:55:50 -0700
From:      Nick Rogers <ncrogers@gmail.com>
To:        "Derek (freebsd lists)" <482254ac@razorfever.net>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf, rdr, & anchors - broken or PEBKAC
Message-ID:  <CAKOb=YbAameHzxZCUzpDZ8-p5kFtS54BGNqTWEzEGJsr3eKqOg@mail.gmail.com>
In-Reply-To: <55EF1ECA.3080508@razorfever.net>
References:  <55EF1ECA.3080508@razorfever.net>

On Tue, Sep 8, 2015 at 10:45 AM, Derek (freebsd lists) <
482254ac@razorfever.net> wrote:

> Hi!
>
> I'm trying to configure a basic layer-3 load balancer (10.2-RELEASE).  I
> initially started down this path with relayd from ports, as it seems to do
> what I need, very succinctly.
>
> What I've stumbled upon - I hope - is me not knowing how to cause rdr
> statements in anchors to be evaluated, although it appears that this
> functionality is currently broken.
>
> Take this contrived, most-trivial example (where 192.168.0.1 is external,
> and 10.2.2.251 is internal):
>
> /etc/pf.conf:
> rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
>
> sudo pfctl -Fa -f /etc/pf.conf
>
> *everything works as expected*
>
> Now, this time using anchors:
>
> sudo mv /etc/pf.conf /etc/pf.conf-anchor
>
> /etc/pf.conf:
> anchor testing
>

rdr rules must be in a "rdr-anchor". "anchor" is for filter rules.

> load anchor testing from "/etc/pf.conf-anchor"
>
> sudo pfctl -Fa -f /etc/pf.conf
>
> gives TCP RSTs when connecting to port 80.  Additionally
>
> sudo pfctl -a testing -vvs nat:
> @0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
>   [ Evaluations: 0         Packets: 0         Bytes: 0  States: 0     ]
>   [ Inserted: uid 0 pid 56764 State Creations: 0     ]
>
>
> So identical rulesets, one loaded as an anchor: never evaluated, the other
> loaded into the main ruleset directly: works fine.
>
> Is this broken, or am I missing something?
>
> Thanks!
> Derek
>
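Nick's point as a minimal corrected /etc/pf.conf, added here as an illustration that is not part of either message (file paths and the anchor name are taken from Derek's post; the broken form is kept as comments for comparison):

```pf
# /etc/pf.conf -- broken form from the post.
# "anchor" attaches the named anchor to the *filter* ruleset only, so the
# rdr rule loaded into it is present (visible with pfctl -a testing -sn)
# but never evaluated: Evaluations stays at 0 and clients get TCP RSTs.
#
#   anchor testing
#   load anchor testing from "/etc/pf.conf-anchor"

# /etc/pf.conf -- corrected form.
# "rdr-anchor" hooks the anchor into the translation ruleset, which is
# where rdr rules are evaluated. Like plain rdr rules, the rdr-anchor
# line belongs in the translation section, ahead of any filter rules.
rdr-anchor "testing"
load anchor "testing" from "/etc/pf.conf-anchor"

# /etc/pf.conf-anchor -- unchanged from the post; only the hook changes.
#   rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
```

Check the change with `pfctl -nf /etc/pf.conf` before loading it; afterwards `pfctl -a testing -vvs nat` should show the Evaluations and States counters climbing once a client connects to port 80.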
