>Number:         183198
>Category:       kern
>Synopsis:       pf tables not loaded if only used inside anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 11:20:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Ole Myhre
>Release:        10.0-BETA1
>Organization:
>Environment:
FreeBSD fw 10.0-BETA1 FreeBSD 10.0-BETA1 #0 r256420: Sun Oct 13 01:43:07 UTC 2013     r...@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When using tables in pf (either manually created tables or automatic tables 
created from macros/rules), and those tables are only being used inside 
anchors, the tables are not loaded when running "pfctl -f".

This causes some problems, especially if you are using macros for groups of 
addresses and that group is converted to an automatic table. So the rule 
inside the anchor works when you only have a few addresses in the macro, but if 
you add a few more addresses, the rule points to a table that is not loaded.

I see the same behavior on 9.1-RELEASE.

Example with manual table:

# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in from <test> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t test -T show
pfctl: Table does not exist.

# echo "pass in on em0 from <test>" >> /etc/pf.conf
# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
pass in on em0 from <test>

# pfctl -f /etc/pf.conf
# pfctl -sT
test
# pfctl -t test -T show
   10.0.0.1
   10.0.0.2
   10.0.0.3


Example with automatic table:

# cat /etc/pf.conf
block in

anchor "em0" on em0 {
 pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_13de2d31_0> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t __automatic_13de2d31_0 -T show
pfctl: Table does not exist.
# echo "pass in on em0 from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }" >> /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state
# pfctl -sT
__automatic_b3d57307_0

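A post-load consistency check for the condition the report describes, added here as an example and not part of the report or of pfctl: it compares the table names referenced in the full ruleset (the output of `pfctl -sr -a '*'`, which recurses into anchors) against the tables actually loaded (the output of `pfctl -sT`) and flags any reference to a table that does not exist. The function names (`referenced_tables`, `missing_tables`, `check_pf_tables`) are this example's own; the sample outputs embedded below are constructed from the automatic-table transcript above.

```shell
#!/bin/sh
# Detect pf tables that loaded rules reference but that pf has not loaded.
# Inputs are plain text: the output of `pfctl -sr -a '*'` (rules, including
# anchor contents) and of `pfctl -sT` (names of loaded tables).

# referenced_tables RULES_TEXT
#   Print, sorted and unique, every <name> that the rules refer to.
referenced_tables() {
    printf '%s\n' "$1" | grep -o '<[^<>]*>' | tr -d '<>' | sort -u
}

# missing_tables RULES_TEXT TABLES_TEXT
#   Print each referenced table name that is absent from the loaded list.
missing_tables() {
    refs=$(referenced_tables "$1")
    loaded=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    for t in $refs; do
        if ! printf '%s\n' "$loaded" | grep -qx "$t"; then
            printf '%s\n' "$t"
        fi
    done
}

# check_pf_tables RULES_TEXT TABLES_TEXT
#   Return 0 when every referenced table is loaded, 1 otherwise (listing the
#   offenders on stderr), so it can gate a deployment after `pfctl -f`.
check_pf_tables() {
    missing=$(missing_tables "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'pf rules reference tables that are not loaded:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample data, taken from the automatic-table transcript in the
# report: the table inside the anchor is referenced but never loaded.
SAMPLE_RULES='block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state'
SAMPLE_TABLES='__automatic_b3d57307_0'

# On a live FreeBSD host the call would be:
#   check_pf_tables "$(pfctl -sr -a '*')" "$(pfctl -sT)"
# Run with --demo to exercise the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    check_pf_tables "$SAMPLE_RULES" "$SAMPLE_TABLES"
fi
```

Running the check right after `pfctl -f` (for example from the same deployment script) catches the silent failure before traffic hits a rule whose table is empty; on the sample it reports `__automatic_178e79e_1` and exits non-zero.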
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs