On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
> On 8/14/07, Toomas Pelberg <[EMAIL PROTECTED]> wrote:
> > pfctl man page says:
> >
> > -i interface
> > Restrict the operation to the given interface.
> >
> > ..what exactly is meant under the word "operation" ?
>
> This would be one of those things that is obvious once you've seen an example
> and thought about it for a while.
>
> $sudo pfctl -si |grep -A1 State
> State Table Total Rate
> current entries 34056
> $sudo pfctl -i vlan170 -ss |wc -l
> 1172

So -i only works in combination with -s ? If so, I think it should be mentioned in the man page.

> In this case, only show states bound to the vlan170 interface.
>
> > My problem: I want to load a different ruleset for each interface
> > ( jails ) and not care about what's in the ruleset as long as it doesn't
> > affect anything outside the jail ( which is bound to a specific ip on a
> > separate interface )
>
> You probably want to look into anchors.

While I can use an anchor to limit to the interface, it's a rather ugly hack. Care to show an elegant solution how to anchor an unspecified number of user rules?

I could just as well pass over the supplied ruleset with a perl script that skips any rules not starting with pass/block in/out on jail_interface. pfctl -i & -f combo would've been great for this purpose.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
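One way to lay out the per-jail anchors the thread is talking about, added here as an example rather than code from either poster or from the FreeBSD project. It assumes the layout described in the question (each jail on its own interface) and the jail names, interfaces and file paths are made up. The point it shows: an anchor attached with `on <iface>` is only evaluated for packets on that interface, so whatever number of rules `pfctl -a <anchor> -f` loads into it, none of them can match traffic elsewhere, which is the containment the perl-filter idea was trying to get.

```shell
#!/bin/sh
# Added example, not code from the thread: per-jail rulesets confined to
# the jail's interface with pf anchors. Jail names, interfaces and file
# paths are constructed for illustration.

# Emit the two pf.conf lines that attach one jail's anchor to its interface.
# "on <iface>" makes pf evaluate the anchor, and so every rule later loaded
# into it, only for packets crossing that interface; a rule inside the
# anchor that names some other interface can therefore never match.
jail_anchor_stanza() {
    name=$1
    iface=$2
    file=$3
    printf 'anchor "jail_%s" on %s\n' "$name" "$iface"
    printf 'load anchor jail_%s from "%s"\n' "$name" "$file"
}

# Build the stanzas for every jail listed on stdin as "name iface rulefile",
# ready to be appended to the main pf.conf.
jail_anchor_block() {
    while read -r name iface file; do
        [ -n "$name" ] || continue
        jail_anchor_stanza "$name" "$iface" "$file"
    done
}

# Replace the rules inside one jail's anchor with the (arbitrarily long)
# user-supplied file without touching the main ruleset. Only does anything
# where pfctl exists, i.e. on the firewall host itself.
load_jail_ruleset() {
    name=$1
    file=$2
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available here; would run: pfctl -a jail_$name -f $file" >&2
        return 1
    fi
    # Flush only this anchor's rules, then load the new set into it.
    pfctl -a "jail_$name" -F rules && pfctl -a "jail_$name" -f "$file"
}

# Constructed inventory of jails: name, interface, rule file.
JAILS='web vlan170 /etc/pf/jail_web.conf
db vlan171 /etc/pf/jail_db.conf'

main() {
    # Print the pf.conf fragment for all jails in the inventory.
    printf '%s\n' "$JAILS" | jail_anchor_block
}

main
```

Two caveats a practitioner will want: the main ruleset still decides which packets reach the anchor at all (a `quick` rule placed before the `anchor` line wins), and rules inside the anchor still create state and still apply to the host's own traffic on that interface, since the interface is the jail's. What the anchor guarantees is only that nothing loaded into it can touch traffic on the other interfaces.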