Toomas Pelberg wrote:
On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
On 8/14/07, Toomas Pelberg <[EMAIL PROTECTED]> wrote:
pfctl man page says:
-i interface
Restrict the operation to the given interface.
..what exactly is meant under the word "operation" ?
This would be one of those things that is obvious once you've seen an example
and thought about it for a while.
$sudo pfctl -si |grep -A1 State
State Table Total Rate
current entries 34056
$sudo pfctl -i vlan170 -ss |wc -l
1172
So -i only works in combination with -s ? If so, i think it should be
mentioned
in the man page.
I have not tested this but what happens if you try to load the following
rule set with the pfctl -i lo1 -f rules
pass on lo0 all
block on lo1 all
If the output of 'pfctl -srules' shows both rules then the -i flag has
no effect on the operation of the -f flag.
Tom
In this case, only show states bound to the vlan170 interface.
My problem: I want to load a different ruleset for each interface
( jails ) and not care about what's in the ruleset as long as it doesn't
affect anything outside the jail ( which is bound to a specific ip on a
seperate interface )
You probably want to look into anchors.
While I can use an anchor to limit to the interface, it's an rather ugly
hack.
Care to show an elegant solution how to anchor unspecified number of
user rules?
I could just as well pass over the supplied ruleset with an perl script
that skips
any rules not starting with pass/block in/out on jail_interface.
pfctl -i & -f combo would've been great for this purpose.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
