Toomas Pelberg wrote:
On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
On 8/14/07, Toomas Pelberg <[EMAIL PROTECTED]> wrote:
pfctl man page says:

-i interface
             Restrict the operation to the given interface.

..what exactly is meant under the word "operation" ?
This would be one of those things that is obvious once you've seen an example
and thought about it for a while.

$ sudo pfctl -si | grep -A1 State
State Table                          Total             Rate
  current entries                    34056
$ sudo pfctl -i vlan170 -ss | wc -l
    1172

So -i only works in combination with -s? If so, I think it should be
mentioned in the man page.

I have not tested this, but what happens if you try to load the following rule set with pfctl -i lo1 -f rules:

pass on lo0 all
block on lo1 all

If the output of 'pfctl -srules' shows both rules, then the -i flag has no effect on the operation of the -f flag.

Tom


In this case, only show states bound to the vlan170 interface.

My problem: I want to load a different ruleset for each interface
(jails) and not care about what's in the ruleset as long as it doesn't
affect anything outside the jail (which is bound to a specific IP on a
separate interface).
You probably want to look into anchors.

While I can use an anchor to limit to the interface, it's a rather ugly
hack.
Care to show an elegant solution for how to anchor an unspecified number of
user rules?

I could just as well pass over the supplied ruleset with a Perl script
that skips any rules not starting with pass/block in/out on jail_interface.

A pfctl -i & -f combo would've been great for this purpose.

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

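An added example (not code from anyone in this thread, nor from pf itself) of the two approaches discussed above combined: the rule filter Toomas describes, which keeps only pass/block rules explicitly bound to the jail's interface, feeding a per-jail anchor of the kind Jon suggests. The anchor name jails/<jail>, the interface names jail0 and em0, and the sample ruleset are assumptions constructed for the example; the host pf.conf is assumed to contain an `anchor "jails/*"` line.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code and not part of pf).
# Keep only the pass/block rules that are explicitly bound to one interface,
# reject everything else, and load what survives into a per-jail anchor so a
# jail-supplied ruleset cannot touch traffic on any other interface.
#
# Assumptions (not from the thread): the host pf.conf contains
#     anchor "jails/*"
# and each jail has its own interface, e.g. jail0.

# filter_jail_rules IFACE
#   Reads a ruleset on stdin. Accepted rules go to stdout, rejected ones to
#   stderr prefixed "dropped:". Rule prefixes recognised:
#     (pass|block) [drop|return] [in|out] [log] [quick] on IFACE ...
#   Anything else (nat/rdr, interface lists, macros, log options in
#   parentheses, unknown keywords) is rejected on purpose: those forms could
#   name interfaces other than the jail's.
filter_jail_rules() {
    awk -v iface="$1" '
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*$/ { next }          # blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, w, /[[:space:]]+/)
            i = 1
            ok = 0
            if (w[i] == "pass" || w[i] == "block") {
                i++
                if (w[i] == "drop" || w[i] == "return") i++
                if (w[i] == "in" || w[i] == "out") i++
                if (w[i] == "log") i++
                if (w[i] == "quick") i++
                if (w[i] == "on" && w[i+1] == iface) ok = 1
            }
            if (ok) print
            else print "dropped: " $0 > "/dev/stderr"
        }'
}

# load_jail_rules JAIL IFACE RULEFILE
#   Filters RULEFILE for IFACE and loads the result into anchor jails/JAIL.
#   pfctl reads the ruleset from stdin when the file name is "-".
load_jail_rules() {
    filter_jail_rules "$2" < "$3" | pfctl -a "jails/$1" -f -
}

# Constructed sample ruleset, as a jail administrator might supply it.
SAMPLE_RULES='pass in on jail0 proto tcp from any to (jail0) port 22
block out on jail0 all
# everything below must not survive the filter
block return in quick on jail0 proto udp
pass on em0 all
pass in on { jail0 em0 } all
nat on em0 from 10.0.0.0/8 to any -> (em0)'

# run_sample: returns the three jail0 rules; the other lines are rejected.
run_sample() {
    printf '%s\n' "$SAMPLE_RULES" | filter_jail_rules jail0 2>/dev/null
}

run_sample
```

After `load_jail_rules jail0 jail0 /path/to/jail0.rules`, `pfctl -a jails/jail0 -sr` lists exactly what the filter let through, which is the check Tom proposes for -i/-f applied to the anchor instead. The comment line inside the sample is itself dropped by the filter (comments are skipped), so only the interface-bound rules come out.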
