Dear all,
I am going to set up a ruleset in which, for optimisation purposes, I am
going to use anchors with filters. Playing with it, I unfortunately found
that table handling in anchors simply does not work. I am still trying to dig
deep into the source, but I am not sure that I will find the solution. So,
the basic example is here:
---
table <tab> { 10.1.1.1 }
anchor on xn0 {
pass quick from <tab> to any
}
block
---
And unfortunately, while someone might not use tables, the default rule
optimizing code does, and if it generates a table to be used instead of
many similar rules, it simply will not work.
This bug is present in OpenBSD also.
Thanks in advance,
Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.
On Mon, 22 Dec 2014, kri...@tvnetwork.hu wrote:
Date: Mon, 22 Dec 2014 00:48:27 +0100 (CET)
From: kri...@tvnetwork.hu
To: freebsd-pf@freebsd.org
Subject: Re: nested anchors
Dear all,
In OpenBSD, pfctl.c works right. There was a fix for this bug:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c?rev=1.300&content-type=text/x-cvsweb-markup
I think the relevant diff is:
--- pfctl.c.orig 2014-12-22 00:44:54.000000000 +0100
+++ pfctl.c 2014-12-22 00:41:20.000000000 +0100
@@ -1345,7 +1345,7 @@
else
snprintf(&path[len], MAXPATHLEN - len,
"%s", r->anchor->name);
- name = path;
+ name = r->anchor->name;
} else
name = r->anchor->path;
} else
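Review bot: On the changed line, `name = r->anchor->name;` leaves the `path` buffer that the `snprintf(&path[len], MAXPATHLEN - len, ...)` just above fills unread in this branch, as far as the hunk shows. If nothing after this point uses `path`, the construction should be removed along with the assignment; if something does, a short comment should explain why `name` is the bare anchor name here while the `else` branch below still assigns `r->anchor->path`, since the two branches now hand back different kinds of names.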
It would be nice if this had been applied.
Regards,
Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.
On Sun, 21 Dec 2014, kri...@tvnetwork.hu wrote:
Date: Sun, 21 Dec 2014 20:29:06 +0100 (CET)
From: kri...@tvnetwork.hu
To: freebsd-pf@freebsd.org
Subject: nested anchors
Dear pf devs,
I found that on FreeBSD 10.1 nested anchors do not work.
This simple config passes traffic from any to 10.2.1.0/24:
anchor from any to 10.2.1.0/24 {
pass quick all
block
block log (to pflog1)
}
If the inner pass is enclosed in another anchor, then the filter drops
packets:
anchor from any to 10.2.1.0/24 {
anchor all {
pass quick all
block
}
block log (to pflog1)
}
It would be very nice to have this working.
Regards,
Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"