You are correct, Kristof. If I place the table in the rdr rule - it starts keeping counters, however, what is the point of having the ability to place a table in a rdr-anchor rule in the first place, if it won't be able to keep counters?
I'm doing the following scenario:

table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124          # no counters
# rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124   # counters working

So, in this case - how do I keep counters in the <xyztable> without breaking the current "workflow"?
If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124

Is there a way?

On Tue, Jan 5, 2021 at 8:58 PM Kristof Provost <k...@freebsd.org> wrote:
> On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> > #
> > # ------------------------------------------------------------------------------------------------
> > # /etc/pf.conf:
> > set timeout tcp.first 45
> > set timeout tcp.opening 45
> > set timeout tcp.closing 15
> > set timeout tcp.finwait 15
> > set timeout tcp.closed 10
> > set timeout interval 10
> > set timeout tcp.established 3600
> > set timeout src.track 10
> >
> > set limit table-entries 500000
> > set limit states 2000000
> > set limit src-nodes 2000000
> > set require-order no
> > set block-policy drop
> > set ruleset-optimization basic
> >
> > set skip on lo0
> >
> > table <xyztable> counters
> > rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> >
> > # contents of /etc/ASDFGH-anchor:
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> > #
> Use pflog to confirm, but I'm pretty sure your issue is that you're
> hitting the rdr rule in the anchor, which doesn't contain the table
> with the counters rather than the anchor rule.
> Counts are only done on the final matching rule, not on all of the rules
> looked at along the way.
>
> Regards,
> Kristof
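As an added illustration, not configuration from either poster: one ordering of the anchor in which traffic from <xyztable> ends on a rule that carries the table (and is therefore counted, since only the final matching rule counts), while every other source still reaches the same redirect. It reuses the names from the thread and assumes that pf evaluates translation (rdr) rules first-match, so the table-bearing rule must come first.

```conf
# /etc/pf.conf (added example; table, anchor and interface names reused from the thread)
table <xyztable> counters
table <othertable> persist

# Both entry points lead into the same anchor. Nothing is counted here:
# the rdr-anchor rule is not the final matching rule.
rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor
# Assumption: translation rules are first-match, so the order below matters.
#
# 1. Table-bearing rule first: a source in <xyztable> stops here, and because
#    this is the final matching rule, the table entry's counters are updated.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
#
# 2. Catch-all second: any other source gets the same redirect, so
#    123 -> 192.168.0.1:124 stays reachable without being in the table.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Check (assumed commands): per-entry counters and the loaded anchor rules
#   pfctl -t xyztable -T show -v
#   pfctl -a ASDFGH -s nat
```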