Hi All,

Having an issue with anchors and tables again. I had this same issue a couple of years ago in 4.5 but never got any response, so I'm hoping someone can shed some light on what I'm missing here, or on whether this is even supported. I'm trying to use an overload rule inside of an anchor to populate a table defined outside of all anchors. I haven't seen anything that specifically says this isn't supported, but if that's the case I'd like to get it clarified. Here are snippets of pf.conf that don't work, and one that does, and an explanation of why I can't just use the one that does work without side effects.
Thanks in advance,
J

Doesn't work:

##############
### Tables ###
##############
table <blocked_sites> persist

#######################
#### Blocked Sites ####
#######################
anchor "Blocked_Sites" {
    block in quick from <blocked_sites> to any
}

###############
### TEST_IN ###
###############
anchor "TEST_IN" {
    pass in log quick on em0 inet proto tcp \
        from any to <TEST_IN_dst> \
        port { 443 } keep state \
        (max 100, source-track rule, max-src-nodes 10, max-src-states 20, max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
}

But remove the anchor from the overload rule and it works fine:

##############
### Tables ###
##############
table <blocked_sites> persist

#######################
#### Blocked Sites ####
#######################
anchor "Blocked_Sites" {
    block in quick from <blocked_sites> to any
}

###############
### TEST_IN ###
###############
#anchor "TEST_IN" {
    pass in log quick on em0 inet proto tcp \
        from any to <TEST_IN_dst> \
        port { 443 } keep state \
        (max 100, source-track rule, max-src-nodes 10, max-src-states 20, max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
#}

This would be simple enough, but I want to be able to parse my logs using the anchor names, which isn't possible using the 2nd method. The docs say this should just work from everything I can tell; I can "read" from a global table from within an anchor but am failing to "write" to it from within an anchor using the overload rule.
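The check I would run before going any further is to look at the table at both scopes after the rate limit has been tripped: pfctl can list a table in the main ruleset (`pfctl -t ... -T show`) and separately inside an anchor (`pfctl -a ANCHOR -t ... -T show`), so it is possible to see whether the overload populated the global <blocked_sites> or a table of the same name that only exists inside TEST_IN. The script below is an added diagnostic, not something from the original post; it assumes the table and anchor names used above, that pfctl is run as root against the loaded ruleset, and that the max-src-conn-rate 2/15 limit has already been exceeded from a test client (that part is not automated here).

```shell
#!/bin/sh
# Added diagnostic (not from the original post): after the
# max-src-conn-rate limit has been tripped, find out at which scope pf
# placed the offending address. Assumes the table name (blocked_sites)
# and anchor name (TEST_IN) from the post; both can be overridden via
# the environment.

TABLE=${TABLE:-blocked_sites}
ANCHOR=${ANCHOR:-TEST_IN}

# Print the addresses currently in TABLE at a given scope: "main" for the
# top-level ruleset, otherwise the name of an anchor.
list_table() {
    if [ "$1" = main ]; then
        pfctl -t "$TABLE" -T show 2>/dev/null
    else
        pfctl -a "$1" -t "$TABLE" -T show 2>/dev/null
    fi
}

# Count non-empty lines on stdin (pfctl -T show prints one address per
# line). grep -c prints 0 but exits 1 on no match, hence the || true.
count_addrs() {
    grep -c . || true
}

# Verdict from two counts: addresses in the main-ruleset table, then
# addresses in the anchor-scoped table of the same name.
verdict() {
    if [ "$1" -gt 0 ]; then
        echo "overload populated the main-ruleset table <$TABLE>"
    elif [ "$2" -gt 0 ]; then
        echo "overload populated a table <$TABLE> private to anchor $ANCHOR"
    else
        echo "no address in <$TABLE> at either scope; overload not triggered yet?"
    fi
}

# Live checks only where pf is present; each pfctl call is allowed to
# fail so a non-root run still reports what it can.
if command -v pfctl >/dev/null 2>&1; then
    echo "== rule as loaded inside anchor $ANCHOR =="
    pfctl -a "$ANCHOR" -sr || true
    echo "== tables visible in the main ruleset =="
    pfctl -s Tables || true
    echo "== tables visible inside anchor $ANCHOR =="
    pfctl -a "$ANCHOR" -s Tables || true
    main_n=$(list_table main | count_addrs)
    anchor_n=$(list_table "$ANCHOR" | count_addrs)
    verdict "$main_n" "$anchor_n"
fi
```

If the second listing (`pfctl -a TEST_IN -s Tables`) shows a blocked_sites entry that the main-ruleset listing does not, the overload rule is writing to an anchor-local table rather than the global one, and the block rule in the Blocked_Sites anchor never sees those addresses; if only the main-ruleset table fills, the overload path works and the problem lies elsewhere.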