James,
I can confirm. If a table is created by an anchor with the same name as
an existing table the following error is printed:
pfctl: warning: namespace collision with <BLOCKTEMP> global table.
The anchor's table is different from the main pf table.
pfctl -vvs Tables
--a-rhC BLOCKTEMP
Addresses: 12
Cleared: Wed Dec 31 19:00:00 1969
pfctl -a games -vvs Tables
--a-r-C BLOCKTEMP games
Addresses: 0
Cleared: Wed Jun 2 16:40:14 2010
--
Calomel @ https://calomel.org
Open Source Research and Reference
On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:
>On Wed, Jun 2, 2010 at 10:48 AM, James Records <james.records gmail.com>wrote:
>
>> Hi All,
>>
>> Having an issue with anchors and tables again, I had this same issue a
>> couple of years ago in 4.5 but never got any response, hoping someone can
>> shed some light onto what I'm missing here, or if this is even supported,
>> I'm trying to use an overload rule inside of an anchor to populate a table
>> defined outside of all anchors. I haven't seen anything that specifically
>> says this isn't supported, but if that's the case I'd like to get it
>> clarified. Here are snippets of pf.conf that don't work, and one that does,
>> and an explanation of why I can't just use the one that does work without
>> side effects.
>>
>> Thanks in advance,
>>
>> J
>>
>>
>>
>> Doesn't work:
>>
>> ##############
>> #### Tables ###
>> ##############
>> table <blocked_sites> persist
>>
>> #####################
>> #### Blocked Sites ####
>> #####################
>> anchor "Blocked_Sites" {
>> block in quick from <blocked_sites> to any
>> }
>>
>> ##############
>> ### TEST_IN ###
>> ##############
>> anchor "TEST_IN" {
>> pass in log quick on em0 inet proto tcp \
>> from any to <TEST_IN_dst> \
>> port { 443 } keep state \
>> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
>> max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
>> }
>>
>>
>> But remove the anchor from the overload rule and it works fine:
>>
>> ###############
>> #### Tables ####
>> ###############
>> table <blocked_sites> persist
>>
>> #####################
>> #### Blocked Sites ####
>> #####################
>> anchor "Blocked_Sites" {
>> block in quick from <blocked_sites> to any
>> }
>>
>> ###############
>> ### TEST_IN ###
>> ###############
>> #anchor "TEST_IN" {
>> pass in log quick on em0 inet proto tcp \
>> from any to <TEST_IN_dst> \
>> port { 443 } keep state \
>> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
>> max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
>> #}
>>
>> This would be simple enough but I want to be able to parse my logs using
>> the anchor names; this isn't possible using the 2nd method.
>>
>> The docs say this should just work from everything I can tell, I can "read"
>> from a global table from within an anchor but am failing to "write" to it
>> from within an anchor using the overload rule.
>>
>
>
>
>Just an update, I've done some more digging, it seems like I'm running into
>an issue where it's creating a new table inside the anchor, I'm thinking this
>is just a bug where the table gets created because it doesn't look outside
>of the anchor to see if one already exists, but I just want to get another
>pair of eyes to confirm.
>
>Thanks
>J
>
> pfctl -vvs Tables
>-pa--h- blocked_sites
> Addresses: 0
> Cleared: Wed Jun 2 06:10:20 2010
> References: [ Anchors: 3 Rules: 0 ]
> Evaluations: [ NoMatch: 162 Match: 0 ]
> In/Block: [ Packets: 0 Bytes: 0 ]
> In/Pass: [ Packets: 0 Bytes: 0 ]
> In/XPass: [ Packets: 0 Bytes: 0 ]
> Out/Block: [ Packets: 0 Bytes: 0 ]
> Out/Pass: [ Packets: 0 Bytes: 0 ]
> Out/XPass: [ Packets: 0 Bytes: 0 ]
>
>$ pfctl -a "TEST_IN" -vvs Tables
>--a-r-- blocked_sites TEST_IN
> Addresses: 1
> Cleared: Wed Jun 2 01:55:11 2010
> References: [ Anchors: 0 Rules: 5 ]
> Evaluations: [ NoMatch: 114 Match: 69 ]
> In/Block: [ Packets: 69 Bytes: 6732 ]
> In/Pass: [ Packets: 0 Bytes: 0 ]
> In/XPass: [ Packets: 0 Bytes: 0 ]
> Out/Block: [ Packets: 0 Bytes: 0 ]
> Out/Pass: [ Packets: 0 Bytes: 0 ]
> Out/XPass: [ Packets: 0 Bytes: 0 ]
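As an added check that is not part of this thread: the script below parses `pfctl -vvs Tables` output collected from the main ruleset and each anchor and reports table names that exist in more than one scope, which is exactly the shadowing shown above (an anchor-local blocked_sites filled by overload while the global one stays empty). It assumes the pfctl table listing format (seven flag characters, table name, anchor name only for anchor tables) and, for live collection, that `pfctl -s Anchors -v` lists anchors recursively; the sample input is constructed from the listings in this thread.

```shell
#!/bin/sh
# Report pf tables whose name appears in more than one anchor scope.
# Input is concatenated "pfctl -vvs Tables" output; table header lines are
#   -pa--h-  blocked_sites            (main ruleset, no anchor column)
#   --a-r--  blocked_sites  TEST_IN   (table living inside anchor TEST_IN)
# Flags are the 7 characters c p a i r h C ('-' when unset).
pf_table_scopes() {
    awk '
        length($1) == 7 && $1 ~ /^[-cpairhC]+$/ && NF >= 2 {
            name  = $2
            scope = (NF >= 3) ? $3 : "(main)"
            if (!((name, scope) in seen)) {
                seen[name, scope] = 1
                scopes[name] = (name in scopes) ? scopes[name] " " scope : scope
                count[name]++
            }
        }
        END {
            for (n in count)
                if (count[n] > 1)
                    printf "SHADOWED %s: %s\n", n, scopes[n]
        }
    '
}

# Live collection (root + pfctl required; assumes -s Anchors -v recurses).
pf_collect_tables() {
    pfctl -vvs Tables
    pfctl -s Anchors -v | while IFS= read -r a; do
        pfctl -a "$a" -vvs Tables
    done
}

# Constructed sample mirroring the thread: blocked_sites and BLOCKTEMP exist
# both globally and inside an anchor; whitelist exists only globally.
SAMPLE=$(cat <<'EOF'
-pa--h- blocked_sites
  Addresses: 0
  References: [ Anchors: 3 Rules: 0 ]
-pa---- whitelist
  Addresses: 4
--a-rhC BLOCKTEMP
  Addresses: 12
--a-r-- blocked_sites TEST_IN
  Addresses: 1
  References: [ Anchors: 0 Rules: 5 ]
--a-r-C BLOCKTEMP games
  Addresses: 0
EOF
)

printf '%s\n' "$SAMPLE" | pf_table_scopes
```

Replace the sample with `pf_collect_tables | pf_table_scopes` on a live system; any SHADOWED line means an overload or rule inside that anchor is using a different table than the one the main ruleset reads.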