weird nested anchors behaviour
Roman Bogorodskiy
novel at FreeBSD.org
Tue Nov 27 07:55:56 PST 2007
Hi,
I have a weird problem with pf nested anchors.
(18:31) novel at novel:~ %> sudo pfctl -s Anchors
0001
clients
(18:31) novel at novel:~ %> sudo pfctl -a "clients/test" -f rule
(18:32) novel at novel:~ %> sudo pfctl -s Anchors
0001
clients
test
(18:32) novel at novel:~ %> sudo pfctl -s Anchors -a clients
clients/0001
clients/foobar
clients/test
(18:32) novel at novel:~ %> cat rule
pass in quick on tun0 from 172.22.7.7 to <something> label "st:4:test2 at foo:2:1:foo:in"
pass out quick on tun0 from <something> to 172.22.7.7 label "st:4:test2 at foo:2:1:foo:out"
(18:32) novel at novel:~ %>
Why does it create a global anchor 'test' when it should create just a
nested anchor 'clients/test'? I noticed this happens only if I use
tables in rules for the nested anchor. However, it doesn't matter whether
these tables are local or global, defined or not; it makes no
difference.
Moreover, I cannot flush anchors created that way (usually "pfctl -a
anchor -F all" removes anchors from the list, but it doesn't happen for
the anchors created that way).
Is this expected behaviour, or maybe I'm missing something?
I've tested it on two boxes, both are 6.2-STABLE, one i386 and another
is amd64.
Roman Bogorodskiy
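A check for the behaviour described in the post, added here as an example and not part of the original message: snapshot the top-level anchor list (pfctl -s Anchors) before and after loading rules into a nested anchor, and report any anchor that newly appeared at the top level. With PF_LIVE=1 (run as root on a FreeBSD box with pf) it executes the real pfctl commands; otherwise it replays constructed listings that mirror the ones in the post. The anchor name "clients/test", the rule file "rule", and the PF_LIVE switch are assumptions of this example. Diffing before/after avoids flagging anchors such as "0001" that legitimately exist at both levels.

```shell
#!/bin/sh
# Detect a nested-anchor load that leaks an anchor into the top level.
# Assumptions (not from the post): ANCHOR, RULES and the PF_LIVE switch.

ANCHOR=${ANCHOR:-clients/test}   # nested anchor to load into
RULES=${RULES:-rule}             # rule file to load into it

# Constructed sample listings (not captured from a real box); they mirror
# the "pfctl -s Anchors" output shown before and after the load in the post.
SAMPLE_BEFORE='0001
clients'
SAMPLE_AFTER='0001
clients
test'

# Print the top-level anchor list; $1 is "before" or "after" (used only to
# choose a constructed sample when pfctl is not being run).
top_level_anchors() {
    if [ "${PF_LIVE:-0}" = 1 ]; then
        pfctl -s Anchors
    elif [ "$1" = after ]; then
        printf '%s\n' "$SAMPLE_AFTER"
    else
        printf '%s\n' "$SAMPLE_BEFORE"
    fi
}

# Print every non-empty line of $2 (after) that is not a line of $1 (before).
new_top_level_anchors() {
    printf '%s\n' "$2" | awk -v before="$1" '
        BEGIN { n = split(before, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# Load the rules into the nested anchor and print the anchors that newly
# showed up at the top level. Empty output means nothing leaked.
check_nested_load() {
    before=$(top_level_anchors before)
    if [ "${PF_LIVE:-0}" = 1 ]; then
        pfctl -a "$ANCHOR" -f "$RULES"
    fi
    after=$(top_level_anchors after)
    new_top_level_anchors "$before" "$after"
}

leaked=$(check_nested_load)
if [ -n "$leaked" ]; then
    echo "anchors that appeared at the top level after loading into $ANCHOR:"
    printf '%s\n' "$leaked" | sed 's/^/  /'
else
    echo "no top-level anchors leaked"
fi
```

Run it as root with PF_LIVE=1 ANCHOR=clients/test RULES=rule to reproduce the report against a live pf; with the constructed samples it prints "test" as the leaked anchor, matching the listings above.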