kern/183198: pf tables not loaded if only used inside anchor

Ole Myhre ole at dataoppdrag.no
Tue Oct 22 11:20:01 UTC 2013


>Number:         183198
>Category:       kern
>Synopsis:       pf tables not loaded if only used inside anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 11:20:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Ole Myhre
>Release:        10.0-BETA1
>Organization:
>Environment:
FreeBSD fw 10.0-BETA1 FreeBSD 10.0-BETA1 #0 r256420: Sun Oct 13 01:43:07 UTC 2013     root at snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When tables in pf (either manually created tables or automatic tables generated from macros/rules) are used only inside anchors, the tables are not loaded when running "pfctl -f".

This is especially a problem if you are using macros for groups of addresses and that group is converted to an automatic table: the rule inside the anchor works while the macro holds only a few addresses, but once you add a few more, the rule points to a table that is not loaded.

I see the same behavior on 9.1-RELEASE.

Example with manual table:

# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in from <test> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t test -T show
pfctl: Table does not exist.

# echo "pass in on em0 from <test>" >> /etc/pf.conf
# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
pass in on em0 from <test>

# pfctl -f /etc/pf.conf
# pfctl -sT
test
# pfctl -t test -T show
   10.0.0.1
   10.0.0.2
   10.0.0.3


Example with automatic table:

# cat /etc/pf.conf
block in

anchor "em0" on em0 {
 pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_13de2d31_0> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t __automatic_13de2d31_0 -T show
pfctl: Table does not exist.
# echo "pass in on em0 from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }" >> /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state
# pfctl -sT
__automatic_b3d57307_0

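A small static check for the condition shown in the examples above (added here; it is not part of the report or of pf itself): it walks a pf.conf, tracks anchor brace depth, and lists tables that are referenced only inside anchors and so would not be loaded by "pfctl -f". The sample config, the second <admins> table and the function names are constructed for this example.

```python
import re

# Constructed pf.conf mirroring the report: <test> is declared at top level
# but referenced only inside the "em0" anchor; <admins> is also referenced by
# a top-level rule, which is the workaround the report uses.
SAMPLE_CONF = """\
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
table <admins> { 192.0.2.10 }   # constructed second table

block in

anchor "em0" on em0 {
 pass in from <test>
 pass in proto tcp from <admins> to port ssh
}
pass in on em0 from <admins>
"""

TABLE_REF = re.compile(r"<([A-Za-z0-9_:.-]+)>")

def table_references(conf):
    """Return {table: {"top": bool, "anchor": bool}} for every <table> a rule
    references, split by whether the rule sits inside an anchor block.
    'table <x> ...' declarations are skipped on purpose: the report shows that
    a declaration alone does not make pfctl load the table.  Anchor nesting is
    tracked by brace depth, so a brace address list split across several lines
    would be miscounted (kept simple for the example)."""
    refs = {}
    depth = 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if not line.startswith("table"):
            for name in TABLE_REF.findall(line):
                entry = refs.setdefault(name, {"top": False, "anchor": False})
                entry["anchor" if depth > 0 else "top"] = True
        depth += line.count("{") - line.count("}")
    return refs

def tables_only_in_anchors(conf):
    """Tables that hit kern/183198: referenced inside anchors, never at top level."""
    return sorted(name for name, use in table_references(conf).items()
                  if use["anchor"] and not use["top"])

if __name__ == "__main__":
    for name in tables_only_in_anchors(SAMPLE_CONF):
        print(f"table <{name}> is referenced only inside an anchor; "
              f"'pfctl -f' will not load it. Confirm with: pfctl -t {name} -T show")
```

After loading the real ruleset, "pfctl -sT" shows which tables actually exist, which is the check the report itself uses.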
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: