PF - pf not loading non-persist tables from main ruleset on 8.3-PRERELEASE

Damien Fleuriot ml at my.gd
Fri Apr 13 03:36:41 UTC 2012


I've actually tried with the following, minimalist ruleset, and gotten
the same outcome.
Notice I included a rule of each type (nat, rdr, pass, block).


vlan31="vlan31"
vlan95="vlan95"
vlan710="vlan710"

table <tab_regular> { 192.168.1.1 }
table <tab_const> const { 192.168.2.2 }
table <tab_persist> persist { 192.168.3.3 }

set optimization aggressive
set loginterface $vlan95
set state-policy if-bound
set block-policy drop
set require-order yes

scrub in all no-df random-id

nat on $vlan31 inet from $vlan710:network to any -> 192.168.31.108
rdr pass on $vlan710 proto tcp from $vlan710 to any port 21 -> 127.0.0.1 port 8021

pass in quick on $vlan710
pass out





# Dummy load of the ruleset:
# pfctl -nvvvvf pf.conf
vlan31 = "vlan31"
vlan95 = "vlan95"
vlan710 = "vlan710"
table <tab_regular> { 192.168.1.1 }
table <tab_const> const { 192.168.2.2 }
table <tab_persist> persist { 192.168.3.3 }
set optimization aggressive
set loginterface vlan95
set state-policy if-bound
set block-policy drop
set require-order yes
@0 scrub in all no-df random-id fragment reassemble
@1 nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
@2 rdr pass on vlan710 inet proto tcp from 10.107.10.252 to any port = ftp -> 127.0.0.1 port 8021
@3 pass in quick on vlan710 all flags S/SA keep state (if-bound)
@4 pass out all flags S/SA keep state (if-bound)



# After actual load:
# pfctl -sa
TRANSLATION RULES:
nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
rdr pass on vlan710 inet proto tcp from 10.107.10.252 to any port = ftp -> 127.0.0.1 port 8021

FILTER RULES:
scrub in all no-df random-id fragment reassemble
pass in quick on vlan710 all flags S/SA keep state (if-bound)
pass out all flags S/SA keep state (if-bound)
No queue in use

INFO:
Status: Enabled for 0 days 00:00:35           Debug: Urgent

[ snip stats, timeouts and limits ]

TABLES:
tab_persist





Notice how again, PF only loads "persist" tables and not "const" and
regular ones.




uname -a, on amd64:
FreeBSD 8.3-PRERELEASE #0: Wed Apr 11 09:46:20 CEST 2012


I'm going to switch from RELENG_8 to RELENG_8_3 , update sources,
rebuild, and see if that helps.




On 13 April 2012 05:04, Jason Hellenthal <jhellenthal at dataix.net> wrote:
>
> Did you ever post your ruleset and example tables ? I don't think pf
> changed that much between 8.2-RELEASE and 8.3 as it stands now in the
> aspects that would affect this outcome.
>
> I am on 8.3-STABLE and the configuration of rules sounds similar to
> yours but I am not exhibiting any problems. Rule order is also key here
> so be sure to check that.
>
>
> On Fri, Apr 13, 2012 at 03:39:44AM +0200, Damien Fleuriot wrote:
>> Sending to -pf since nobody in -stable seemed interested.
>>
>> Kindly let me know if I can be of assistance to track down the issue.
>>
>> For the record, a source update against RELENG_8 today (2012/04/12)
>> did not show any updated file regarding PF, so I guess this still is
>> an issue.
>>
>>
>> ---------- Forwarded message ----------
>> From: Damien Fleuriot <ml at my.gd>
>> Date: 12 April 2012 16:08
>> Subject: PF - pf not loading non-persist tables from main ruleset on
>> 8.3-PRERELEASE
>> To: freebsd-stable at freebsd.org
>>
>>
>> Hello list,
>>
>>
>>
>> I installed a box recently and updated it to 8.3-PRERELEASE on 2012/04/11
>>
>>
>> I'm experiencing this extremely weird behavior where PF refuses to
>> load standard and const table definitions from the main ruleset.
>> - persist tables load just fine
>> - normal and const tables inside anchors load just fine
>>
>>
>>
>> Does anyone else have the same problem ?
>>
>> I'll try to update the kernel again, you never know.
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
> --
> ;s =;
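Added example, not part of the original post or of pfctl: a POSIX sh check that predicts which of a ruleset's tables should still exist after `pfctl -f` and compares that with `pfctl -sT` output. It encodes the rule from pf.conf(5) that a table without the `persist` flag is removed by the kernel as soon as no rule refers to it (`const` only forbids later modification of the table). In the minimal ruleset above neither <tab_regular> nor <tab_const> is referenced by any nat, rdr or pass rule, so only <tab_persist> is expected to survive the load. The rulesets and the `pfctl -sT` output are constructed inline from the names in the post; the script never runs pfctl and assumes one table declaration per line, no backslash continuations, no `file "..."` lists and no anchors.

```shell
#!/bin/sh
# Added example (not from the original post): predict which tables pfctl
# should leave loaded and compare that with `pfctl -sT` output.
#
# pf.conf(5): a table that is not flagged `persist` is removed by the kernel
# as soon as no rule refers to it. A table that is declared but never used
# in a rule therefore only survives a ruleset load if it is `persist`.
#
# Assumed simplifications: one declaration per line, no backslash
# continuations, no `file "..."` address lists, no anchors.

# Constructed input: the tables and rules from the post, macros expanded.
POST_RULESET='table <tab_regular> { 192.168.1.1 }
table <tab_const> const { 192.168.2.2 }
table <tab_persist> persist { 192.168.3.3 }
scrub in all no-df random-id
nat on vlan31 inet from 10.107.10.0/23 to any -> 192.168.31.108
rdr pass on vlan710 proto tcp from 10.107.10.252 to any port 21 -> 127.0.0.1 port 8021
pass in quick on vlan710
pass out'

# Constructed variant: a non-persist table that a block rule actually uses.
REF_RULESET="$POST_RULESET
table <tab_used> { 192.168.4.4 }
block in quick on vlan710 from <tab_used> to any"

# Constructed `pfctl -sT` output matching what the post reports after load.
LOADED_AFTER_POST='tab_persist'

# expected_tables RULESET_TEXT
#   Prints, sorted one per line, the declared tables that should still exist
#   after the load: every `persist` table plus every table referenced by a rule.
expected_tables() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*table[[:space:]]*</ {
            # the table name is the first <...> token on the declaration line
            if (match($0, /<[^>]+>/)) {
                name = substr($0, RSTART + 1, RLENGTH - 2)
                declared[name] = 1
                # flags sit between the name and the address list
                decl = $0
                sub(/[{].*/, "", decl)
                if (decl ~ /[[:space:]]persist([[:space:]]|$)/) persist[name] = 1
            }
            next
        }
        {
            # every <name> on a non-declaration line is a rule reference
            s = $0
            while (match(s, /<[^>]+>/)) {
                used[substr(s, RSTART + 1, RLENGTH - 2)] = 1
                s = substr(s, RSTART + RLENGTH)
            }
        }
        END {
            for (n in declared)
                if ((n in persist) || (n in used)) print n
        }' | sort
}

# missing_tables RULESET_TEXT PFCTL_ST_OUTPUT
#   Prints the expected tables that are absent from the `pfctl -sT` output.
#   Empty output means the kernel kept exactly what pf.conf(5) says it should.
missing_tables() {
    expected_tables "$1" | while read -r name; do
        printf '%s\n' "$2" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# Stand-alone run: the post's ruleset keeps only tab_persist, so the
# reported `pfctl -sa` output is consistent with the persist semantics.
echo "expected after loading the post's ruleset:"
expected_tables "$POST_RULESET"
echo "missing from the reported output: $(missing_tables "$POST_RULESET" "$LOADED_AFTER_POST")"
echo "expected after loading the variant with a referenced table:"
expected_tables "$REF_RULESET"
```

On a live box the same check is `missing_tables "$(cat /etc/pf.conf)" "$(pfctl -sT)"` right after `pfctl -f /etc/pf.conf`; a non-empty result is the case worth reporting. A table that is only ever filled from userland (for example a blocklist maintained with `pfctl -t name -T add`) must be declared `persist` or be referenced by a rule, otherwise every ruleset reload silently drops it.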

