pf anchor issues

krichy at tvnetwork.hu krichy at tvnetwork.hu
Thu Dec 25 20:30:20 UTC 2014


Dear all,

I am going to set up a ruleset in which, for optimisation purposes, I am 
going to use anchors with filters. Playing with it ended with the finding that, 
unfortunately, table handling in anchors simply does not work. I am still trying 
to dig deep into the source, but I am not sure that I will find the solution. So, 
the basic example is here:

---
table <tab> { 10.1.1.1 }

anchor on xn0 {
    pass quick from <tab> to any
}

block
---


And unfortunately, while someone might not use tables, the default rule 
optimizing code does, and if it generates a table to be used instead of 
many similar rules, it simply will not work.

This bug is present in OpenBSD also.

Thanks in advance,

Kojedzinszky Richard
Euronet Magyarorszag Informatika Zrt.

On Mon, 22 Dec 2014, krichy at tvnetwork.hu wrote:

> Date: Mon, 22 Dec 2014 00:48:27 +0100 (CET)
> From: krichy at tvnetwork.hu
> To: freebsd-pf at freebsd.org
> Subject: Re: nested anchors
> 
> Dear all,
>
> In openbsd, pfctl.c works right. There was a fix for this bug: 
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c?rev=1.300&content-type=text/x-cvsweb-markup
>
> I think the relevant diff is:
>
> --- pfctl.c.orig	2014-12-22 00:44:54.000000000 +0100
> +++ pfctl.c	2014-12-22 00:41:20.000000000 +0100
> @@ -1345,7 +1345,7 @@
> 			else
> 				snprintf(&path[len], MAXPATHLEN - len,
> 				    "%s", r->anchor->name);
> -			name = path;
> +			name = r->anchor->name;
> 		} else
> 			name = r->anchor->path;
> 	} else
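Review bot: after the `+			name = r->anchor->name;` line, nothing in the visible hunk reads `path` any more, although the `snprintf(&path[len], MAXPATHLEN - len, "%s", r->anchor->name);` directly above (and its `else` branch) still builds it; if `path` is consumed later in the function (for example when the nested ruleset is loaded) a short comment saying so would help, otherwise that `snprintf` becomes dead code and should go with this change. The header `--- pfctl.c.orig	2014-12-22 ...` also shows the diff is against a local copy rather than a repository revision, so the `@@ -1345,7 +1345,7 @@` offsets may not apply to the FreeBSD tree; a diff against the repository file (and a pointer to the OpenBSD rev 1.300 commit message) would make it easier to review and apply.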
>
> It would be nice if this had been applied.
>
> Regards,
> Kojedzinszky Richard
> Euronet Magyarorszag Informatika Zrt.
>
> On Sun, 21 Dec 2014, krichy at tvnetwork.hu wrote:
>
>> Date: Sun, 21 Dec 2014 20:29:06 +0100 (CET)
>> From: krichy at tvnetwork.hu
>> To: freebsd-pf at freebsd.org
>> Subject: nested anchors
>> 
>> Dear pf devs,
>> 
>> I found that on FreeBSD 10.1 nested anchors do not work.
>> 
>> This simple config passes traffic from any to 10.2.1.0/24:
>> 
>> anchor from any to 10.2.1.0/24 {
>>  pass quick all
>>  block
>>  block log (to pflog1)
>> }
>> 
>> 
>> If the inner pass is enclosed in another anchor, then the filter drops 
>> packets:
>> 
>> anchor from any to 10.2.1.0/24 {
>>  anchor all {
>>    pass quick all
>>    block
>>  }
>>  block log (to pflog1)
>> }
>> 
>> It would be very nice to have this working.
>> 
>> Regards,
>> 
>> Kojedzinszky Richard
>> Euronet Magyarorszag Informatika Zrt.
>> _______________________________________________
>> freebsd-pf at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>> 
>
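As an added example (not code from this thread, from FreeBSD or from OpenBSD), here is a small Python lint that reports every `<table>` reference made from inside an anchor block, including nested anchors like the ones in the earlier "nested anchors" message, so a ruleset can be checked for the pattern the thread reports as broken on FreeBSD 10.1 before it is loaded. The mini-parser, the `Finding` type and `SAMPLE_CONF` are my own constructions and only understand the brace layout used in the thread (one `anchor ... {` per line, `}` alone on a line); the optimizer note relies on pf.conf(5) documenting `basic` as the default `ruleset-optimization` level and on pfctl's `-o` override.

```python
"""Static lint for pf.conf: report <table> references made inside anchors.

Added example, not from the mailing-list thread.  It flags the pattern the
thread reports as broken (a rule inside an anchor, or a nested anchor, that
uses a <table>) and notes whether the rule optimizer is still enabled, since
per pf.conf(5) the default 'basic' level may combine similar rules into a
table.  The parser is an assumption: it handles one 'anchor ... {' per line
and '}' alone on a line, and does not handle multi-line '{ ... }' lists.
"""
import re
from dataclasses import dataclass

COMMENT = re.compile(r"#.*$")
TABLE_DEF = re.compile(r"^\s*table\s+<([A-Za-z0-9_]+)>")
TABLE_REF = re.compile(r"<([A-Za-z0-9_]+)>")
ANCHOR_OPEN = re.compile(r"^\s*(anchor\b.*?)\s*\{\s*$")
BLOCK_CLOSE = re.compile(r"^\s*\}\s*$")
OPT_NONE = re.compile(r"^\s*set\s+ruleset-optimization\s+none\b", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the ruleset
    anchors: tuple  # enclosing anchor headers, outermost first
    table: str      # table name referenced by the rule


def lint_tables_in_anchors(conf: str) -> list:
    """Return a Finding for every <table> reference made inside an anchor."""
    stack, findings = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        if TABLE_DEF.match(line):
            continue                    # table definitions are not references
        m = ANCHOR_OPEN.match(line)
        if m:
            stack.append(m.group(1))    # enter an inline anchor block
            continue
        if BLOCK_CLOSE.match(line):
            if stack:
                stack.pop()             # leave the innermost anchor
            continue
        if stack:                       # a rule inside one or more anchors
            for name in TABLE_REF.findall(line):
                findings.append(Finding(no, tuple(stack), name))
    return findings


def optimizer_may_add_tables(conf: str) -> bool:
    """True unless the ruleset sets 'ruleset-optimization none'."""
    return OPT_NONE.search(conf) is None


def format_report(conf: str) -> str:
    lines = []
    for f in lint_tables_in_anchors(conf):
        where = " > ".join(f.anchors)
        lines.append(f"line {f.line}: <{f.table}> used inside anchor(s): {where}")
    if optimizer_may_add_tables(conf):
        lines.append("note: ruleset-optimization is not 'none'; pfctl may build "
                     "tables from similar rules (override with 'pfctl -o none')")
    return "\n".join(lines) if lines else "no table references inside anchors"


# Constructed sample: the two rulesets from the thread plus one top-level rule.
SAMPLE_CONF = """\
table <tab> { 10.1.1.1 }

anchor on xn0 {
    pass quick from <tab> to any
}

anchor from any to 10.2.1.0/24 {
    anchor all {
        pass quick from <tab> to any   # nested: two anchor levels deep
        block
    }
    block log (to pflog1)
}

pass quick from <tab> to any   # top level: not affected
block
"""

if __name__ == "__main__":
    print(format_report(SAMPLE_CONF))
```

Run on `SAMPLE_CONF` it reports lines 4 and 9 (the second with both enclosing anchor headers) and leaves the top-level rule alone; a finding means the ruleset depends on the table-in-anchor behaviour and should be verified on the target release with `pfctl -nf` and `pfctl -a <anchor> -sr` before it is relied on.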

