`echo <something> | pfctl -mf -` overriding instead of modifying

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Wed May 18 07:24:11 UTC 2016


Note: crossposting in freebsd-questions and freebsd-pf

On a 10.3-RELEASE system, in my `/etc/pf.conf` I have the following lines:

    ext_if="vtnet0"
    ...
    rdr-anchor "jails/*" on $ext_if inet to $ext_if

In my `/etc/jail.conf` I have the following lines for some jail:

    exec.poststart += "echo 'rdr pass on vtnet0 inet  proto { udp tcp } to vtnet0 port domain ->   $private_ip4' | pfctl -a 'jails/$name' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain ->   $private_ip6' | pfctl -a 'jails/$name' -mf -";

Nonetheless, if I start the jail, only the inet6 rules will stay in the
appropriate anchor. The inet rules will be overridden.

Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and
realised that making changes to the anchor overrides existing rules. So
I read pfctl(8) where it says

     -m      Merge in explicitly given options without resetting those
     which are omitted.  Allows single options to be modified without
     disturbing the others:

        # echo "set loginterface fxp0" | pfctl -mf -

So I thought that adding `-m` to the rule in the second `exec.poststart`
will include (instead of replace) the rules into the anchor. But this is
not the case. What am I doing wrong? Do I misunderstand `-m`?
    
    Niklaas
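An added illustration, not part of the original post: `-m` only merges `set` options (as the quoted pfctl(8) text and its `set loginterface` example show); every `pfctl -a <anchor> -f -` still replaces the anchor's whole ruleset, so the second `exec.poststart` wipes the first. The usual fix is to emit both rules as one text and load them in a single pfctl call. Interface, jail name and addresses below are placeholders.

```sh
#!/bin/sh
# Build the complete rdr ruleset for one jail and load it into its anchor
# with ONE "pfctl -f" invocation. Loading rules into an anchor replaces
# what was there; "-m" merges "set" options only, it does not append rules.

# Print the two rdr rules for a jail.
# $1 = external interface, $2 = jail IPv4 address, $3 = jail IPv6 address
jail_rdr_rules() {
    ext_if=$1; ip4=$2; ip6=$3
    printf 'rdr pass on %s inet  proto { udp tcp } to %s port domain -> %s\n' \
        "$ext_if" "$ext_if" "$ip4"
    printf 'rdr pass on %s inet6 proto { udp tcp } to %s port domain -> %s\n' \
        "$ext_if" "$ext_if" "$ip6"
}

# Number of rules that will be loaded (useful as a sanity check).
jail_rdr_rule_count() {
    jail_rdr_rules "$@" | wc -l | tr -d ' '
}

# Replace the jail's anchor contents with the full ruleset in one load.
# $1 = jail name (anchor is "jails/<name>"), remaining args as above.
load_jail_anchor() {
    name=$1; shift
    jail_rdr_rules "$@" | pfctl -a "jails/$name" -f -
}

# Show what ended up in the anchor (nat/rdr rules only).
show_jail_anchor() {
    pfctl -a "jails/$1" -sn
}

# In jail.conf this becomes a single line, e.g. (placeholder values):
#   exec.poststart += "/usr/local/bin/load_jail_anchor.sh $name vtnet0 $private_ip4 $private_ip6";
# Direct usage (commented out so the script runs where pfctl is absent):
# load_jail_anchor "$1" "$2" "$3" "$4" && show_jail_anchor "$1"
```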
