`echo <something> | pfctl -mf -` overriding instead of modifying

Niklaas Baudet von Gersdorff stdin at niklaas.eu
Thu May 26 19:50:55 UTC 2016


Max [2016-05-26 15:28 +0300]:

> Can you try something like
> exec.poststart = "/bin/sh /path/to/pf-config.sh $name $private_ip4 $private_ip6"
> 
> where pf-config.sh contains
> #!/bin/sh
> echo "rdr pass on vtnet0 inet  proto { udp tcp } to vtnet0 port domain ->   $2
> rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain ->   $3" | pfctl -a "jails/$1" -Nf -

Thanks a lot for your input. I guess that would work but I managed to
solve it the following way:

    # One anchor per rule: "pfctl -a <anchor> -f -" replaces the whole ruleset
    # of that anchor, so a second load into the same anchor would drop the
    # rule loaded first.
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain ->   $private_ip6' | pfctl -a 'jails/$name-ipv6' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet  proto { udp tcp } to vtnet0 port domain ->   $private_ip4' | pfctl -a 'jails/$name-ipv4' -f -";
    # Flush both anchors again when the jail stops.
    exec.poststop  += "pfctl -a jails/$name-ipv6 -F all";
    exec.poststop  += "pfctl -a jails/$name-ipv4 -F all";

The trick is to use two anchors. This way no rules are replaced and both
stay active.

    Niklaas
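
The same idea as a stand-alone script, with one anchor per jail and a single load per anchor. This is an added example, not code from the thread. The point it works around is the one in the subject line: `pfctl -a <anchor> -f -` installs the text on stdin as the anchor's complete ruleset, replacing whatever was there, so two separate `echo | pfctl` calls into one anchor leave only the second rule. Feeding both rules through one pipe (Max's suggestion) or using two anchors (Niklaas's solution) both avoid that; the script takes the one-pipe route so poststart and poststop each need one line in jail.conf. Assumptions not stated in the thread: the script path /usr/local/etc/jail-pf.sh is hypothetical, the outer interface is vtnet0, anchors are named jails/<jailname>, and the main pf.conf carries `rdr-anchor "jails/*"`, without which rules loaded into these anchors are never evaluated.

```sh
#!/bin/sh
# jail-pf.sh -- added example, not from the thread. Builds the rdr rules for
# one jail and loads them into that jail's pf anchor in ONE pfctl call, or
# flushes the anchor again. Hypothetical jail.conf wiring:
#   exec.poststart += "/bin/sh /usr/local/etc/jail-pf.sh start $name $private_ip4 $private_ip6";
#   exec.poststop  += "/bin/sh /usr/local/etc/jail-pf.sh stop  $name";
# Assumed (not stated in the thread): outer interface vtnet0, anchors named
# jails/<jailname>, and rdr-anchor "jails/*" present in the main pf.conf.

PF_IF=${PF_IF:-vtnet0}
ANCHOR_PREFIX=${ANCHOR_PREFIX:-jails}

# jail_anchor NAME -> anchor path used for this jail
jail_anchor() {
    printf '%s/%s\n' "$ANCHOR_PREFIX" "$1"
}

# jail_rdr_rules IP4 IP6 -> the complete ruleset for the anchor, both address
# families in one text, so a single "pfctl -f -" installs both rules.
# (A second load into the same anchor would replace, not add to, the first.)
jail_rdr_rules() {
    ip4=$1 ip6=$2
    # one rule per line; pf.conf has no continuation before a bare "->"
    printf 'rdr pass on %s inet  proto { udp tcp } to %s port domain -> %s\n' \
        "$PF_IF" "$PF_IF" "$ip4"
    printf 'rdr pass on %s inet6 proto { udp tcp } to %s port domain -> %s\n' \
        "$PF_IF" "$PF_IF" "$ip6"
}

# jail_pf start|stop NAME [IP4 IP6]
# With pfctl available the rules are loaded/flushed; otherwise the command
# that would have run is printed, so the logic can be checked on any host.
jail_pf() {
    action=$1 name=$2 ip4=$3 ip6=$4
    anchor=$(jail_anchor "$name")
    case $action in
    start)
        if command -v pfctl >/dev/null 2>&1; then
            jail_rdr_rules "$ip4" "$ip6" | pfctl -a "$anchor" -f -
        else
            printf '# would run: pfctl -a %s -f - <<EOF\n' "$anchor"
            jail_rdr_rules "$ip4" "$ip6"
            printf 'EOF\n'
        fi
        ;;
    stop)
        # -F all restricted to an anchor clears that anchor's ruleset
        if command -v pfctl >/dev/null 2>&1; then
            pfctl -a "$anchor" -F all
        else
            printf '# would run: pfctl -a %s -F all\n' "$anchor"
        fi
        ;;
    *)
        echo "usage: $0 start NAME IP4 IP6 | stop NAME" >&2
        return 2
        ;;
    esac
}

# Behave as a script when given arguments; harmless when sourced.
if [ $# -gt 0 ]; then
    jail_pf "$@"
fi
```

After the jail is up, `pfctl -a jails/<name> -sn` should list both rdr rules; `pfctl -a jails -sA` lists the per-jail anchors that currently exist. The `-N` from Max's version would restrict the load to translation rules; it is left out here because the generated ruleset contains nothing else. On a host without pfctl the script only prints what it would run, which is how it can be exercised offline.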