Similar entries in source tracking table
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Tue May 2 23:06:15 UTC 2017
On Monday, 1 May 2017 19:29:23 CEST Babak Farrokhi wrote:
> Hello,
>
> I was running an experiment with pf in which I encountered an unusual case.
>
> In a nat setup, is it okay to have multiple similar entries in the source
> tracking table?
>
> # pfctl -sS
> 192.168.232.1 -> 192.168.0.104 ( states 0, connections 0, rate 0.0/0s )
> 192.168.232.1 -> 192.168.0.104 ( states 0, connections 0, rate 0.0/0s )
> 192.168.232.1 -> 192.168.0.104 ( states 0, connections 0, rate 0.0/0s )
Such entries can be created from different rules in the currently loaded pf.conf;
that includes multiple rules generated from a single line in pf.conf which
contains a table of ports or interfaces and gets expanded to multiple rules.
Or they can still be alive from a previous load of pf.conf.
> I can reproduce this behavior by reloading pf.conf
That is exactly the case. Each source tracking entry is bound to a rule, and when
you load pf.conf a new set of rules replaces the old ones, even if they are the
same.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
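As an added illustration (not part of the thread above), a small sh/awk helper that spots repeated src -> dst pairs in `pfctl -sS` output and counts entries with no live states, which is what reload leftovers look like in the question. The function names are assumptions, and the sample output is constructed from the lines quoted in the question.

```shell
#!/bin/sh
# Added example, not from the original thread: inspect `pfctl -sS`
# output for duplicate source-tracking entries. Repeated src -> dst
# pairs with "states 0" are typically left over from rules that a
# pf.conf reload replaced, as explained in the reply above.

# Constructed sample of `pfctl -sS` output, modelled on the question.
SAMPLE_PFCTL_SS='192.168.232.1 -> 192.168.0.104 ( states 0, connections 0, rate 0.0/0s )
192.168.232.1 -> 192.168.0.104 ( states 0, connections 0, rate 0.0/0s )
192.168.232.1 -> 192.168.0.104 ( states 0, connections 0, rate 0.0/0s )
192.168.232.7 -> 192.168.0.104 ( states 3, connections 1, rate 0.0/0s )'

# Read pfctl -sS lines on stdin; print "count src -> dst" for every
# src -> dst pair that appears more than once.
find_dup_src_track() {
    awk '$2 == "->" { n[$1 " -> " $3]++ }
         END { for (k in n) if (n[k] > 1) print n[k], k }'
}

# Read pfctl -sS lines on stdin; print how many entries carry no
# live states (candidates for stale entries after a reload).
count_idle_entries() {
    awk '/\( states 0,/ { c++ } END { print c + 0 }'
}

# Against a live system the same check is:  pfctl -sS | find_dup_src_track
printf '%s\n' "$SAMPLE_PFCTL_SS" | find_dup_src_track
printf '%s\n' "$SAMPLE_PFCTL_SS" | count_idle_entries
```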