PF not keeping counters in a counters-defined table

Dobri Dobrev ddobrev85 at gmail.com
Tue Jan 5 19:35:37 UTC 2021


You are correct, Kristof.

If I place the table in the rdr rule - it starts keeping counters, however,
what is the point of having the ability to place a table in a rdr-anchor
rule in the first place, if it won't be able to keep counters?

I'm doing the following scenario:
table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"
# contents of /etc/ASDFGH-anchor:
# (tested separately)
# rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
# rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working

So, in this case - how do I keep counters in the <xyztable> without
breaking the current "workflow"?
If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all rdr
rules @ the anchor - I won't ever be able to reach 123->192.168.0.1:124

Is there a way?

On Tue, Jan 5, 2021 at 8:58 PM Kristof Provost <kp at freebsd.org> wrote:

> On 5 Jan 2021, at 14:42, Dobri Dobrev wrote:
> >  #
> >
> ------------------------------------------------------------------------------------------------
> > # /etc/pf.conf:
> > set timeout tcp.first 45
> > set timeout tcp.opening 45
> > set timeout tcp.closing 15
> > set timeout tcp.finwait 15
> > set timeout tcp.closed 10
> > set timeout interval 10
> > set timeout tcp.established 3600
> > set timeout src.track 10
> >
> > set limit table-entries 500000
> > set limit states 2000000
> > set limit src-nodes 2000000
> > set require-order no
> > set block-policy drop
> > set ruleset-optimization basic
> >
> > set skip on lo0
> >
> > table <xyztable> counters
> > rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> >
> > # contents of /etc/ASDFGH-anchor:
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
> > #
> Use pflog to confirm, but I’m pretty sure your issue is that you’re
> hitting the rdr rule in the anchor, which doesn’t contain the table
> with the counters rather than the anchor rule.
> Counts are only done on the final matching rule, not on all of the rules
> looked at along the way.
>
> Regards,
> Kristof
>
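Added illustration, not from either poster: since pf only counts on the final matching rule and translation rules are first-match, the table can live on the winning rdr rule inside the anchor while a second, generic rdr rule keeps the existing fallback. The top-level rules stay as in the thread; only the anchor file is assumed to change.

```pf
# /etc/pf.conf (top-level rules unchanged from the thread)
table <xyztable> counters
table <othertable> persist

rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
no-rdr on igb0 from any to <othertable> port 123
rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123

load anchor ASDFGH from "/etc/ASDFGH-anchor"

# /etc/ASDFGH-anchor (assumed contents for this example):
# Counters are only updated on the final matching rule, so the table has to be
# on the rdr rule that actually wins. rdr rules are first-match: sources listed
# in <xyztable> match here and the per-address counters increment ...
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124
# ... every other source falls through to the generic redirect (no table, no counters),
# so 123 -> 192.168.0.1:124 stays reachable for addresses not in <xyztable>.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

Check the result with `pfctl -t xyztable -T show -vv` (per-address table counters) and `pfctl -a ASDFGH -v -s nat` (per-rule hit counts inside the anchor); pflog on the matching rule confirms which one won.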

