PF not keeping counters in a counters-defined table

Dobri Dobrev ddobrev85 at gmail.com
Tue Jan 5 19:49:09 UTC 2021


Hopefully someone else will be able to help.

On Tue, Jan 5, 2021 at 9:42 PM Kristof Provost <kp at freebsd.org> wrote:

> On 5 Jan 2021, at 20:35, Dobri Dobrev wrote:
> > You are correct, Kristof.
> >
> > If I place the table in the rdr rule - it starts keeping counters,
> > however, what is the point of having the ability to place a table in a
> > rdr-anchor rule in the first place, if it won't be able to keep counters?
> >
> >
> Tables are not just about counters. They’re about making a rule filter
> on a whole selection of addresses (or ranges).
> In this case you’re choosing to filter what traffic may go into the
> anchor.
> Maybe consider not filtering on the rdr-anchor rule, but on the rdr rule
> in the anchor itself?
>
> > I'm doing the following scenario:
> > table <xyztable> counters
> > table <othertable> persist
> >
> > rdr-anchor "ASDFGH" on igb0 proto tcp from <xyztable> to any port 123
> > no-rdr on igb0 from any to <othertable> port 123
> > rdr-anchor "ASDFGH" on igb0 proto tcp from any to any port 123
> >
> > load anchor ASDFGH from "/etc/ASDFGH-anchor"
> > # contents of /etc/ASDFGH-anchor:
> > # (tested separately)
> > # rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # no counters
> > # rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124 # counters working
> >
> > So, in this case - how do I keep counters in the <xyztable> without
> > breaking the current "workflow"?
> > If IP 192.168.0.1 is not in <othertable> and I have <xyztable> on all
> > rdr rules @ the anchor - I won't ever be able to reach
> > 123->192.168.0.1:124
> >
> > Is there a way?
>
> I have no idea, and I’m not the best person to talk to about how to
> configure your firewall.
>
> Best regards,
> Kristof
>


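As an added illustration (not part of the thread, and not a configuration either poster tested): one way to follow Kristof's suggestion of matching the table inside the anchor rather than on the rdr-anchor rule, while leaving the rdr-anchor and no-rdr lines above unchanged. It assumes the anchor file is still loaded as `/etc/ASDFGH-anchor` for anchor "ASDFGH" and relies on pf evaluating translation rules first-match, so sources listed in <xyztable> stop at the first rule (which updates the table counters) and all other sources fall through to the catch-all.

```pf
# /etc/ASDFGH-anchor  (added example, assumed layout; not from the original post)
#
# Rule 1: only sources in <xyztable> match here, so the table counters are
#         updated for them, as observed in the thread when the table is
#         referenced by the rdr rule itself.
rdr on igb0 proto tcp from <xyztable> to 192.168.0.1 port 123 -> 192.168.0.1 port 124

# Rule 2: everything else that entered the anchor via the catch-all
#         rdr-anchor rule is still redirected, so the existing workflow
#         (123 -> 192.168.0.1:124 for non-table sources) keeps working.
rdr on igb0 proto tcp from any to 192.168.0.1 port 123 -> 192.168.0.1 port 124
```

After reloading, `pfctl -a ASDFGH -s nat -v` shows per-rule evaluation and packet counters inside the anchor, and `pfctl -t xyztable -T show -vv` shows the per-address counters of the table, which is the check that confirms whether the counters are actually being kept.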