I am not understanding something about pf

Doug Hardie bc979 at lafn.org
Sat Dec 12 03:30:08 UTC 2009


I am running 7.2-Stable with pf.  I have the following pf.conf:

no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

This is the basic spamd configuration with an extra table <spamd-white-local> which lists hosts to go directly to the mail server.  Everything works properly.  Hosts not in either spamd table go to spamd and those in either spamd table go directly to the mail server.  However, the pf statistics don't seem to make sense to me.  I always see the following:

no rdr inet proto tcp from <spamd-white-local> to any port = smtp
  [ Evaluations: 1193433   Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 73310 ]
no rdr inet proto tcp from <spamd-white> to any port = smtp
  [ Evaluations: 110124    Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 73310 ]
rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 110124    Packets: 63        Bytes: 3516        States: 1     ]
  [ Inserted: uid 0 pid 73310 ]

The first two entries never show any Packets and the third shows everything.  Does "no rdr" work differently than "rdr" with the statistics?  I understood from the Book of PF that the rules were evaluated such that the last matching rule is used.  Hence I think that with the above conf file the spamd-white-local table would never get used as the connection will match one of the 2 following rules.

So I ran another test by putting the first rule last:

no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
no rdr inet proto tcp from <spamd-white-local> to any port smtp

Now entries in <spamd-white-local> are ignored and the statistics are quite different:

no rdr inet proto tcp from <spamd-white> to any port = smtp
  [ Evaluations: 79        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 86983 ]
rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
  [ Evaluations: 52        Packets: 25        Bytes: 1395        States: 1     ]
  [ Inserted: uid 0 pid 86983 ]
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 86983 ]


Now the last rule says it's never evaluated.  This indicates that it's the first rule that matches that is used rather than the last.  However, why are there never any packets counted in the "no rdr" rules?
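The behaviour the post observes follows from pf translation rules (nat, rdr, binat) being first-match, unlike filter rules, which are last-match unless "quick" is used. The following is an added toy model of that evaluation, not pf's own code or anything from the post; the table contents are constructed sample addresses, and the counter accounting (a "no rdr" match creates no state, so only the winning rdr rule accumulates Packets and States) is a simplification of what pfctl reports.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Toy model of pf translation-rule evaluation (illustration, not pf source).
# Translation rules are first-match: the first matching rule decides and the
# remaining rules are not evaluated for that packet.
@dataclass
class Rule:
    action: str                        # "rdr" or "no rdr"
    src_table: Optional[Set[str]]      # None means "from any"
    dport: int
    target: Optional[Tuple[str, int]] = None   # (host, port) for rdr
    evaluations: int = 0
    packets: int = 0
    states: int = 0

def evaluate_translation(rules, src, dport, packets=1):
    """Return (winning rule, translation) for one new connection; bump counters."""
    for rule in rules:
        rule.evaluations += 1
        if rule.dport != dport:
            continue
        if rule.src_table is not None and src not in rule.src_table:
            continue
        if rule.action == "rdr":
            rule.states += 1
            rule.packets += packets      # state traffic is charged to the rdr rule
            return rule, rule.target
        return rule, None                # "no rdr": matched, but no translation/state
    return None, None

WHITE_LOCAL = {"192.0.2.10"}      # constructed sample table contents
WHITE = {"198.51.100.7"}

def ruleset_from_post():          # order used in the first pf.conf above
    return [Rule("no rdr", WHITE_LOCAL, 25),
            Rule("no rdr", WHITE, 25),
            Rule("rdr", None, 25, ("127.0.0.1", 8025))]

def ruleset_reordered():          # order used in the second test above
    return [Rule("no rdr", WHITE, 25),
            Rule("rdr", None, 25, ("127.0.0.1", 8025)),
            Rule("no rdr", WHITE_LOCAL, 25)]

def run(rules, sources):
    """Evaluate one SMTP connection per source; return (rule index, target) pairs."""
    results = []
    for src in sources:
        rule, target = evaluate_translation(rules, src, 25, packets=10)
        results.append((rules.index(rule) if rule else None, target))
    return results
```

With the reordered ruleset the <spamd-white-local> host is caught by the catch-all rdr before its "no rdr" rule is reached, and that last rule's evaluation counter stays at 0, matching the pfctl output in the post.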


