I am not understanding something about pf

xSAPPYx xsappyx at gmail.com
Sat Dec 12 07:31:12 UTC 2009


On Fri, Dec 11, 2009 at 7:30 PM, Doug Hardie <bc979 at lafn.org> wrote:

> I am running 7.2-Stable with pf.  I have the following pf.conf:
>
> no rdr inet proto tcp from <spamd-white-local> to any port smtp
> no rdr inet proto tcp from <spamd-white> to any port smtp
> rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>
> This is the basic spamd configuration with an extra table
> <spamd-white-local> which lists hosts to go directly to the mail server.
> Everything works properly.  Hosts not in either spamd table go to spamd and
> those in either spamd table go directly to the mail server.  However, the pf
> statistics don't seem to make sense to me.  I always see the following:
>
> no rdr inet proto tcp from <spamd-white-local> to any port = smtp
>  [ Evaluations: 1193433   Packets: 0         Bytes: 0           States: 0     ]
>  [ Inserted: uid 0 pid 73310 ]
> no rdr inet proto tcp from <spamd-white> to any port = smtp
>  [ Evaluations: 110124    Packets: 0         Bytes: 0           States: 0     ]
>  [ Inserted: uid 0 pid 73310 ]
> rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>  [ Evaluations: 110124    Packets: 63        Bytes: 3516        States: 1     ]
>  [ Inserted: uid 0 pid 73310 ]
>
> Where the first two entries never show any Packets and the third shows
> everything.  Does "no rdr" work differently than "rdr" with the statistics?
> I understood from the Book of PF that the rules were evaluated such that
> the last matching rule is used.  Hence I think that with the above conf file
> the spamd-white-local table would never get used, as the connection will
> match one of the 2 following rules.
>
> So I ran another test by putting the first rule last:
>
> no rdr inet proto tcp from <spamd-white> to any port smtp
> rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>
> Now entries in <spamd-white-local> are ignored and the statistics are
> quite different:
>
> no rdr inet proto tcp from <spamd-white> to any port = smtp
>  [ Evaluations: 79        Packets: 0         Bytes: 0           States: 0     ]
>  [ Inserted: uid 0 pid 86983 ]
> rdr pass inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
>  [ Evaluations: 52        Packets: 25        Bytes: 1395        States: 1     ]
>  [ Inserted: uid 0 pid 86983 ]
> no rdr inet proto tcp from <spamd-white-local> to any port = smtp
>  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
>  [ Inserted: uid 0 pid 86983 ]
>
>
> Now the last rule says it's never evaluated.  This indicates that it's the
> first rule that matches that is used rather than the last.  However, why are
> there never any packets counted in the "no rdr" rules?
>


Do you have a "pass in proto tcp to port smtp" or some such rule that is
capturing the rest of the packets/accounting stats?

I believe the "pass" in the second test (rdr pass inet proto tcp from any
to any port = smtp -> 127.0.0.1 port 8025) is short circuiting your assumed
"last match wins".

The full pf.conf would be helpful.
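To make the first-match behaviour of pf translation rules concrete, the following is an added Python model; it is not code from this thread or from pf itself. It replays the two rule orderings from the post against constructed traffic. It assumes the pf.conf(5) rule for the pf of that era that translation rules (nat, rdr, binat, including their "no" forms) are decided by the first matching rule, unlike filter rules where the last match wins. It also models the counters the way the statistics in the post suggest: every rule examined gets an evaluation, but a matching "no rdr" only ends the search and creates no state, so packets and bytes are credited only to the "rdr" rule that actually translated the connection. The table contents, addresses and packet counts are constructed for the example.

```python
"""Toy model of pf translation-rule (rdr / no rdr) evaluation and counters.

Added example: models pf.conf(5) first-match semantics for translation rules.
Counter attribution (packets/bytes only on the rdr rule that translated) is an
assumption chosen to match the pfctl output quoted in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str             # "no rdr" or "rdr"
    src: str                # table name (without <>) or "any"
    dport: int              # destination port the rule matches
    target: tuple = None    # (addr, port) for rdr rules, None for "no rdr"
    evaluations: int = 0
    packets: int = 0
    bytes: int = 0

    def text(self):
        src = "any" if self.src == "any" else f"<{self.src}>"
        s = f"{self.action} inet proto tcp from {src} to any port = {self.dport}"
        if self.target:
            s += f" -> {self.target[0]} port {self.target[1]}"
        return s

# Constructed tables using documentation address ranges (not from the post).
TABLES = {
    "spamd-white-local": [ip_network("192.0.2.0/24")],
    "spamd-white": [ip_network("203.0.113.5/32")],
}

def in_table(name, addr):
    return any(ip_address(addr) in net for net in TABLES[name])

def translate(rules, src, dport, nbytes):
    """Translation rules: the first matching rule decides.

    Returns the (addr, port) the packet was redirected to, or None when no
    translation happens (no match, or an explicit "no rdr" match).
    """
    for r in rules:
        r.evaluations += 1                 # every rule looked at is "evaluated"
        if r.dport != dport:
            continue
        if r.src != "any" and not in_table(r.src, src):
            continue
        if r.action == "no rdr":
            return None                    # excluded: search stops, no state, no credit
        r.packets += 1                     # only the translating rdr rule gets counters
        r.bytes += nbytes
        return r.target
    return None

def make_rules(order):
    """Build the three rules from the post in the requested order."""
    proto = {
        "local": lambda: Rule("no rdr", "spamd-white-local", 25),
        "white": lambda: Rule("no rdr", "spamd-white", 25),
        "rdr":   lambda: Rule("rdr", "any", 25, ("127.0.0.1", 8025)),
    }
    return [proto[name]() for name in order]

# Constructed traffic: (source, dport, bytes per packet, packet count).
TRAFFIC = [
    ("192.0.2.10", 25, 60, 1000),   # host in <spamd-white-local>
    ("203.0.113.5", 25, 60, 100),   # host in <spamd-white>
    ("198.51.100.7", 25, 60, 40),   # unknown sender, should land on spamd
]

def simulate(order):
    """Return (rules with counters, {(src, dport): redirect target})."""
    rules = make_rules(order)
    outcome = {}
    for src, dport, nbytes, count in TRAFFIC:
        for _ in range(count):
            outcome[(src, dport)] = translate(rules, src, dport, nbytes)
    return rules, outcome

def report(order):
    rules, _ = simulate(order)
    return "\n".join(
        f"{r.text()}\n  [ Evaluations: {r.evaluations:<8} Packets: {r.packets:<8} "
        f"Bytes: {r.bytes:<8} ]" for r in rules)

if __name__ == "__main__":
    print("# ordering from the first test\n" + report(["local", "white", "rdr"]))
    print("\n# ordering from the second test\n" + report(["white", "rdr", "local"]))
```

Running the model reproduces the pattern in the post: with the "no rdr" rules first, the first rule is evaluated for every SMTP packet, the later rules see only what fell through, and the "no rdr" rules never accumulate packets even though they decided most connections. With "no rdr" for spamd-white-local moved last, the catch-all rdr rule matches first, the whitelisted host is redirected to spamd, and the trailing rule is never reached, hence 0 evaluations.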

