>Synopsis: pf removes automatic tables inside inline anchors
>Category: kernel
>Environment:
System : OpenBSD 5.5
Details : OpenBSD 5.5 (GENERIC) #271: Wed Mar 5 09:31:16 MST 2014
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
With basic ruleset-optimization, pf combines multiple similar rules into a rule
on an automatic table. If that happens inside an anchor defined inline, the
table will get destroyed and thus the rules no longer work.
>How-To-Repeat:
pf.conf:
set ruleset-optimization basic
block
anchor "foo" to 192.168.1.0/24 {
pass proto tcp to { 192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5 192.168.1.6 } port 80
}
pass proto tcp to { 192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.4 192.168.2.5 192.168.2.6 } port 80
Table is referred to in rules, but does not exist:
# pfctl -Fr -FT -f /etc/pf.conf
# pfctl -sr -a '*'
block drop all
anchor "foo" inet from any to 192.168.1.0/24 {
pass inet proto tcp from any to <__automatic_22d700ce_1> port = 80 flags S/SA
}
pass inet proto tcp from any to <__automatic_44a5c9f7_0> port = 80 flags S/SA
# pfctl -a foo -t __automatic_22d700ce_1 -T show
pfctl: Table does not exist.
# pfctl -t __automatic_22d700ce_1 -T show
pfctl: Table does not exist.
# pfctl -sT
__automatic_44a5c9f7_0
# pfctl -sT -a foo
# pfctl -sT -a '*'
__automatic_44a5c9f7_0
If the table is loaded from a file, it will exist as expected - this
only seems to happen for inline anchors. In addition, while trying to
narrow this down I noticed that it is a syntax error to define tables in
inline anchors (that too works fine when the anchor is loaded from a
file). Should I send a separate bug report for that?
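As an added check (example code, not part of the original report), the script below compares the tables that loaded rules reference with the tables pfctl actually knows about and reports any that are missing, which is exactly the symptom shown above. The sample rule listing and table listing embedded in it are constructed from the pfctl output in this report; on a live system you would pass the real output of pfctl -sr -a '*' and pfctl -sT -a '*' instead.

```sh
#!/bin/sh
# Added check, not part of the original report: list the tables that pf rules
# reference (as <name>) but that pfctl does not know about. On a live system:
#   missing_tables "$(pfctl -sr -a '*')" "$(pfctl -sT -a '*')"
# The sample data below is constructed from the pfctl output in this report.

SAMPLE_RULES='block drop all
anchor "foo" inet from any to 192.168.1.0/24 {
pass inet proto tcp from any to <__automatic_22d700ce_1> port = 80 flags S/SA
}
pass inet proto tcp from any to <__automatic_44a5c9f7_0> port = 80 flags S/SA'

SAMPLE_TABLES='__automatic_44a5c9f7_0'

# missing_tables RULES TABLES
# RULES is pfctl -sr output, TABLES is pfctl -sT output (one name per line).
# Prints each referenced table that is missing, one per line, and returns 1
# if any is missing; returns 0 and prints nothing when all of them exist.
missing_tables() {
    rules=$1
    tables=$2
    # Pull every <name> out of the rules (a rule may reference more than one),
    # then keep the names that do not appear verbatim in the table listing.
    missing=$(printf '%s\n' "$rules" |
        awk '{ while (match($0, /<[^>]*>/)) {
                   print substr($0, RSTART + 1, RLENGTH - 2)
                   $0 = substr($0, RSTART + RLENGTH) } }' |
        sort -u |
        while read -r t; do
            printf '%s\n' "$tables" | grep -qxF -- "$t" || printf '%s\n' "$t"
        done)
    [ -n "$missing" ] || return 0
    printf '%s\n' "$missing"
    return 1
}

# Stand-alone run against the constructed sample: prints __automatic_22d700ce_1.
if ! missing_tables "$SAMPLE_RULES" "$SAMPLE_TABLES"; then
    echo "some referenced tables do not exist (listed above)" >&2
fi
```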
>Fix:
'set ruleset-optimization none' can work around this.
--
Lauri Tirkkonen
Niksula systems specialist