Hello,
I was a bit surprised by the following behavior when configuring pf on
OpenBSD 5.2. Non-persistent tables that are only referenced by inline
anchor rules, as in the following example, are removed from memory
when pf.conf is loaded.
# Doesn't work (ssh connections are blocked):
table <admins> {10.0.0.2}
block
pass out
anchor in on ix1 {
pass proto tcp from <admins> to ix1 port ssh
}
# Works as expected:
table <admins> persist {10.0.0.2}
block
pass out
anchor in on ix1 {
pass proto tcp from <admins> to ix1 port ssh
}
After loading the first configuration, 'pfctl -t admins -T show' gives me:
pfctl: Table does not exist.
Referencing the table in the main ruleset, or making it persistent as
in the second example, fixes the problem. Is this by design?
- Max
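As an added illustration (not part of Max's post or any OpenBSD tool), a small Python check that flags the pattern described above: a table declared without `persist` whose only references sit inside an `anchor { ... }` block. The two sample rulesets are reconstructed from the post; the table-name pattern and the brace-depth tracking are simplifying assumptions, not a full pf.conf parser.

```python
import re

# Constructed sample: the first (broken) ruleset from the post.
BROKEN = """\
table <admins> {10.0.0.2}
block
pass out
anchor in on ix1 {
pass proto tcp from <admins> to ix1 port ssh
}
"""

# Constructed sample: the second ruleset, with the table marked persist.
FIXED = BROKEN.replace("table <admins> {", "table <admins> persist {")

TABLE_DEF = re.compile(r"^\s*table\s+<([\w-]+)>\s*(.*)$")
TABLE_REF = re.compile(r"<([\w-]+)>")


def find_anchor_only_tables(conf):
    """Return names of tables defined without 'persist' whose only
    references are inside anchor { ... } blocks (the case that is
    dropped from memory when the ruleset is loaded)."""
    defined = {}      # table name -> True if declared persist
    main_refs = set()
    anchor_refs = set()
    depth = 0         # current anchor-block nesting depth
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = TABLE_DEF.match(line)
        if m:
            name, rest = m.groups()
            defined[name] = bool(re.search(r"\bpersist\b", rest))
            continue
        refs = set(TABLE_REF.findall(line))
        # A reference on the 'anchor ... {' line itself is still in the
        # main ruleset; only lines after the brace count as anchor body.
        (anchor_refs if depth > 0 else main_refs).update(refs)
        depth += line.count("{") - line.count("}")
    return sorted(n for n, persist in defined.items()
                  if not persist and n in anchor_refs and n not in main_refs)
```

Running the check over the two samples reports `admins` for the first ruleset and nothing for the second.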