Ok, I think I have found the root cause of this issue.

In /usr/src/sys/net/pf_table.c on line 2198 in pfr_attach_table:

struct pfr_ktable *
pfr_attach_table(struct pf_ruleset *rs, char *name, int intr)
{
        struct pfr_ktable       *kt, *rt;
        struct pfr_table         tbl;
        struct pf_anchor        *ac = rs->anchor;

        bzero(&tbl, sizeof(tbl));
        strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
        if (ac != NULL)
                strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
        kt = pfr_lookup_table(&tbl);
        if (kt == NULL) {
                kt = pfr_create_ktable(&tbl, time_second, 1, intr);
                if (kt == NULL)
                        return (NULL);
                if (ac != NULL) {
                        bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
                        rt = pfr_lookup_table(&tbl);
                        if (rt == NULL) {
                                rt = pfr_create_ktable(&tbl, 0, 1, intr);
                                if (rt == NULL) {
                                        pfr_destroy_ktable(kt, 0);
                                        return (NULL);
                                }
                                pfr_insert_ktable(rt);
                        }
                        kt->pfrkt_root = rt;
                }
                pfr_insert_ktable(kt);
        }
        if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
                pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
        return (kt);
}

It seems to check within the anchor context first to see if a "private"
table exists and create one if it doesn't, so in the case where one
doesn't exist and a "global" table of the same name does, you get the
namespace collision warning.

I'm not sure how to go about resolving this, but I think the logic should be
rearranged so that it checks the global scope first and then the private
scope, and attaches to the global if one exists, and if not create and
attach to the private.

This seems fairly simple; however, my C skills are not up to the task. Should
I just file a PR on this and hope it gets picked up? Or is there a better
method to go about getting this changed?

J


On Wed, Jun 2, 2010 at 1:45 PM, Calomel Org <kep...@calomel.org> wrote:

> James,
>
> I can confirm. If a table is created by an anchor with the same name as
> an existing table the following error is printed:
>
> pfctl: warning: namespace collision with <BLOCKTEMP> global table.
>
>
> The anchors table is different from the main pf table.
>
> pfctl -vvs Tables
> --a-rhC BLOCKTEMP
>        Addresses:   12
>        Cleared:     Wed Dec 31 19:00:00 1969
>
> pfctl -a games -vvs Tables
> --a-r-C BLOCKTEMP       games
>        Addresses:   0
>        Cleared:     Wed Jun  2 16:40:14 2010
>
> --
>   Calomel @ https://calomel.org
>   Open Source Research and Reference
>
>
> On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:
> >On Wed, Jun 2, 2010 at 10:48 AM, James Records <james.records gmail.com
> >wrote:
> >
> >> Hi All,
> >>
> >> Having an issue with anchors and tables again. I had this same issue a
> >> couple of years ago in 4.5 but never got any response, hoping someone can
> >> shed some light onto what I'm missing here, or if this is even supported.
> >> I'm trying to use an overload rule inside of an anchor to populate a table
> >> defined outside of all anchors. I haven't seen anything that specifically
> >> says this isn't supported, but if that's the case I'd like to get it
> >> clarified. Here are snippets of pf.conf that don't work, and one that does,
> >> and an explanation of why I can't just use the one that does work without
> >> side effects.
> >>
> >> Thanks in advance,
> >>
> >> J
> >>
> >>
> >>
> >> Doesn't work:
> >>
> >> ##############
> >> #### Tables  ###
> >> ##############
> >> table <blocked_sites> persist
> >>
> >> #####################
> >> #### Blocked Sites ####
> >> #####################
> >> anchor "Blocked_Sites" {
> >>  block in  quick from <blocked_sites> to any
> >> }
> >>
> >> ##############
> >> ### TEST_IN ###
> >> ##############
> >> anchor "TEST_IN" {
> >> pass in log quick on em0 inet proto tcp \
> >> from any to <TEST_IN_dst> \
> >>  port { 443 } keep state \
> >> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
> >> max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
> >> }
> >>
> >>
> >> But remove the anchor from the overload rule and it works fine:
> >>
> >> ###############
> >> #### Tables  ####
> >> ###############
> >> table <blocked_sites> persist
> >>
> >> #####################
> >> #### Blocked Sites ####
> >> #####################
> >> anchor "Blocked_Sites" {
> >> block in  quick from <blocked_sites> to any
> >> }
> >>
> >> ###############
> >> ### TEST_IN ###
> >> ###############
> >> #anchor "TEST_IN" {
> >> pass in log quick on em0 inet proto tcp \
> >>  from any to <TEST_IN_dst> \
> >> port { 443 } keep state \
> >> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
> >> max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
> >> #}
> >>
> >> This would be simple enough, but I want to be able to parse my logs using
> >> the anchor names, and this isn't possible using the 2nd method.
> >>
> >> The docs say this should just work from everything I can tell; I can "read"
> >> from a global table from within an anchor but am failing to "write" to it
> >> from within an anchor using the overload rule.
> >>
> >
> >
> >
> >Just an update, I've done some more digging. It seems like I'm running into
> >an issue where it's creating a new table inside the anchor. I'm thinking this
> >is just a bug where the table gets created because it doesn't look outside
> >of the anchor to see if one already exists, but I just want to get another
> >pair of eyes to confirm.
> >
> >Thanks
> >J
> >
> > pfctl -vvs Tables
> >-pa--h-        blocked_sites
> >       Addresses:   0
> >       Cleared:     Wed Jun  2 06:10:20 2010
> >       References:  [ Anchors: 3                  Rules: 0 ]
> >       Evaluations: [ NoMatch: 162                Match: 0 ]
> >       In/Block:    [ Packets: 0                  Bytes: 0 ]
> >       In/Pass:     [ Packets: 0                  Bytes: 0 ]
> >       In/XPass:    [ Packets: 0                  Bytes: 0 ]
> >       Out/Block:   [ Packets: 0                  Bytes: 0 ]
> >       Out/Pass:    [ Packets: 0                  Bytes: 0 ]
> >       Out/XPass:   [ Packets: 0                  Bytes: 0 ]
> >
> >$ pfctl -a "TEST_IN" -vvs Tables
> >--a-r--        blocked_sites   TEST_IN
> >       Addresses:   1
> >       Cleared:     Wed Jun  2 01:55:11 2010
> >       References:  [ Anchors: 0                  Rules: 5 ]
> >       Evaluations: [ NoMatch: 114                Match: 69 ]
> >       In/Block:    [ Packets: 69                 Bytes: 6732 ]
> >       In/Pass:     [ Packets: 0                  Bytes: 0 ]
> >       In/XPass:    [ Packets: 0                  Bytes: 0 ]
> >       Out/Block:   [ Packets: 0                  Bytes: 0 ]
> >       Out/Pass:    [ Packets: 0                  Bytes: 0 ]
> >       Out/XPass:   [ Packets: 0                  Bytes: 0 ]

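The lookup order of the pfr_attach_table() quoted at the top of the thread, and the reordering James proposes, as an added user-space model. This is example code written for this page, not kernel code and not anything posted in the thread: it keeps a registry of tables keyed by (name, anchor path) the way pfr_lookup_table() matches them, implements both orders, and runs the thread's scenario (a global blocked_sites table, then an overload rule naming it inside anchor "TEST_IN"). Treating the global "table <blocked_sites> persist" as an attach from the root ruleset is an assumption made for the model; pfctl creates persist tables through a different path. The model also records the root pointer the kernel function sets on an anchor-private table, so the two outcomes can be compared.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TABLES 16
#define NAME_LEN   32

/* Model of struct pfr_ktable: only the fields the lookup order touches. */
struct ktable {
    char name[NAME_LEN];
    char anchor[NAME_LEN];  /* "" for the global (root) scope */
    struct ktable *root;    /* anchor-private table -> global table of same name */
    int refcnt_rule;        /* stands in for pfrkt_refcnt[PFR_REFCNT_RULE] */
};

/* Model of the kernel's table list; a fixed array so pointers stay stable. */
struct registry {
    struct ktable tables[MAX_TABLES];
    int ntables;
};

/* pfr_lookup_table() analogue: exact match on (name, anchor path). */
static struct ktable *lookup(struct registry *r, const char *name, const char *anchor)
{
    for (int i = 0; i < r->ntables; i++)
        if (strcmp(r->tables[i].name, name) == 0 &&
            strcmp(r->tables[i].anchor, anchor) == 0)
            return &r->tables[i];
    return NULL;
}

/* pfr_create_ktable() + pfr_insert_ktable() analogue; NULL when full. */
static struct ktable *create(struct registry *r, const char *name, const char *anchor)
{
    if (r->ntables == MAX_TABLES)
        return NULL;
    struct ktable *kt = &r->tables[r->ntables++];
    memset(kt, 0, sizeof(*kt));
    snprintf(kt->name, sizeof(kt->name), "%s", name);
    snprintf(kt->anchor, sizeof(kt->anchor), "%s", anchor);
    return kt;
}

/* Current order, as in the quoted pfr_attach_table(): anchor scope first.
 * A miss creates a private table in the anchor and points its root at the
 * global table of the same name, creating that one too if it is missing. */
static struct ktable *attach_anchor_first(struct registry *r, const char *name, const char *anchor)
{
    struct ktable *kt = lookup(r, name, anchor);
    if (kt == NULL) {
        if ((kt = create(r, name, anchor)) == NULL)
            return NULL;
        if (anchor[0] != '\0') {
            struct ktable *rt = lookup(r, name, "");
            if (rt == NULL && (rt = create(r, name, "")) == NULL) {
                r->ntables--;   /* drop kt again, like pfr_destroy_ktable(kt, 0) */
                return NULL;
            }
            kt->root = rt;
        }
    }
    kt->refcnt_rule++;
    return kt;
}

/* The reordering proposed in the mail: global scope first, then the anchor's
 * own scope; only when neither has the table is a private one created. */
static struct ktable *attach_global_first(struct registry *r, const char *name, const char *anchor)
{
    struct ktable *kt = lookup(r, name, "");
    if (kt == NULL && anchor[0] != '\0')
        kt = lookup(r, name, anchor);
    if (kt == NULL && (kt = create(r, name, anchor)) == NULL)
        return NULL;
    kt->refcnt_rule++;
    return kt;
}

/* Thread scenario: global blocked_sites (modelled as a root-ruleset attach,
 * an assumption), then "overload <blocked_sites>" inside anchor "TEST_IN". */
static void scenario(int global_first, int *attached_to_global, int *copies)
{
    struct registry r = { .ntables = 0 };
    struct ktable *(*attach)(struct registry *, const char *, const char *) =
        global_first ? attach_global_first : attach_anchor_first;

    struct ktable *global = attach(&r, "blocked_sites", "");
    struct ktable *from_anchor = attach(&r, "blocked_sites", "TEST_IN");

    *attached_to_global = (global != NULL && from_anchor == global);
    *copies = 0;
    for (int i = 0; i < r.ntables; i++)
        if (strcmp(r.tables[i].name, "blocked_sites") == 0)
            (*copies)++;
}

/* 1 if the anchor's overload rule ends up writing into the global table. */
int anchor_rule_attaches_to_global(int global_first)
{
    int a, n;
    scenario(global_first, &a, &n);
    return a;
}

/* Number of tables named blocked_sites after both attaches. */
int copies_of_blocked_sites(int global_first)
{
    int a, n;
    scenario(global_first, &a, &n);
    return n;
}

int main(void)
{
    for (int gf = 0; gf <= 1; gf++)
        printf("%s: overload rule attached to global table = %d, "
               "tables named blocked_sites = %d\n",
               gf ? "global-first" : "anchor-first",
               anchor_rule_attaches_to_global(gf), copies_of_blocked_sites(gf));
    return 0;
}
```

With the current (anchor-first) order the model ends up with two tables named blocked_sites, and the anchor rule is attached to the private one, which only carries a root pointer to the global table; that is the state the two pfctl listings above show. With the global-first order the anchor rule attaches to the single global table. The trade-off the reordering makes is also visible in the model: a rule inside an anchor can then no longer get a private table whose name is already in use globally, which is the shadowing behaviour the anchor-first order provides.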