Re: PF Tables scoping.
Ok, I think I have found the root cause of this issue. In /usr/src/sys/net/pf_table.c, on line 2198, in pfr_attach_table:

    struct pfr_ktable *
    pfr_attach_table(struct pf_ruleset *rs, char *name, int intr)
    {
            struct pfr_ktable       *kt, *rt;
            struct pfr_table         tbl;
            struct pf_anchor        *ac = rs->anchor;

            bzero(&tbl, sizeof(tbl));
            strlcpy(tbl.pfrt_name, name, sizeof(tbl.pfrt_name));
            if (ac != NULL)
                    strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
            /* look the name up in the anchor's own namespace first */
            kt = pfr_lookup_table(&tbl);
            if (kt == NULL) {
                    /* not found there: create a private, anchor-scoped table */
                    kt = pfr_create_ktable(&tbl, time_second, 1, intr);
                    if (kt == NULL)
                            return (NULL);
                    if (ac != NULL) {
                            /* then find or create the global table and make it the root */
                            bzero(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor));
                            rt = pfr_lookup_table(&tbl);
                            if (rt == NULL) {
                                    rt = pfr_create_ktable(&tbl, 0, 1, intr);
                                    if (rt == NULL) {
                                            pfr_destroy_ktable(kt, 0);
                                            return (NULL);
                                    }
                                    pfr_insert_ktable(rt);
                            }
                            kt->pfrkt_root = rt;
                    }
                    pfr_insert_ktable(kt);
            }
            if (!kt->pfrkt_refcnt[PFR_REFCNT_RULE]++)
                    pfr_setflags_ktable(kt, kt->pfrkt_flags|PFR_TFLAG_REFERENCED);
            return (kt);
    }

It seems to check within the anchor context first to see if a private table exists, and create one if it doesn't, so that in the case where one doesn't exist and a global table of the same name does, you will get the namespace collision warning. I'm not sure how to go about resolving this, but I think the logic should be rearranged so that it checks the global scope first and then the private scope, and attaches to the global if one exists, and if not, creates and attaches to the private. This seems fairly simple; however, my C skills are not up to the task. Should I just file a PR on this and hope it gets picked up, or is there a better method to go about getting this changed?

J

On Wed, Jun 2, 2010 at 1:45 PM, Calomel Org <kep...@calomel.org> wrote:

> James,
>
> I can confirm. If a table is created by an anchor with the same name as an
> existing table the following error is printed:
>
>     pfctl: warning: namespace collision with <BLOCKTEMP> global table.
>
> The anchor's table is different from the main pf table.
>
>     pfctl -vvs Tables
>     --a-rhC BLOCKTEMP
>             Addresses:   12
>             Cleared:     Wed Dec 31 19:00:00 1969
>
>     pfctl -a games -vvs Tables
>     --a-r-C BLOCKTEMP       games
>             Addresses:   0
>             Cleared:     Wed Jun 2 16:40:14 2010
>
> --
>  Calomel @ https://calomel.org
>  Open Source Research and Reference
>
> On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:
> > [...]
Re: PF Tables scoping.
On Wed, Jun 2, 2010 at 10:48 AM, James Records <james.reco...@gmail.com> wrote:

> Hi All,
>
> Having an issue with anchors and tables again. I had this same issue a couple of years ago in 4.5 but never got any response; hoping someone can shed some light onto what I'm missing here, or if this is even supported. I'm trying to use an overload rule inside of an anchor to populate a table defined outside of all anchors. I haven't seen anything that specifically says this isn't supported, but if that's the case I'd like to get it clarified. Here are snippets of pf.conf that don't work, and one that does, and an explanation of why I can't just use the one that does work without side effects.
>
> Thanks in advance,
> J
>
> Doesn't work:
>
>     ### Tables ###
>     table <blocked_sites> persist
>
>     # Blocked Sites #
>     anchor Blocked_Sites {
>         block in quick from <blocked_sites> to any
>     }
>
>     ### TEST_IN ###
>     anchor TEST_IN {
>         pass in log quick on em0 inet proto tcp \
>             from any to <TEST_IN_dst> \
>             port { 443 } keep state \
>             (max 100, source-track rule, max-src-nodes 10, max-src-states 20, \
>              max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
>     }
>
> But remove the anchor from the overload rule and it works fine:
>
>     ### Tables ###
>     table <blocked_sites> persist
>
>     # Blocked Sites #
>     anchor Blocked_Sites {
>         block in quick from <blocked_sites> to any
>     }
>
>     ### TEST_IN ###
>     #anchor TEST_IN {
>     pass in log quick on em0 inet proto tcp \
>         from any to <TEST_IN_dst> \
>         port { 443 } keep state \
>         (max 100, source-track rule, max-src-nodes 10, max-src-states 20, \
>          max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
>     #}
>
> This would be simple enough, but I want to be able to parse my logs using the anchor names; this isn't possible using the 2nd method.
>
> The docs say this should just work from everything I can tell. I can read from a global table from within an anchor but am failing to write to it from within an anchor using the overload rule.

Just an update, I've done some more digging. It seems like I'm running into an issue where it's creating a new table inside the anchor. I'm thinking this is just a bug where the table gets created because it doesn't look outside of the anchor to see if one already exists, but I just want to get another pair of eyes to confirm.

Thanks
J

    $ pfctl -vvs Tables
    -pa--h- blocked_sites
            Addresses:   0
            Cleared:     Wed Jun 2 06:10:20 2010
            References:  [ Anchors: 3                  Rules: 0                  ]
            Evaluations: [ NoMatch: 162                Match: 0                  ]
            In/Block:    [ Packets: 0                  Bytes: 0                  ]
            In/Pass:     [ Packets: 0                  Bytes: 0                  ]
            In/XPass:    [ Packets: 0                  Bytes: 0                  ]
            Out/Block:   [ Packets: 0                  Bytes: 0                  ]
            Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
            Out/XPass:   [ Packets: 0                  Bytes: 0                  ]

    $ pfctl -a TEST_IN -vvs Tables
    --a-r-- blocked_sites   TEST_IN
            Addresses:   1
            Cleared:     Wed Jun 2 01:55:11 2010
            References:  [ Anchors: 0                  Rules: 5                  ]
            Evaluations: [ NoMatch: 114                Match: 69                 ]
            In/Block:    [ Packets: 69                 Bytes: 6732               ]
            In/Pass:     [ Packets: 0                  Bytes: 0                  ]
            In/XPass:    [ Packets: 0                  Bytes: 0                  ]
            Out/Block:   [ Packets: 0                  Bytes: 0                  ]
            Out/Pass:    [ Packets: 0                  Bytes: 0                  ]
            Out/XPass:   [ Packets: 0                  Bytes: 0                  ]
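The two pfctl listings above expose the shadow table one anchor at a time; pfctl itself only prints the "namespace collision" warning while loading the ruleset. As an added example (not from the thread and not OpenBSD's code), this script enumerates every loaded anchor and reports table names that exist both in the main ruleset and inside that anchor; shadowed_tables, check_live and demo are names chosen here, and the table lists in demo are constructed to mirror the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report table names present both in the
# main ruleset and inside an anchor, i.e. the anchor-scoped shadow table that
# pfr_attach_table creates when an anchor rule references a global table name.

# shadowed_tables GLOBAL_NAMES ANCHOR ANCHOR_NAMES
#   GLOBAL_NAMES / ANCHOR_NAMES: newline-separated table names, exactly as
#   "pfctl -sT" and "pfctl -a ANCHOR -sT" print them.
#   Prints one "ANCHOR<TAB>table" line per name found in both lists.
shadowed_tables() {
    printf '%s\n' "$1" | awk -v anchor="$2" -v names="$3" '
        BEGIN {
            n = split(names, a, "\n")
            for (i = 1; i <= n; i++)
                if (a[i] != "") in_anchor[a[i]] = 1
        }
        NF && ($1 in in_anchor) { printf "%s\t%s\n", anchor, $1 }'
}

# check_live: walk every anchor ("pfctl -sA -v" recurses and prints full
# anchor paths) and compare its tables with the main ruleset. Needs pf;
# run this on the firewall, not in the demo below.
check_live() {
    globals=$(pfctl -sT) || return 1
    pfctl -sA -v | while read -r anchor; do
        [ -n "$anchor" ] || continue
        shadowed_tables "$globals" "$anchor" "$(pfctl -a "$anchor" -sT)"
    done
}

# demo: constructed lists modelled on the thread. The main ruleset holds
# blocked_sites and TEST_IN_dst; anchor TEST_IN has grown its own
# blocked_sites (the overload target) plus an unrelated private table.
demo() {
    globals=$(printf '%s\n' blocked_sites TEST_IN_dst)
    in_test_in=$(printf '%s\n' blocked_sites private_only)
    shadowed_tables "$globals" "TEST_IN" "$in_test_in"
}

demo
```

Any line it prints names a table the anchor's rules are populating separately from the global one, which is exactly the state the thread's pfctl output shows.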
Re: PF Tables scoping.
James,

I can confirm. If a table is created by an anchor with the same name as an existing table the following error is printed:

    pfctl: warning: namespace collision with <BLOCKTEMP> global table.

The anchor's table is different from the main pf table.

    pfctl -vvs Tables
    --a-rhC BLOCKTEMP
            Addresses:   12
            Cleared:     Wed Dec 31 19:00:00 1969

    pfctl -a games -vvs Tables
    --a-r-C BLOCKTEMP       games
            Addresses:   0
            Cleared:     Wed Jun 2 16:40:14 2010

--
 Calomel @ https://calomel.org
 Open Source Research and Reference

On Wed, Jun 02, 2010 at 04:23:54PM -0400, James Records wrote:
> [...]