Re: Re[2]: anchors - weirdness

2006-07-03 Thread David Diggles

Thanks Daniel,

I'm compiling the patch in now, and I'll try the test anchor unload
sequence without typos this time ;-)

David.


Re[2]: anchors - weirdness

2006-06-29 Thread Boris Polevoy


-Original Message-
From: Daniel Hartmeier [EMAIL PROTECTED]
To: David Diggles [EMAIL PROTECTED]
Date: Thu, 29 Jun 2006 07:25:04 +0200
Subject: Re: anchors - weirdness

> 
> There was a bug that caused anchors defined from sub-anchors with load
> anchor statements to get defined directly in the root, and not relative
> to the position of the anchor defining them. This was fixed in OpenBSD
> just a couple of weeks ago with
> 
>   http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.67&r2=1.68&f=h
>   http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/parse.y.diff?r1=1.497&r2=1.498&f=h
> 
> This isn't in FreeBSD (or OpenBSD -stable) yet, but it probably makes
> sense to pull it in.
> 
I have used the same pf_table.c patch under FreeBSD 6.0 and 6.1 for two months. It works
well.
To Max Laier: please patch FreeBSD's PF/pfctl.

With best regards
Boris Polevoy


anchors - weirdness

2006-06-28 Thread David Diggles

I have 2 weirdnesses occurring with anchors.
Running pf compiled in kernel, on FreeBSD 6.1 i386.
Here's the scenario... I have the following configs

-quote section from pf.conf 
anchor test/*
load anchor test from /etc/pf/anchors/test
-quote section from pf.conf 
(this pf.conf has a default block set)

- quote /etc/pf/anchors/test -
anchor test.000
load anchor test.000 from /etc/pf/anchors/test.000
- quote /etc/pf/anchors/test -

- quote /etc/pf/anchors/test.000 -
pass in quick on em0 inet proto tcp from any to em0 port 80 \
flags S/SA modulate state
- quote /etc/pf/anchors/test.000 -

Weirdness number 1...  anchors declared within anchors are not evaluating.

I load the rules:
pfctl -e -f /etc/pf.conf

pfctl -s Anchors   # shows the following
 test
 test.000

pfctl -s rules   # shows the following
anchor test/* all

However, I cannot connect to port 80 from another machine on the same
network... there is no test.000 loading in the main ruleset.

Weirdness number 2... can't destroy anchors?

commented out lines in pf.conf
-quote section from pf.conf 
#anchor test/*
#load anchor test from /etc/pf/anchors/test
-quote section from pf.conf 

flushed everything out... and reloaded everything...

# pfctl -a test.00 -F all
rules cleared
nat cleared
pfctl: Anchor or Ruleset does not exist.

why does this not exist???

# pfctl -a test -F all
rules cleared
nat cleared
0 tables deleted.

# pfctl -F all -f /etc/pf.conf
rules cleared
nat cleared
0 tables deleted.
altq cleared
9 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset

# pfctl -s Anchors
 test
 test.000

So why are these anchors still defined?

Any clarification or workaround for these anchor weirdnesses would be
greatly appreciated.  I am working towards having a fairly static
pf.conf and the changeable rules stuff being located within anchors
only.

Cheers,
David


Re: anchors - weirdness

2006-06-28 Thread Daniel Hartmeier
On Thu, Jun 29, 2006 at 11:37:41AM +1000, David Diggles wrote:

> -quote section from pf.conf 
> anchor test/*
> load anchor test from /etc/pf/anchors/test
> -quote section from pf.conf 
> (this pf.conf has a default block set)

anchor test/* will cause evaluation of all sub-anchors of test, but
not evaluation of the rules in anchor test itself. If you want to
evaluate both the rules in test as well as the rules in all sub-anchors
of test, you'll need

  anchor test
  anchor test/*

> - quote /etc/pf/anchors/test -
> anchor test.000
> load anchor test.000 from /etc/pf/anchors/test.000
> - quote /etc/pf/anchors/test -

Since you have calls from test's ruleset to the sub-anchors, what you
probably intended, in the main ruleset, was a call to test's rules,
which is

  anchor test

instead of

  anchor test/*

There was a bug that caused anchors defined from sub-anchors with load
anchor statements to get defined directly in the root, and not relative
to the position of the anchor defining them. This was fixed in OpenBSD
just a couple of weeks ago with

  http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf_table.c.diff?r1=1.67&r2=1.68&f=h
  http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/parse.y.diff?r1=1.497&r2=1.498&f=h

This isn't in FreeBSD (or OpenBSD -stable) yet, but it probably makes
sense to pull it in.

As a workaround, you can use absolute paths for load anchor statements
in sub-anchors, like

  load anchor /test/test.000 from /etc/pf/anchors/test.000

> Weirdness number 2... can't destroy anchors?

Anchors are automatically destroyed/removed when they

  contain no rules (either translation or filter rules) AND
  contain no sub-anchors AND
  are not referenced by any explicit anchor ... calls

> # pfctl -a test.00 -F all
> pfctl: Anchor or Ruleset does not exist.
> 
> why does this not exist???

Note the typo (test.00 vs. test.000)

Daniel
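A small added model (not pfctl's code, and not from anyone on this thread) of the two points Daniel makes: where a `load anchor` inside a sub-anchor defines its anchor, with and without the bug he describes, and why `anchor test/*` evaluates test's sub-anchors but not test's own rules. The two anchor files from David's report are embedded as constructed input, and the absolute-path workaround `load anchor /test/test.000 ...` can be exercised by swapping in a file that uses it.

```python
# Toy model of pf anchor naming (not pfctl's code): where `load anchor` inside a
# sub-anchor defines its anchor, and what `anchor test` vs `anchor test/*` evaluate.
# Constructed input: the two anchor files from David's report, kept inline.
FILES = {
    "/etc/pf/anchors/test": [
        "anchor test.000",
        "load anchor test.000 from /etc/pf/anchors/test.000",
    ],
    "/etc/pf/anchors/test.000": [
        "pass in quick on em0 inet proto tcp from any to em0 port 80 "
        "flags S/SA modulate state",
    ],
}

def resolve(parent, name):            # absolute anchor path as seen from `parent`
    if name.startswith("/"):          # absolute name: Daniel's workaround
        return name.strip("/")
    return parent + "/" + name if parent else name   # '' parent = main ruleset

def load(rulesets, parent, name, lines, bug, files):
    """Model `load anchor name from file` executed inside anchor `parent`."""
    # bug=True: a relative name is defined directly in the root (pre-fix behaviour)
    path = name.strip("/") if bug else resolve(parent, name)
    rulesets[path] = [l for l in lines if not l.startswith("load anchor ")]
    for line in lines:
        if line.startswith("load anchor "):
            _, _, sub, _, fname = line.split(" ", 4)
            load(rulesets, path, sub, files[fname], bug, files)

def evaluate(rulesets, parent, lines):
    """Rules pf evaluates for `lines`, following `anchor X` / `anchor X/*` calls."""
    out = []
    for line in lines:
        if not line.startswith("anchor "):       # ordinary rule
            out.append(line)
        elif line.split()[1].endswith("/*"):     # every sub-anchor of X, not X's own rules
            base = resolve(parent, line.split()[1][:-2])
            for sub in sorted(p for p in rulesets
                              if "/" in p and p.rsplit("/", 1)[0] == base):
                out += evaluate(rulesets, sub, rulesets[sub])
        else:                                    # X's own rules, which may call further
            path = resolve(parent, line.split()[1])
            out += evaluate(rulesets, path, rulesets.get(path, []))
    return out

def main_ruleset(main_lines, bug=False, files=FILES):
    """Load a pf.conf-style main ruleset (anchor path '') and return what pf evaluates."""
    rulesets = {}
    load(rulesets, "", "", main_lines, bug, files)
    return evaluate(rulesets, "", rulesets[""])
```

With `bug=True` and David's original files, `main_ruleset(["anchor test/*", "load anchor test from /etc/pf/anchors/test"])` returns no rules at all, which is exactly weirdness number 1; with the absolute `/test/test.000` name in the test anchor file the pass rule comes back even with the bug present.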