pf, relayd, TCP keep alive and NAT, oh my!

2021-05-31 Thread Cameron Simpson
Can I enforce or implement TCP keep alives on a TCP stream via my 
firewall?

Background:

I've got a client with an OpenBSD firewall and a Telstra NBN modem as 
their modem.

Their IMAP server is upstream in the cloud (Ubuntu, courier imap). I 
have this odd problem which I am beginning to suspect is the NBN modem 
getting bored and dropping its NAT entries. Let me explain...

At the firewall end I see about 30 ESTABLISHED connections to the IMAP 
server. At the IMAP server I see over 500, which is about where the IMAP 
service stops accepting new connections, leading to errors from the 
client mail readers.

My current theory is that the IMAP client connections issue the IMAP 
IDLE command and go passive, waiting for email notifications from the 
server.  So we have an idle TCP connection across the firewall and 
across the NBN modem (which NATs).

My conjecture is that at some point the modem discards idle connection 
states. (This could just as well happen at any other intermediate 
stateful router too.) After that event, the client end does something 
which tries to use the connection, gets an RST from the modem, clean 
tidyup happens on the client and in the firewall.

At the server end, none of this is seen and the imapd just sits around 
idle, never releasing the connection and never stopping the matching 
daemon process. This gradually rises to hit the server's configured 
connection limit and it stops accepting new things.

If I had TCP keep alive turned on, both ends might tidy themselves up.  
I can't enable that on the clients (various mail readers) or, 
apparently, on the server configuration. I can't do it in PF because PF 
just copies packets. I can't seem to do it in relayd either, though that 
seems the obvious way to intercept the connection for this purpose.

Any suggestions?

I haven't fully validated my conjecture yet, BTW. It just fits the 
symptoms I see.

Plan B is to build the latest courier-imap from source if I find the 
time, but there may be no build option for this. I guess a single 
setsockopt() call in the source would be enough, _if_ that can be done 
on the accept end, which I haven't checked.

Plan B0 might be to disable IMAP IDLE support. Hmm.

Cheers,
Cameron Simpson 
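The "single setsockopt() on the accept end" idea from the post, worked through as an added example (not code from the thread, from courier-imap, or from relayd). It opens a listener on the loopback address, connects to it, accepts, and turns on SO_KEEPALIVE on the accepted descriptor, then reads the option back to confirm it took. The per-socket idle/interval/count knobs (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) are a Linux-style extension, which matters on the Ubuntu server in the post; OpenBSD exposes the same timers only as the global sysctls net.inet.tcp.keepidle and net.inet.tcp.keepintvl, so there only SO_KEEPALIVE is set. The timer values 600/60/5 are arbitrary choices for illustration.

```c
/* Added example: enabling TCP keepalive on the accept() side of a
 * connection.  Not from the thread or from courier-imap. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Turn on keepalive for fd.  idle = seconds of silence before the first
 * probe, intvl = seconds between probes, cnt = unanswered probes before the
 * kernel gives up and errors out the socket (values are illustrative). */
int enable_keepalive(int fd, int idle, int intvl, int cnt)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) == -1)
        return -1;
#if defined(TCP_KEEPIDLE) && defined(TCP_KEEPINTVL) && defined(TCP_KEEPCNT)
    /* Linux-style per-socket timers; not available on OpenBSD, where the
     * equivalent knobs are the net.inet.tcp.keepidle/keepintvl sysctls. */
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &idle, sizeof(idle)) == -1 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &intvl, sizeof(intvl)) == -1 ||
        setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cnt, sizeof(cnt)) == -1)
        return -1;
#else
    (void)idle; (void)intvl; (void)cnt;
#endif
    return 0;
}

/* Read SO_KEEPALIVE back so the caller can verify it took effect:
 * 1 = enabled, 0 = disabled, -1 = getsockopt failed. */
int keepalive_enabled(int fd)
{
    int on = 0;
    socklen_t len = sizeof(on);
    if (getsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, &len) == -1)
        return -1;
    return on != 0;
}

/* Build a loopback listener/client pair, accept, and enable keepalive on
 * the accepted (server-side) socket only.  Returns 1 if keepalive reads
 * back as enabled on that socket, 0 if not, -1 on any socket error. */
int keepalive_on_accepted_socket(void)
{
    int lfd = -1, cfd = -1, afd = -1, result = -1;
    struct sockaddr_in sin;
    socklen_t slen = sizeof(sin);

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                       /* let the kernel pick a port */

    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) goto out;
    if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) goto out;
    if (listen(lfd, 1) == -1) goto out;
    if (getsockname(lfd, (struct sockaddr *)&sin, &slen) == -1) goto out;

    if ((cfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) goto out;
    if (connect(cfd, (struct sockaddr *)&sin, sizeof(sin)) == -1) goto out;
    if ((afd = accept(lfd, NULL, NULL)) == -1) goto out;

    /* The accepted descriptor is an ordinary connected socket, so the
     * option can be set here, after accept(), without the client's help. */
    if (enable_keepalive(afd, 600, 60, 5) == -1) goto out;
    result = keepalive_enabled(afd);
out:
    if (afd != -1) close(afd);
    if (cfd != -1) close(cfd);
    if (lfd != -1) close(lfd);
    return result;
}

int main(void)
{
    int r = keepalive_on_accepted_socket();
    printf("keepalive on accepted socket: %s\n",
           r == 1 ? "enabled" : r == 0 ? "not enabled" : "socket error");
    return r == 1 ? 0 : 1;
}
```

The keepalive is only a fix for the server-side leak: once the probes go unanswered (the NAT state is gone, so they either vanish or draw a RST), the kernel errors out the socket and imapd sees the read fail, freeing the slot. It does nothing to keep the modem's NAT entry alive unless the idle time is shorter than the modem's timeout, which is worth measuring with a long-lived idle connection before picking numbers.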



Re: after upgrade to 6.9, iked does not pass traffic

2021-05-31 Thread Leclerc, Sebastien
> > > If that doesn't help you could share the output of 'ipsecctl -sa' to find
> > > out if the IPsec SAs or flows are the problem.
> > 
> > That may be the problem, there is nothing between 192.168.1.109 and 
> > 192.168.9.101 :
> > (192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
> > 192.168.9.101 is what the vpn client is trying to communicate with)
> > 
> > # ipsecctl -sa
> > FLOWS:
> > No flows
> > 
> > SAD:
> > esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 
> > enc aes-256
> > esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 
> > enc aes-256

> Ok, so this seems to be the cause.  From your log snippet I can see that
> there must have been SAs at some point because it shows an
> "ikev2_childsa_enable" line.
> Try running iked with -vv. Maybe the verbose log contains an error message
> that helps us find out what's wrong.

The SAs seem to be only the first "from" clause (from 192.168.8.2 to 
192.168.1.109), which are the VPN endpoints, not the second one, which covers 
the network behind the OpenBSD machine, and the IP assigned to the Windows 
machine in this same subnet (arp-proxied).

Here is the verbose log :

# iked -Tdvv
create_ike: using rsa for peer 192.168.1.109
ikev2 "windows" passive tunnel esp inet from 192.168.8.2 to 192.168.1.109 from 
192.168.9.0/24 to 192.168.9.208 local 192.168.8.2 peer 192.168.1.109 ikesa enc 
aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf 
hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group 
ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group 
modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 
prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth 
hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 
group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group 
modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn 
noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth 
hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid 
192.168.8.2 lifetime 10800 bytes 536870912 rsa config address 192.168.9.208 
config netmask 255.255.255.0 config name-server 192.168.1.222 config 
netbios-server 192.168.1.222
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
config_getpolicy: received policy
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: no mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=CA/ST=State/L=City-Name/O=Ville de City-Name/OU=Department/CN=VPN 
CA/emailAddress=it@domain.local
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file 192.168.8.2.crt
ca_validate_cert: /C=CA/ST=State/L=City-Name/O=Ville de 
City-Name/OU=Department/CN=192.168.8.2/emailAddress=it@domain.local ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
policy_lookup: setting policy 'windows'
spi=0xd5f403b2c665646e: recv IKE_SA_INIT req 0 peer 192.168.1.109:500 local 
192.168.8.2:500, 528 bytes, policy 'windows'
ikev2_recv: ispi 0xd5f403b2c665646e rspi 0x
ikev2_policy2id: srcid IPV4/192.168.8.2 length 8
ikev2_pld_parse: header ispi 0xd5f403b2c665646e rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 528 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 256
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #2 protoid IKE spisize 0 
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
i

playing bluray

2021-05-31 Thread Moises Simon
Greetings,

how can I play blurays on OpenBSD?

I have installed:
libaacs
libbdplus

But I get the following error when trying to play via vlc, mpv or with 
bd_splice;

aacs.c:121: No usable AACS libraries found!

I have downloaded KEYDB.cfg don't know if I need to do anything else.
Haven't found anything else on the internet about playing blurays with vlc.

dmesg below.

regards,

OpenBSD 6.9 (GENERIC.MP) #473: Mon Apr 19 10:40:28 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17084452864 (16293MB)
avail mem = 16551301120 (15784MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7ff15020 (9 entries)
bios0: vendor coreboot version "4.7-354-ged089376e3" date 02/16/2018
bios0: GIGABYTE GA-B75M-D3V
acpi0 at bios0: ACPI 4.0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT MCFG TCPA APIC HPET
acpi0: wakeup devices HDEF(S4) EHC1(S4) EHC2(S4) XHC_(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xf000, bus 0-63
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz, 3292.99 MHz, 06-3a-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz, 3292.54 MHz, 06-3a-09
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz, 3292.54 MHz, 06-3a-09
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz, 3292.54 MHz, 06-3a-09
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,POPCNT,DEADLINE,XSAVE,AVX,F16C,NXE,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpiprt5 at acpi0: bus 3 (RP05)
acpiprt6 at acpi0: bus -1 (RP06)
acpiprt7 at acpi0: bus -1 (RP07)
acpiprt8 at acpi0: bus -1 (RP08)
acpipci0 at acpi0 PCI0: 0x 0x0011 0x0001
acpicmos0 at acpi0
"BOOT" at acpi0 not configured
acpicpu0 at acpi0: C3 bad (state 4 has no substates): C2(500@63 mwait.1@0x10), 
C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C3 bad (state 4 has no substates): C2(500@63 mwait.1@0x10), 
C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C3 bad (state 4 has no substates): C2(500@63 mwait.1@0x10), 
C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C3 bad (state 4 has no substates): C2(500@63 mwait.1@0x10), 
C1(1000@1 mwait.1), PSS
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: LCD0
cpu0: using VERW MDS workaround (except on vmm entry)
cpu0: Enhanced SpeedStep 3292 MHz: speeds: 3300, 2800, 2400, 2000, 1600 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 3G Host" rev 0x09
ppb0 at pci0 dev 1 function 0 "Intel Core 3G PCIE" rev 0x09: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 "Intel I210" rev 0x03: msi, address 
6c:b3:11:52:79:ed
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 2500" rev 0x09
drm0 at inteldrm0
inteldrm0: msi, IVYBRIDGE, gen 7
xhci0 at pci0 dev 20 function 0 "Intel 7 Series xHCI" rev 0x04: msi,

[www] faq17.html patch for possible typo

2021-05-31 Thread Marfaba Stewart
patch for http://www.openbsd.org/faq/faq17.html:

--- a/faq17.html2021-05-31 09:21:14.822788500 -0500
+++ b/faq17.html2021-05-31 09:22:01.375496403 -0500
@@ -323,7 +323,7 @@ ikev2 'roadwarrior' active esp \
 from dynamic to any \
 peer 192.0.2.1 \
 srcid roadwarrior \
-dstid server1.domain
+dstid server1.domain \
 request address any \
 iface vether0
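Review bot: the trailing backslash added to `dstid server1.domain \` is the right fix, since `request address any \` and `iface vether0` continue the same ikev2 rule and iked.conf(5) needs the line continuation for them to belong to it; without it the rule ends at `dstid` and the following lines are a syntax error. Worth confirming with `iked -n -f` on a file holding the full example that it now loads as one rule. The `---`/`+++` headers name the file as `a/faq17.html` rather than its path in the www repository, so whoever commits it needs to apply it with `-p1` from the faq directory.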
 





Re: after upgrade to 6.9, iked does not pass traffic

2021-05-31 Thread Leclerc, Sebastien
> I'm not sure about that bge0 rule.  iked.conf(5) mentions ipencap only
> in the context of enc interfaces.
> You could try adding 'set skip on enc0' to find out if pf is the problem.

That rule has been the same for some years now, without problem. I tried
adding set skip on enc0, but the problem persists.

> If that doesn't help you could share the output of 'ipsecctl -sa' to find
> out if the IPsec SAs or flows are the problem.

That may be the problem, there is nothing between 192.168.1.109 and 
192.168.9.101 :
(192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
192.168.9.101 is what the vpn client is trying to communicate with)

# ipsecctl -sa
FLOWS:
No flows

SAD:
esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 enc 
aes-256
esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 enc 
aes-256



Re: after upgrade to 6.9, iked does not pass traffic

2021-05-31 Thread Tobias Heider
On Mon, May 31, 2021 at 12:20:29PM +, Leclerc, Sebastien wrote:
> > I'm not sure about that bge0 rule.  iked.conf(5) mentions ipencap only
> > in the context of enc interfaces.
> > You could try adding 'set skip on enc0' to find out if pf is the problem.
> 
> That rule has been the same for some years now, without problem. I tried
> adding set skip on enc0, but the problem persists.
> 
> > If that doesn't help you could share the output of 'ipsecctl -sa' to find
> > out if the IPsec SAs or flows are the problem.
> 
> That may be the problem, there is nothing between 192.168.1.109 and 
> 192.168.9.101 :
> (192.168.8.2 is the firewall interface that 192.168.1.109 is connecting to,
> 192.168.9.101 is what the vpn client is trying to communicate with)
> 
> # ipsecctl -sa
> FLOWS:
> No flows
> 
> SAD:
> esp tunnel from 192.168.8.2 to 192.168.1.109 spi 0x0e7b0e8b auth hmac-sha1 
> enc aes-256
> esp tunnel from 192.168.1.109 to 192.168.8.2 spi 0x6830eab4 auth hmac-sha1 
> enc aes-256

Ok, so this seems to be the cause.  From your log snippet I can see that
there must have been SAs at some point because it shows an
"ikev2_childsa_enable" line.
Try running iked with -vv. Maybe the verbose log contains an error message
that helps us find out what's wrong.



Re: Pf tables and ruleset optimizations

2021-05-31 Thread Bounlieng PITTIKOUN - ecedi
passioncereales, fdhdp, icm, if.

afm and sidaction probably too, if they are VMs.
Also, the vulnerability concerns specific versions of VMware components; I 
don't know which version runs these VMs.


- On May 31, 2021, at 11:18 AM, Heinrich Rebehn heinrich.reb...@rebehn.net 
wrote:

>> On 31. May 2021, at 11:03, Otto Moerbeek wrote:
>> 
>> On Mon, May 31, 2021 at 10:32:56AM +0200, Heinrich Rebehn wrote:
>> 
>>> Hi list,
>>> 
>>> My /etc/pf.conf contains a table which is initialized from a file:
>>> 
>>> table <myservers> file "/root/pf/tables/myservers"
>>> 
>>> This table is not referred to in pf.conf, but in an anchor which is loaded
>>> later on.
>>> I found out that even when the anchor is loaded, the table does not exist.
>> 
>> See the "persist" keyword in pf.conf.
>> 
>>  -Otto
> 
> Thanks, I should have known that. For some reason I figured that initializing
> from a file would include “persist”, but that is nonsense.
> 
> -Heinrich
> 
>> 
>>> 
>>> # pfctl -t myservers -T show
>>> pfctl: Table does not exist
>>> # pfctl -sT
>>> private
>>> rtun0
>>> rtun1
>>> trusted
>>> 
>>> If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If 
>>> I use
>>> 
>>> set ruleset-optimization none
>>> 
>>> it doesn’t.
>>> 
>>> Is this expected behavior?
>>> 
>>> Also rcctl(8) does not allow setting flags for pf
>>> 
>>> # rcctl set pf flags "-o none"
>>> rcctl: "pf" is a special variable, cannot "set flags"
>>> 
>>> Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o 
>>> none
>>> -f /etc/pf.conf" to rc.local
>>> 
>>> Any thoughts?
>>> 
>>> -Heinrich



Re: Pf tables and ruleset optimizations

2021-05-31 Thread Heinrich Rebehn



> On 31. May 2021, at 11:03, Otto Moerbeek wrote:
> 
> On Mon, May 31, 2021 at 10:32:56AM +0200, Heinrich Rebehn wrote:
> 
>> Hi list,
>> 
>> My /etc/pf.conf contains a table which is initialized from a file:
>> 
>> table <myservers> file "/root/pf/tables/myservers"
>> 
>> This table is not referred to in pf.conf, but in an anchor which is loaded 
>> later on.
>> I found out that even when the anchor is loaded, the table does not exist.
> 
> See the "persist" keyword in pf.conf.
> 
>   -Otto

Thanks, I should have known that. For some reason I figured that initializing 
from a file would include “persist”, but that is nonsense.

-Heinrich

> 
>> 
>> # pfctl -t myservers -T show
>> pfctl: Table does not exist
>> # pfctl -sT
>> private
>> rtun0
>> rtun1
>> trusted
>> 
>> If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I 
>> use
>> 
>> set ruleset-optimization none
>> 
>> it doesn’t.
>> 
>> Is this expected behavior?
>> 
>> Also rcctl(8) does not allow setting flags for pf
>> 
>> # rcctl set pf flags "-o none"
>> rcctl: "pf" is a special variable, cannot "set flags"
>> 
>> Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o 
>> none -f /etc/pf.conf" to rc.local
>> 
>> Any thoughts?
>> 
>> -Heinrich



Re: Pf tables and ruleset optimizations

2021-05-31 Thread Otto Moerbeek
On Mon, May 31, 2021 at 10:32:56AM +0200, Heinrich Rebehn wrote:

> Hi list,
> 
> My /etc/pf.conf contains a table which is initialized from a file:
> 
> table <myservers> file "/root/pf/tables/myservers"
> 
> This table is not referred to in pf.conf, but in an anchor which is loaded 
> later on.
> I found out that even when the anchor is loaded, the table does not exist.

See the "persist" keyword in pf.conf.

-Otto

> 
> # pfctl -t myservers -T show
> pfctl: Table does not exist
> # pfctl -sT
> private
> rtun0
> rtun1
> trusted
> 
> If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I 
> use
> 
> set ruleset-optimization none
> 
> it doesn’t.
> 
> Is this expected behavior?
> 
> Also rcctl(8) does not allow setting flags for pf
> 
> # rcctl set pf flags "-o none"
> rcctl: "pf" is a special variable, cannot "set flags"
> 
> Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o 
> none -f /etc/pf.conf" to rc.local
> 
> Any thoughts?
> 
> -Heinrich
> 
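The "persist" keyword Otto points to, shown as an added pf.conf example rather than anything posted in the thread. The table name and file path are the ones from the question; the anchor name "servers" and the rule inside it are made up for illustration.

```pf
# Added example (not from the thread): the table definition from the
# question, as posted and with the "persist" flag Otto refers to.

# As posted.  Nothing in the main ruleset refers to <myservers>, so the
# kernel does not keep an unreferenced table around, and an anchor loaded
# afterwards finds no such table ("pfctl: Table does not exist"):
#
#   table <myservers> file "/root/pf/tables/myservers"

# With "persist" the kernel keeps the table even while no rule refers to it,
# so it is still there for rules loaded into an anchor later on:
table <myservers> persist file "/root/pf/tables/myservers"

# Evaluate the anchor from the main ruleset; its rules are loaded
# separately, e.g. with:  pfctl -a servers -f /etc/pf.servers.conf
anchor "servers"

# Contents of /etc/pf.servers.conf (illustrative rule, not from the thread):
#   pass in quick proto tcp from <myservers> to any port 22
```

After reloading, `pfctl -sT` should list myservers alongside the other tables regardless of the ruleset-optimization setting, and `pfctl -t myservers -T show` should print the file's contents; `pfctl -a servers -sr` shows the anchor's rules once they are loaded.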



Pf tables and ruleset optimizations

2021-05-31 Thread Heinrich Rebehn
Hi list,

My /etc/pf.conf contains a table which is initialized from a file:

table <myservers> file "/root/pf/tables/myservers"

This table is not referred to in pf.conf, but in an anchor which is loaded 
later on.
I found out that even when the anchor is loaded, the table does not exist.

# pfctl -t myservers -T show
pfctl: Table does not exist
# pfctl -sT
private
rtun0
rtun1
trusted

If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I use

set ruleset-optimization none

it doesn’t.

Is this expected behavior?

Also rcctl(8) does not allow setting flags for pf

# rcctl set pf flags "-o none"
rcctl: "pf" is a special variable, cannot "set flags"

Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o none 
-f /etc/pf.conf" to rc.local

Any thoughts?

-Heinrich