Here:

> Message written by Klemens Nanni <[email protected]> on 27.09.2018 at 15:19:
>
> What version are you running?

sorry, forgot to mention: 6.3 -stable

> On Thu, Sep 27, 2018 at 02:06:44PM +0200, Zbyszek Żółkiewski wrote:
>> At securelevel(7) set to 2, NAT rules and filter cannot be altered, however
>> as stated in the pf.conf(5) manual - it is possible to modify tables by
>> adding/deleting entries
>> (https://man.openbsd.org/pf.conf.5#TABLES)
>>
>> and this works fine. Question: why is it not possible to list the content of
>> tables?:
>>
>> kern.securelevel=2
>> pfctl -t whitelist -T show
>> pfctl: Operation not permitted.
>>
>> while:
>> kern.securelevel=1
>> pfctl -t whitelist -T show
>> 192.168.1.7
>> 192.168.1.20
>> 192.168.1.25
>>
>> and more odd, adding the -v flag allows listing it anyway:
>>
>> pfctl -t whitelist -v -T show
>> 192.168.1.7
>> Cleared: Thu Sep 27 13:47:58 2018
>> 192.168.1.20
>> Cleared: Thu Sep 27 13:47:58 2018
>>
>> I am a bit confused, is this a bug or am I missing something?
> So am I. Did you add `-v' while securelevel was set to 2 or 1?

it was set to 2

> Please provide a clear way to reproduce your scenario, possibly
> including the table definitions from your pf.conf.

pf.conf snippet:

table <whitelist> persist file "/etc/pf/whitelist" counters

whitelist contains a list of IPs

to reproduce:

- at securelevel=1
- load pf.conf
- file whitelist is populated with IP addresses
- try to list table: pfctl -t whitelist -T show - will all work as expected
- set securelevel=2 (sysctl kern.securelevel=2)
- repeat command: pfctl -t whitelist -T show - this results in "Operation not permitted"
- now try: pfctl -t whitelist -v -T show - this will result with printed table contents as well as some stats

_
Zbyszek Żółkiewski
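A small check for the inconsistency reported above, added here as an example and not part of the thread: it runs `pfctl -T show` on a table with and without `-v` and reports whether both listings are refused, both allowed, or only one of them. `PFCTL` and `SYSCTL` are assumed overridable environment variables so the function can be exercised with stub commands on a host without pf or root.

```shell
#!/bin/sh
# Added example (not from the thread). Compares whether "pfctl -T show" and
# "pfctl -v -T show" agree on being permitted for a table at the current
# securelevel. PFCTL and SYSCTL are assumed overridable so the check can be
# exercised with stub commands on a host without pf or root.
PFCTL=${PFCTL:-pfctl}
SYSCTL=${SYSCTL:-sysctl}

# run_status CMD ARGS...: runs CMD with output discarded, prints 0 on
# success and 1 on any failure (including "Operation not permitted").
run_status() {
    if "$@" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# check_table_listing TABLE: prints one of
#   consistent-allowed  both listings succeed (expected at securelevel 1)
#   consistent-denied   both listings refused
#   inconsistent        one refused, the other allowed (the thread's
#                       observation at securelevel 2 with and without -v)
check_table_listing() {
    table=$1
    plain=$(run_status "$PFCTL" -t "$table" -T show)
    verbose=$(run_status "$PFCTL" -t "$table" -v -T show)
    if [ "$plain" -eq 0 ] && [ "$verbose" -eq 0 ]; then
        echo consistent-allowed
    elif [ "$plain" -ne 0 ] && [ "$verbose" -ne 0 ]; then
        echo consistent-denied
    else
        echo inconsistent
    fi
}

# report TABLE: prefixes the result with the current kern.securelevel.
report() {
    level=$("$SYSCTL" -n kern.securelevel 2>/dev/null || echo unknown)
    echo "kern.securelevel=$level table=$1 result=$(check_table_listing "$1")"
}

# Usage: sh check_pf_table_listing.sh whitelist
if [ -n "${1:-}" ]; then report "$1"; fi
```

Run it once at securelevel 1 and again after raising to 2; a result of "inconsistent" at level 2 is the behaviour the report describes.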
