On 25 October 2008 12:08:18 Stuart Henderson wrote:
> On 2008-10-24, Vadim Zhukov <[EMAIL PROTECTED]> wrote:
> >> -T load Load only the table definitions from pf.conf(5).
> >> This is used in conjunction with the -f flag, as
> >> in:
> >>
> >> # pfctl -Tl -f pf.conf
> >
> > Console session (same result on another PC with older customized
> > kernel):
> >
> > /etc$ dmesg | head -2
> > OpenBSD 4.4-current (GENERIC.MP) #890: Tue Sep 30 19:36:22 MDT 2008
> >
> > [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
> > /etc$ sudo fgrep '<xx>' pf.conf
> > table <xx> { 1.2.3.4, 2.3.4.5 }
> > /etc$ sudo pfctl -T load -f pf.conf && echo OK
> > OK
> > /etc$ sudo pfctl -t xx -T show
> > pfctl: Table does not exist.
> > /etc$
> >
> > "const" modifier doesn't help either. Loading rules file without
> > "-Tl" doesn't help either - although it works at system startup. "-vv"
> > doesn't give any clues. I have no 4.3 or older machine now, so I
> > cannot check if this is something "fresh". :(
> >
> > Ignoring the fact that I'll update this PC to fresh snapshot in a
> > week, can anyone at least verify that he does (not) see the same
> > behavior there? Or do I miss something obvious?
>
> I see that behaviour if the table is not referenced in a rule (whether
> or not it's marked const, whether or not the optimizer is enabled).
> And it does correctly get marked const ("c" flag in -sT -v).
>
> $ echo 'table <zz> const {1.2.3.4}' | sudo pfctl -f -
> $ sudo pfctl -sT
> $ echo 'table <zz> const {1.2.3.4}' | sudo pfctl -f - -o none
> $ sudo pfctl -sT
> $ echo 'table <zz> const {1.2.3.4}\npass to <zz>' | sudo pfctl -f -
> $ sudo pfctl -sT -v
> c-a-r-- zz
> $ sudo pfctl -F T
> 1 tables deleted.
> $ echo 'table <zz> const {1.2.3.4}\npass to <zz>' | sudo pfctl -Tl -f -
> $ sudo pfctl -sT -v
> c-a-r-- zz
> $ sysctl kern.version
> kern.version=OpenBSD 4.4-current (GENERIC) #1115: Tue Oct 21 15:52:47 MDT 2008
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

Sorry, I was stupid. :( "persist" keyword saves the Earth! Anyway,
somehow your reply made me think of it, so thanks. :)

(My problem was that I defined the table in pf.conf and used it only in
authpf rules files).

--
Best wishes,
Vadim Zhukov
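
Added example, not part of the thread or of pfctl: a small lint for the situation resolved above, listing tables that a pf.conf defines without `persist` and never references in a rule of the same file, so pf will not keep them after the ruleset is loaded. The function names and the sample ruleset are constructed here; it assumes one statement per line, no backslash continuations and no `#` inside quoted strings.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not from the thread).
# Reads a pf.conf on stdin and prints tables that are defined without
# "persist" and not referenced by any rule in that same file.
pf_volatile_tables() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    /^[ \t]*table[ \t]*</ {                 # table definition line
        name = $0
        sub(/^[ \t]*table[ \t]*</, "", name)
        sub(/>.*/, "", name)
        flags = $0
        sub(/[{].*/, "", flags)             # flags precede the address list
        defined[name] = 1
        if (flags ~ /[ \t]persist([ \t]|$)/) persist[name] = 1
        next
    }
    {                                       # any other line: collect <table> uses
        line = $0
        while (match(line, /<[^<>]+>/)) {
            used[substr(line, RSTART + 1, RLENGTH - 2)] = 1
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END {
        for (n in defined)
            if (!(n in persist) && !(n in used)) print n
    }' | sort
}

# Constructed sample ruleset mirroring the three cases in the thread.
sample_pf_conf() {
    cat <<'EOF'
table <xx> { 1.2.3.4, 2.3.4.5 }     # used only from authpf rules files
table <yy> persist { 10.0.0.1 }     # kept even with no referencing rule
table <zz> const { 1.2.3.4 }
pass to <zz>                        # referenced, so pf keeps <zz>
EOF
}

sample_pf_conf | pf_volatile_tables     # prints: xx
```

A table reported here is one that only other rule files (authpf rules, anchors) or later `pfctl -t` commands can be relying on, which is the case `persist` exists for.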