On Wed, Jun 2, 2010 at 10:48 AM, James Records <[email protected]> wrote:
> Hi All,
>
> Having an issue with anchors and tables again. I had this same issue a
> couple of years ago in 4.5 but never got any response; hoping someone can
> shed some light onto what I'm missing here, or if this is even supported.
> I'm trying to use an overload rule inside of an anchor to populate a table
> defined outside of all anchors. I haven't seen anything that specifically
> says this isn't supported, but if that's the case I'd like to get it
> clarified. Here are snippets of pf.conf that don't work, and one that does,
> and an explanation of why I can't just use the one that does work without
> side effects.
>
> Thanks in advance,
>
> J
>
>
>
> Doesn't work:
>
> ##############
> #### Tables ###
> ##############
> table <blocked_sites> persist
>
> #####################
> #### Blocked Sites ####
> #####################
> anchor "Blocked_Sites" {
> block in quick from <blocked_sites> to any
> }
>
> ##############
> ### TEST_IN ###
> ##############
> anchor "TEST_IN" {
> pass in log quick on em0 inet proto tcp \
> from any to <TEST_IN_dst> \
> port { 443 } keep state \
> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
> max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
> }
>
>
> But remove the anchor from the overload rule and it works fine:
>
> ###############
> #### Tables ####
> ###############
> table <blocked_sites> persist
>
> #####################
> #### Blocked Sites ####
> #####################
> anchor "Blocked_Sites" {
> block in quick from <blocked_sites> to any
> }
>
> ###############
> ### TEST_IN ###
> ###############
> #anchor "TEST_IN" {
> pass in log quick on em0 inet proto tcp \
> from any to <TEST_IN_dst> \
> port { 443 } keep state \
> (max 100, source-track rule, max-src-nodes 10, max-src-states 20,
> max-src-conn 20, max-src-conn-rate 2/15, overload <blocked_sites> flush)
> #}
>
> This would be simple enough but I want to be able to parse my logs using
> the anchor names, this isn't possible using the 2nd method.
>
> The docs say this should just work from everything I can tell: I can "read"
> from a global table from within an anchor but am failing to "write" to it
> from within an anchor using the overload rule.
>
Just an update, I've done some more digging. It seems like I'm running into
an issue where it's creating a new table inside the anchor. I'm thinking this
is just a bug where the table gets created because it doesn't look outside
of the anchor to see if one already exists, but I just want to get another
pair of eyes to confirm.
Thanks
J
$ pfctl -vvs Tables
-pa--h- blocked_sites
Addresses: 0
Cleared: Wed Jun 2 06:10:20 2010
References: [ Anchors: 3 Rules: 0 ]
Evaluations: [ NoMatch: 162 Match: 0 ]
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
$ pfctl -a "TEST_IN" -vvs Tables
--a-r-- blocked_sites TEST_IN
Addresses: 1
Cleared: Wed Jun 2 01:55:11 2010
References: [ Anchors: 0 Rules: 5 ]
Evaluations: [ NoMatch: 114 Match: 69 ]
In/Block: [ Packets: 69 Bytes: 6732 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]
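The two pfctl listings above show the symptom directly: the root <blocked_sites> is flagged as referenced from anchors but holds 0 addresses, while TEST_IN has its own <blocked_sites> holding the 1 overloaded address. The script below is an added example (not from this thread, and not pf or pfctl code) that automates that comparison: feed it the text of `pfctl -vvs Tables` for the root ruleset and one `pfctl -a ANCHOR -vvs Tables` capture per anchor, and it reports every root table name that also exists as an anchor-local table. It assumes the 7-letter flag column follows pfctl's table printer order (c p a i r h C) and uses constructed captures modelled on the output quoted above; the extra TEST_IN_dst entry is made up to show that anchor-only tables are ignored.

```python
"""Spot a pf table that exists both in the root ruleset and inside an anchor.

Added example, not code from the thread or from pf/pfctl. It parses text
captured from `pfctl -vvs Tables` (root ruleset) and `pfctl -a ANCHOR -vvs
Tables` (one capture per anchor) and reports every root table name that
also appears as an anchor-local table: the symptom in the thread, where the
anchor's own <blocked_sites> holds the overloaded address and the global one
stays empty.
"""
import re
from typing import Dict, List

# Meaning of the 7-character flag column printed by pfctl (assumed order,
# taken from pfctl's table printer): c=const p=persist a=active i=inactive
# r=referenced by rules h=referenced from an anchor C=counters; '-' = unset.
FLAG_NAMES = {"c": "const", "p": "persist", "a": "active", "i": "inactive",
              "r": "referenced by rules", "h": "referenced from anchor",
              "C": "counters"}

# "<flags> <name> [<anchor>]" header line, followed by indented detail lines.
HEADER_RE = re.compile(r"^([cpairhC-]{7})\s+(\S+)(?:\s+(\S+))?\s*$")
ADDR_RE = re.compile(r"^\s*Addresses:\s+(\d+)")
REF_RE = re.compile(r"^\s*References:\s*\[\s*Anchors:\s*(\d+)\s+Rules:\s*(\d+)")

# Constructed captures modelled on the output quoted in the thread; the
# TEST_IN_dst entry is invented to show that anchor-only tables are ignored.
ROOT_CAPTURE = """\
-pa--h-  blocked_sites
  Addresses:   0
  References:  [ Anchors: 3  Rules: 0 ]
"""
ANCHOR_CAPTURES = {
    "TEST_IN": """\
--a-r--  blocked_sites  TEST_IN
  Addresses:   1
  References:  [ Anchors: 0  Rules: 5 ]
--a-r--  TEST_IN_dst  TEST_IN
  Addresses:   2
  References:  [ Anchors: 0  Rules: 1 ]
""",
}


def parse_tables(text: str) -> List[dict]:
    """One record per table in a `pfctl -vvs Tables` listing."""
    tables: List[dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flags, name, anchor = m.groups()
            tables.append({"name": name, "anchor": anchor,  # None at root
                           "flags": {FLAG_NAMES[c] for c in flags if c != "-"},
                           "addresses": 0, "anchor_refs": 0, "rule_refs": 0})
            continue
        if not tables:
            continue  # detail line before any header: nothing to attach it to
        m = ADDR_RE.match(line)
        if m:
            tables[-1]["addresses"] = int(m.group(1))
            continue
        m = REF_RE.match(line)
        if m:
            tables[-1]["anchor_refs"], tables[-1]["rule_refs"] = map(int, m.groups())
    return tables


def find_shadowed(root_text: str, anchor_texts: Dict[str, str]) -> Dict[str, List[dict]]:
    """Root table name -> anchor-local tables that carry the same name."""
    root_names = {t["name"] for t in parse_tables(root_text)}
    shadowed: Dict[str, List[dict]] = {}
    for anchor, text in anchor_texts.items():
        for t in parse_tables(text):
            if t["name"] in root_names:
                t["anchor"] = t["anchor"] or anchor  # fall back to the -a argument
                shadowed.setdefault(t["name"], []).append(t)
    return shadowed


def report(root_text: str, anchor_texts: Dict[str, str]) -> List[str]:
    """Human-readable lines, one per (root table, shadowing anchor table) pair."""
    root = {t["name"]: t for t in parse_tables(root_text)}
    lines: List[str] = []
    for name, locals_ in find_shadowed(root_text, anchor_texts).items():
        g = root[name]
        for t in locals_:
            lines.append(
                f"<{name}>: root copy holds {g['addresses']} address(es), "
                f"referenced from {g['anchor_refs']} anchor rule(s); "
                f"anchor {t['anchor']} has a separate copy holding "
                f"{t['addresses']} address(es), referenced by {t['rule_refs']} rule(s)")
    return lines


if __name__ == "__main__":
    for line in report(ROOT_CAPTURE, ANCHOR_CAPTURES):
        print(line)
```

On a live box you would replace the constructed strings with `subprocess.run(["pfctl", "-vvs", "Tables"], ...)` output and one `pfctl -a NAME -vvs Tables` call per anchor listed by `pfctl -s Anchors`; any line the report prints means an overload (or an explicit table definition) inside that anchor is filling a table the root <blocked_sites> rules never see.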