Date:      Tue, 22 Oct 2013 11:15:18 GMT
From:      Ole Myhre <ole@dataoppdrag.no>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/183198: pf tables not loaded if only used inside anchor
Message-ID:  <201310221115.r9MBFIb4088403@oldred.freebsd.org>
Resent-Message-ID: <201310221120.r9MBK0k6069303@freefall.freebsd.org>


>Number:         183198
>Category:       kern
>Synopsis:       pf tables not loaded if only used inside anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 11:20:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Ole Myhre
>Release:        10.0-BETA1
>Organization:
>Environment:
FreeBSD fw 10.0-BETA1 FreeBSD 10.0-BETA1 #0 r256420: Sun Oct 13 01:43:07 UTC 2013     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When using tables in pf (either manually created tables or automatic tables created from macros/rules), and those tables are only being used inside anchors, the tables are not loaded when running "pfctl -f".

This causes some problems, especially if you are using macros for groups of addresses and that group is converted to an automatic table. So the rule inside the anchor works when you only have a few addresses in the macro, but if you add a few more addresses, the rule would point to a table that's not loaded.

I see the same behavior on 9.1-RELEASE.

Example with manual table:

# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in from <test> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t test -T show
pfctl: Table does not exist.

# echo "pass in on em0 from <test>" >> /etc/pf.conf
# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
pass in on em0 from <test>

# pfctl -f /etc/pf.conf
# pfctl -sT
test
# pfctl -t test -T show
   10.0.0.1
   10.0.0.2
   10.0.0.3


Example with automatic table:

# cat /etc/pf.conf
block in

anchor "em0" on em0 {
 pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_13de2d31_0> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t __automatic_13de2d31_0 -T show
pfctl: Table does not exist.
# echo "pass in on em0 from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }" >> /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state
# pfctl -sT
__automatic_b3d57307_0

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
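The PR's two examples show the same symptom from the load side: after "pfctl -f", "pfctl -sT" lists nothing for a table whose only references sit inside an anchor, while one reference in the main ruleset makes the table appear. A practitioner maintaining a pf.conf on an affected release wants to catch that before loading. The script below is an added example written for this page, not code from the PR or from pf: a static audit that reads a pf.conf and reports named tables (defined with "table <name>", without the "persist" flag documented in pf.conf(5)) whose references all lie inside "anchor ... { ... }" blocks, plus any inline address list inside an anchor rule with its member count, since the PR shows such lists being turned into "__automatic_*" tables that hit the same bug. The function names and the sample configs are constructed here; the samples reproduce the PR's two rulesets. The audit reads the file as written, so macro expansion is not modelled, the size at which pfctl converts a list into an automatic table is not stated in the PR and is left to the reader, and whether "persist" sidesteps this particular bug is an assumption not confirmed on the page.

```shell
#!/bin/sh
# Added example, not part of the PR or of pf. Static audit of a pf.conf for
# tables that are referenced only inside anchor blocks, the condition under
# which the PR reports that "pfctl -f" does not load the table.
# Function names are constructed for this example.

# pf_anchor_audit FILE
#   Prints "table NAME" for each non-persist table whose references are all
#   inside anchors, and "list LINE:COUNT" for each inline "{ a, b, ... }" list
#   on a rule inside an anchor. Nesting is tracked by net brace count, so a
#   one-line "anchor \"x\" { ... }" is not modelled; macro lines are skipped.
pf_anchor_audit() {
    awk '
    { sub(/#.*/, "") }                                  # drop comments
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }      # macro definitions
    in_table { if ($0 ~ /\}/) in_table = 0; next }      # multi-line table body
    /^[ \t]*table[ \t]+</ {                             # table definition
        match($0, /<[^>]+>/)
        name = substr($0, RSTART + 1, RLENGTH - 2)
        defined[name] = 1
        if ($0 ~ /[ \t]persist([ \t]|$)/) persist[name] = 1
        if (gsub(/\{/, "{") > gsub(/\}/, "}")) in_table = 1
        next
    }
    {
        line = $0
        while (match(line, /<[^>]+>/)) {                # every <name> reference
            name = substr(line, RSTART + 1, RLENGTH - 2)
            if (depth > 0) inside[name]++; else outside[name]++
            line = substr(line, RSTART + RLENGTH)
        }
        if (depth > 0 && $0 !~ /^[ \t]*anchor[ \t]/ && match($0, /\{[^}]*\}/)) {
            body = substr($0, RSTART + 1, RLENGTH - 2)  # inline list in anchor
            gsub(/^[ \t]+|[ \t]+$/, "", body)
            print "list " NR ":" split(body, parts, /[ \t,]+/)
        }
        depth += gsub(/\{/, "{") - gsub(/\}/, "}")      # anchor nesting depth
    }
    END {
        for (name in defined)
            if (!persist[name] && inside[name] > 0 && outside[name] == 0)
                print "table " name
    }' "$1"
}

# Convenience filters over the audit output (sorted so results are stable).
pf_anchor_only_tables() { pf_anchor_audit "$1" | awk '$1 == "table" { print $2 }' | sort; }
pf_anchor_inline_lists() { pf_anchor_audit "$1" | awk '$1 == "list" { print $2 }'; }

# Constructed sample: the PR's first ruleset, table used only inside the anchor.
pf_sample_anchor_only() {
    cat <<'EOF'
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
EOF
}

# Same ruleset plus the main-ruleset reference the PR appends, after which
# the table is listed by "pfctl -sT".
pf_sample_with_main_ref() {
    pf_sample_anchor_only
    echo 'pass in on em0 from <test>'
}

# Constructed sample: the PR's second ruleset, an inline list inside the anchor
# that pfctl turns into an __automatic_* table.
pf_sample_inline_list() {
    cat <<'EOF'
block in

anchor "em0" on em0 {
 pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
EOF
}

# Stand-alone run: write each sample to a temp file and audit it.
pf_demo() {
    tmp=$(mktemp) || return 1
    for s in pf_sample_anchor_only pf_sample_with_main_ref pf_sample_inline_list; do
        "$s" > "$tmp"
        echo "== $s"
        echo "anchor-only tables: $(pf_anchor_only_tables "$tmp" | tr '\n' ' ')"
        echo "inline lists in anchors (line:count): $(pf_anchor_inline_lists "$tmp" | tr '\n' ' ')"
    done
    rm -f "$tmp"
}
pf_demo
```

Run it against a real /etc/pf.conf with `pf_anchor_only_tables /etc/pf.conf`; every name it prints is one to verify with "pfctl -sT" after loading, and an empty result for the PR's first sample appears only once the main-ruleset reference is added, matching what the PR records.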



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201310221115.r9MBFIb4088403>