From owner-freebsd-pf@FreeBSD.ORG Thu Aug 16 00:07:18 2007
From: Tom Judge
Date: Thu, 16 Aug 2007 02:09:52 +0100
To: Toomas Pelberg
Cc: freebsd-pf@freebsd.org
Subject: Re: pfctl -i
List-Id: "Technical discussion and general questions about packet filter (pf)"

Toomas Pelberg wrote:
> On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
>> On 8/14/07, Toomas Pelberg wrote:
>>> pfctl man page says:
>>>
>>>     -i interface
>>>             Restrict the operation to the given interface.
>>>
>>> ...what exactly is meant under the word "operation"?
>> This would be one of those things that is obvious once you've seen an example
>> and thought about it for a while.
>>
>> $sudo pfctl -si |grep -A1 State
>> State Table                        Total             Rate
>>   current entries                  34056
>> $sudo pfctl -i vlan170 -ss |wc -l
>> 1172
>
> So -i only works in combination with -s? If so, I think it should be
> mentioned in the man page.

I have not tested this but what happens if you try to load the following
rule set with pfctl -i lo1 -f rules

pass on lo0 all
block on lo1 all

If the output of 'pfctl -srules' shows both rules then the -i flag has no
effect on the operation of the -f flag.

Tom

>
>> In this case, only show states bound to the vlan170 interface.
>>
>>> My problem: I want to load a different ruleset for each interface
>>> ( jails ) and not care about what's in the ruleset as long as it doesn't
>>> affect anything outside the jail ( which is bound to a specific ip on a
>>> separate interface )
>> You probably want to look into anchors.
>
> While I can use an anchor to limit to the interface, it's a rather ugly
> hack.
> Care to show an elegant solution how to anchor an unspecified number of
> user rules?
>
> I could just as well pass over the supplied ruleset with a perl script
> that skips any rules not starting with pass/block in/out on jail_interface.
>
> pfctl -i & -f combo would've been great for this purpose.
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
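The two approaches discussed above, as an added example that is not code from the thread or from the pf project. filter_ruleset is the pre-filter Toomas describes (keep only pass/block rules pinned with "on <jail interface>", drop the rest); anchor_fragment is the mechanism Jon points at (an anchor that pf evaluates only for packets on that interface, so even a bare "pass all" inside the anchor cannot touch other interfaces). The interface name vlan170, the anchor name jail_web, the file path and the sample rules are all assumptions made up for the demonstration; nothing here calls pfctl, so it runs on any system with sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD/pf): confine an
# untrusted per-jail pf ruleset to the jail's interface.
# Assumptions: interface vlan170, anchor jail_web, file /etc/pf.jail_web.conf,
# and the constructed sample rules in demo_rules().

# filter_ruleset IFACE [FILE]
# Conservative textual whitelist, not a pf parser: a line is kept only if it
# starts with pass/block and carries "on IFACE" with exactly that token.
# Options ("set ..."), tables, nat/rdr, rules with no "on" (which would apply
# to every interface), rules on other interfaces, interface lists "{ a b }",
# negated interfaces "!a" and anything using a macro ($...) are dropped and
# reported on stderr. Reads stdin when FILE is omitted.
filter_ruleset() {
    awk -v iface="$1" '
    {
        orig = $0
        sub(/#.*/, "")                     # strip trailing comment
        sub(/[ \t]+$/, "")                 # and trailing whitespace
        if ($0 ~ /^[ \t]*$/) next          # blank or comment-only line
        keep = 0
        if ($1 == "pass" || $1 == "block") {
            for (i = 2; i < NF; i++)       # locate the "on <ifspec>" clause
                if ($i == "on") { keep = ($(i + 1) == iface); break }
            if ($0 ~ /\$/) keep = 0        # macro: expansion cannot be checked
        }
        if (keep) print $0
        else printf("dropped: %s\n", orig) > "/dev/stderr"
    }' ${2:+"$2"}
}

# anchor_fragment NAME IFACE FILE
# Prints the two lines for the main pf.conf: an anchor rule restricted to
# IFACE, and a directive loading FILE into it. pf then evaluates the jail's
# rules only for packets on IFACE, whatever the rules themselves say about
# interfaces. FILE can be reloaded on its own with: pfctl -a NAME -f FILE
anchor_fragment() {
    printf 'anchor "%s" on %s\n' "$1" "$2"
    printf 'load anchor "%s" from "%s"\n' "$1" "$3"
}

# Constructed sample of what a jail user might submit (not a real ruleset).
demo_rules() {
    cat <<'EOF'
# constructed sample ruleset
set skip on lo0
pass all
block on lo0 all
pass in on vlan170 proto tcp from any to any port 22 keep state
block in quick on vlan1700 all
pass on { vlan170 lo0 } all
pass on $ext_if all
block return out on vlan170 proto udp all   # trailing comment is stripped
EOF
}

# Demonstration: stdout shows what survives, stderr lists what was dropped.
echo "# rules kept for vlan170:"
demo_rules | filter_ruleset vlan170
echo "# main pf.conf fragment:"
anchor_fragment jail_web vlan170 /etc/pf.jail_web.conf
```

The textual filter on its own is only a coarse guard (it rejects anything it cannot prove is bound to the interface, including valid rules that use macros), so the intended use is both together: run the submitted file through filter_ruleset, write the result to the anchor's file, and reference that file from the main pf.conf with the lines anchor_fragment prints, so that pf's own "on vlan170" on the anchor rule enforces the boundary rather than the regex. Tom's experiment above (load "pass on lo0 all" / "block on lo1 all" with pfctl -i lo1 -f, then inspect pfctl -sr) is the quickest way to confirm on a given pf version whether -i influences -f at all.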