From: Nick Rogers <ncrogers@gmail.com>
To: "Derek (freebsd lists)" <482254ac@razorfever.net>
Cc: freebsd-pf@freebsd.org
Date: Tue, 8 Sep 2015 10:55:50 -0700
Subject: Re: pf, rdr, & anchors - broken or PEBKAC
In-Reply-To: <55EF1ECA.3080508@razorfever.net>
On Tue, Sep 8, 2015 at 10:45 AM, Derek (freebsd lists) <482254ac@razorfever.net> wrote:

> Hi!
>
> I'm trying to configure a basic layer-3 load balancer (10.2-RELEASE). I
> initially started down this path with relayd from ports, as it seems to do
> what I need, very succinctly.
>
> What I've stumbled upon - I hope - is me not knowing how to cause rdr
> statements in anchors to be evaluated, although it appears that this
> functionality is currently broken.
>
> Take this contrived, most-trivial example (where 192.168.0.1 is external,
> and 10.2.2.251 is internal):
>
> /etc/pf.conf:
> rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
>
> sudo pfctl -Fa -f /etc/pf.conf
>
> *everything works as expected*
>
> Now, this time using anchors:
>
> sudo mv /etc/pf.conf /etc/pf.conf-anchor
>
> /etc/pf.conf:
> anchor testing

rdr rules must be in a "rdr-anchor". "anchor" is for filter rules.

> load anchor testing from "/etc/pf.conf-anchor"
>
> sudo pfctl -Fa -f /etc/pf.conf
>
> gives TCP RSTs when connecting to port 80. Additionally
>
> sudo pfctl -a testing -vvs nat:
> @0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
>   [ Evaluations: 0         Packets: 0         Bytes: 0         States: 0     ]
>   [ Inserted: uid 0 pid 56764 State Creations: 0     ]
>
> So identical rulesets, one loaded as an anchor: never evaluated, the other
> loaded into the main ruleset directly: works fine.
>
> Is this broken, or am I missing something?
>
> Thanks!
> Derek
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
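The corrected ruleset for the scenario in the thread, written out here as an added illustration (it is not code posted by either participant). It keeps Derek's addresses and file names and applies Nick's point: on FreeBSD 10.2's pf an anchor holds separate rule sets for translation (nat, rdr, binat) and filter rules, and "load anchor" only fills the anchor; each rule type is attached to the main ruleset by its own statement, so an anchor that contains rdr rules must be referenced with "rdr-anchor", or those rules are loaded but never evaluated.

```pf
# /etc/pf.conf  (main ruleset; added example using the thread's addresses)
#
# "load anchor" populates the anchor named "testing" but does not evaluate
# it. Translation rules in the anchor are reached only through rdr-anchor;
# filter rules only through anchor. The original config had just "anchor
# testing", so the rdr rule sat in the anchor with Evaluations: 0 and
# port-80 connections hit the firewall host itself (hence the TCP RSTs).

rdr-anchor "testing"                         # attach the anchor's rdr rules
anchor "testing"                             # attach its filter rules (none here; harmless)
load anchor testing from "/etc/pf.conf-anchor"

# /etc/pf.conf-anchor  (anchor contents, unchanged from the thread)
rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251
```

To check the result without touching traffic, run "pfctl -nf /etc/pf.conf" for a syntax-only parse, then load it and watch "pfctl -a testing -vvs nat": once the rdr-anchor line is present, the Evaluations and States counters on the @0 rule advance with each new connection to 192.168.0.1:80, which is the quickest way to tell an attached anchor from one that is merely loaded.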