From: "Derek (freebsd lists)" <482254ac@razorfever.net>
To: freebsd-pf@freebsd.org
Subject: pf, rdr, & anchors - broken or PEBKAC
Date: Tue, 8 Sep 2015 13:45:46 -0400
Hi!

I'm trying to configure a basic layer-3 load balancer (10.2-RELEASE). I initially started down this path with relayd from ports, as it seems to do what I need, very succinctly.

What I've stumbled upon - I hope - is me not knowing how to cause rdr statements in anchors to be evaluated, although it appears that this functionality is currently broken.

Take this contrived, most-trivial example (where 192.168.0.1 is external, and 10.2.2.251 is internal):

/etc/pf.conf:

    rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251

    sudo pfctl -Fa -f /etc/pf.conf

*everything works as expected*

Now, this time using anchors:

    sudo mv /etc/pf.conf /etc/pf.conf-anchor

/etc/pf.conf:

    anchor testing
    load anchor testing from "/etc/pf.conf-anchor"

    sudo pfctl -Fa -f /etc/pf.conf

gives TCP RSTs when connecting to port 80. Additionally:

    sudo pfctl -a testing -vvs nat
    @0 rdr inet proto tcp from any to 192.168.0.1 port = http -> 10.2.2.251
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 56764 State Creations: 0     ]

So identical rulesets: one loaded as an anchor, never evaluated; the other loaded into the main ruleset directly, works fine.

Is this broken, or am I missing something?

Thanks!
Derek
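An added example, not part of Derek's message: the anchor-based ruleset from the post placed beside a variant that also declares rdr-anchor, which pf.conf(5) on FreeBSD 10.x provides for attaching an anchor to the translation (nat/rdr/binat) section, where a plain anchor statement attaches it to the filter section only. Addresses, anchor name and file paths are the ones from the post; the rdr-anchor line and the filter-section assumption are the additions.

```pf
# /etc/pf.conf -- as posted: only a filter-section anchor is declared.
# 'anchor' hooks the anchor into packet filtering, so the rdr rule
# loaded into "testing" has no translation hook and keeps reporting
# "Evaluations: 0" in 'pfctl -a testing -vvs nat'.
anchor "testing"
load anchor testing from "/etc/pf.conf-anchor"

# /etc/pf.conf -- same anchor, with the translation hook added.
# pf.conf(5) on FreeBSD 10.x keeps translation rules in their own
# section ahead of filter rules; anchors are attached to that section
# with nat-anchor / rdr-anchor / binat-anchor. One anchor may hold both
# rule types, and each hook evaluates only the rules of its own type.
rdr-anchor "testing"
anchor "testing"
load anchor testing from "/etc/pf.conf-anchor"

# /etc/pf.conf-anchor -- unchanged from the post. The rewritten packet
# (now addressed to 10.2.2.251) still has to be passed by the filter
# rules; with no block rules loaded, pf's default is to pass it.
rdr inet proto tcp from any to 192.168.0.1 port http -> 10.2.2.251

# Load, then confirm the Evaluations counter moves (commands from the post):
#   sudo pfctl -Fa -f /etc/pf.conf
#   sudo pfctl -a testing -vvs nat
```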