Date:      Wed, 18 May 2016 09:24:09 +0200
From:      Niklaas Baudet von Gersdorff <stdin@niklaas.eu>
To:        freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Subject:   `echo <something> | pfctl -mf -` overriding instead of modifying
Message-ID:  <20160518072409.GD99839@box-fra-01.niklaas.eu>

Note: crossposting in freebsd-questions and freebsd-pf

On a 10.3-RELEASE system, in my `/etc/pf.conf` I have the following lines:

    ext_if="vtnet0"
    ...
    rdr-anchor "jails/*" on $ext_if inet to $ext_if

In my `/etc/jail.conf` I have the following lines for some jail:

    exec.poststart += "echo 'rdr pass on vtnet0 inet  proto { udp tcp } to vtnet0 port domain ->   $private_ip4' | pfctl -a 'jails/$name' -f -";
    exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain ->   $private_ip6' | pfctl -a 'jails/$name' -mf -";

Nonetheless, if I start the jail, only the inet6 rules will stay in the
appropriate anchor. The inet rules will be overridden.

Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and
realised that making changes to the anchor overrides existing rules. So
I read pfctl(8) where it says

     -m      Merge in explicitly given options without resetting those
     which are omitted.  Allows single options to be modified without
     disturbing the others:

        # echo "set loginterface fxp0" | pfctl -mf -

So I thought that adding `-m` to the rule in the second `exec.poststart`
would include (instead of replace) the rules in the anchor. But this is
not the case. What am I doing wrong? Do I misunderstand `-m`?
    
    Niklaas
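An added example (not part of Niklaas's post): a small sh script that emits the complete rdr ruleset for one jail and hands it to a single `pfctl -a jails/<name> -f -` run, so the inet and inet6 rules are loaded together instead of in two separate loads. It assumes what the quoted pfctl(8) text says, namely that `-m` merges `set` options only, and that each `-f` load into an anchor replaces that anchor's previous rules; the jail name, addresses and script path used below are hypothetical.

```shell
#!/bin/sh
# Load a jail's rdr rules into its pf anchor in ONE pfctl -f run.
# Assumption (from pfctl(8)): `pfctl -a <anchor> -f -` replaces the whole
# anchor, and -m only merges `set` options, not rules. Two separate loads
# therefore keep only the second one; one combined load keeps both.

ext_if="vtnet0"   # external interface from the poster's pf.conf

# Emit every rdr rule the anchor should hold, one per line.
# Args: jail name, private IPv4 (may be empty), private IPv6 (may be empty).
jail_rdr_rules() {
    name=$1; ip4=$2; ip6=$3
    if [ -n "$ip4" ]; then
        printf 'rdr pass on %s inet  proto { udp tcp } to %s port domain -> %s\n' \
            "$ext_if" "$ext_if" "$ip4"
    fi
    if [ -n "$ip6" ]; then
        printf 'rdr pass on %s inet6 proto { udp tcp } to %s port domain -> %s\n' \
            "$ext_if" "$ext_if" "$ip6"
    fi
    return 0
}

# Number of rules the anchor will receive (handy for a post-load check).
jail_rdr_count() {
    jail_rdr_rules "$1" "$2" "$3" | grep -c '^rdr pass'
}

# Replace the anchor's contents with the full ruleset, then print what
# the anchor now holds so the load can be verified (requires root + pf).
load_jail_anchor() {
    name=$1
    jail_rdr_rules "$name" "$2" "$3" | pfctl -a "jails/$name" -f -
    pfctl -a "jails/$name" -sn
}

# Hypothetical jail.conf usage, replacing the two exec.poststart lines:
#   exec.poststart += "/usr/local/sbin/jail-rdr.sh $name $private_ip4 $private_ip6";
# Only run the loader when invoked with arguments, so sourcing is harmless.
if [ $# -eq 3 ]; then
    load_jail_anchor "$1" "$2" "$3"
fi
```

Running `pfctl -a jails/<name> -sn` after the load should list both rules; if only one appears, the ruleset reached the anchor in more than one `-f` pass.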


