
Re: dynamically updating anchors via pfctl

On Sun, Jan 04, 2004 at 07:49:58PM +0100, Friso Seyferth wrote:
> is it correct that you have to reload the ruleset after adding a rule to 
> an anchor like this?
No, that shouldn't be required.
> it's the only way that it seems to work, just adding the rule without 
> reloading /flushing does nothing...
Run pfctl -vvsn and pfctl -a allownat -vvsn before reloading the nat
anchor, then reload it and open a connection that's supposed to match the
nat rule in the anchor. Then re-run pfctl -vvsn and pfctl -a allownat
-vvsn. That will tell us whether evaluation counters increase as
expected. Is the evaluation counter of the nat-anchor allownat rule in
the main ruleset increasing, but not the evaluation counter of the nat rule
within the anchor?
How do you deduce the new anchor rules 'don't work'? The nat rule is not
applied, even though it should match? And just reloading the main
ruleset causes the nat rule to be applied to the very same connection
once you reload the main ruleset?
Is pfctl -F all required in your workaround, or does just pfctl -N -f
/etc/pf.conf have the same effect, too? Note that changed rulesets
(including anchors) have no effect on established connections (existing
state entries), so if you need -F all (includes -F states, flushing
existing state entries), this might be just a misunderstanding.
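The counter comparison the reply asks for, as an added example that is not part of the original thread: a small POSIX shell script that pulls the `Evaluations:` counter out of `pfctl -vvsn` style output for a given rule, computes the before/after delta, and reports which of the two rules (the `nat-anchor "allownat"` rule in the main ruleset, or the `nat` rule inside the anchor) was actually evaluated by the test connection. The `pfctl` output embedded below is constructed sample data so the script runs on a box without pf; the interface, address and anchor rule text are assumptions, and on a real system you would capture the four snapshots with `pfctl -vvsn` and `pfctl -a allownat -vvsn` before and after opening the connection.

```shell
#!/bin/sh
# Added example (not from the thread): interpret pf rule evaluation
# counters before/after a test connection. Constructed sample output only.

# --- constructed samples of `pfctl -vvsn` (main ruleset) -----------------
BEFORE_MAIN='@0 nat-anchor "allownat" all
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]'
AFTER_MAIN='@0 nat-anchor "allownat" all
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]'

# --- constructed samples of `pfctl -a allownat -vvsn` (anchor ruleset) ----
# interface fxp0, 10.0.0.0/24 and 192.0.2.1 are assumed example values
BEFORE_ANCHOR='@0 nat on fxp0 inet from 10.0.0.0/24 to any -> 192.0.2.1
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]'
AFTER_ANCHOR_OK='@0 nat on fxp0 inet from 10.0.0.0/24 to any -> 192.0.2.1
  [ Evaluations: 1         Packets: 1         Bytes: 60          States: 1     ]'
# the symptom described in the thread: anchor rule never evaluated
AFTER_ANCHOR_STUCK="$BEFORE_ANCHOR"

# evals_for OUTPUT RULE_PATTERN
#   prints the Evaluations counter from the "[ Evaluations: ... ]" line
#   that follows the first rule line containing RULE_PATTERN
evals_for() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        found && /Evaluations:/ {
            sub(/.*Evaluations: */, "")   # drop everything up to the number
            sub(/ .*/, "")                # drop everything after the number
            print; exit
        }
        index($0, pat) { found = 1 }
    '
}

# counter_delta BEFORE_OUTPUT AFTER_OUTPUT RULE_PATTERN -> after - before
counter_delta() {
    cd_b=$(evals_for "$1" "$3")
    cd_a=$(evals_for "$2" "$3")
    echo $(( ${cd_a:-0} - ${cd_b:-0} ))
}

# diagnose MAIN_BEFORE MAIN_AFTER ANCHOR_BEFORE ANCHOR_AFTER
#   both-evaluated            : main nat-anchor rule and anchor nat rule both ran
#   anchor-rule-not-evaluated : nat-anchor rule ran, but nothing inside the anchor
#   main-rule-not-evaluated   : the connection never reached the nat-anchor rule
diagnose() {
    main_d=$(counter_delta "$1" "$2" 'nat-anchor "allownat"')
    anchor_d=$(counter_delta "$3" "$4" 'nat on')
    if [ "$main_d" -gt 0 ] && [ "$anchor_d" -gt 0 ]; then
        echo both-evaluated
    elif [ "$main_d" -gt 0 ]; then
        echo anchor-rule-not-evaluated
    else
        echo main-rule-not-evaluated
    fi
}

# Stand-alone run over the constructed samples. On a live system replace the
# variables with files captured via:  pfctl -vvsn > main.before, etc.
echo "healthy case:  $(diagnose "$BEFORE_MAIN" "$AFTER_MAIN" "$BEFORE_ANCHOR" "$AFTER_ANCHOR_OK")"
echo "reported case: $(diagnose "$BEFORE_MAIN" "$AFTER_MAIN" "$BEFORE_ANCHOR" "$AFTER_ANCHOR_STUCK")"
```

If the main counter moves but the anchor counter does not, the anchor is reached but its ruleset is empty or not matching; if neither moves, the connection already had a state entry and was never evaluated against rules at all, which is the `-F states` point made in the reply.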