
Anchors with tables



Looking at pf.conf(5), it claims that anchors can "hold rules, address tables, and other anchors". Unfortunately, neither the man page nor the PF User's Guide gives an example of using an anchor to hold address tables. I've tried this on 3.6-release, and it does not appear to work:

<snip /etc/pf.conf>
ext_if="fxp1"
int_if="fxp0"
pfsync_if="xl0"
anchor pf_labels_tables
load anchor pf_labels_tables from "/etc/pf_labels_tables.anchor"
</snip>

# cat /etc/pf_labels_tables.anchor
table <site1_in> { 10.0.0.101 }
table <site2_in> { 10.0.0.102 }
table <site3_in> { 10.0.0.103 }
table <site4_in> { 10.0.0.104 }
table <site5_in> { 10.0.0.105 }
table <site1_out> { 192.168.0.31 }
table <site2_out> { 192.168.0.32 }
table <site3_out> { 192.168.0.33 }
table <site4_out> { 192.168.0.34 }
table <site5_out> { 192.168.0.35 }

# pfctl -nf /etc/pf.conf
/etc/pf.conf:17: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:18: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:20: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:22: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:23: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:24: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:25: Rules must be in order: options, normalization, queueing, translation, filtering
/etc/pf.conf:26: Rules must be in order: options, normalization, queueing, translation, filtering


It appears that pfctl assumes that anchors only contain filter rules. Have I stumbled over a bug in either pf.conf(5) or pfctl, or am I doing/assuming something wrong?

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
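Added example, not part of the post above: whether or not the pf.conf parser on this release accepts table definitions inside a "load anchor" file, pfctl(8) documents -a as applying the -T table commands to the named anchor, so the tables can be attached to the anchor directly with "pfctl -a ANCHOR -t NAME -T add ADDR...", which never goes through the rule parser that produced the "Rules must be in order" errors. The script below turns an anchor file of the same shape as /etc/pf_labels_tables.anchor into those pfctl commands, refuses anything in the file that is not a table definition, and only runs the commands when RUN=1 is set. The anchor name is the post's; the sample file written to /tmp, the RUN variable and the table_cmds function are this example's own constructions (a second address was added to one table to show the list handling), and it assumes pfctl is on PATH and the script is run as root when RUN=1.

```sh
#!/bin/sh
# Added example, not from the original post: load the tables of a
# "load anchor" file into the anchor with pfctl(8) itself, using the
# documented -a/-t/-T combination instead of the pf.conf rule parser.
# Commands are printed for review and only executed when RUN=1 is set
# (assumption: pfctl on PATH, run as root).
set -f   # no pathname expansion on the address lists word-split below

ANCHOR=pf_labels_tables                     # anchor name from the post
ANCHOR_FILE=${ANCHOR_FILE:-/tmp/pf_labels_tables.anchor}   # constructed path

# Constructed sample file mirroring the one in the post (one table given a
# second address to exercise the list handling); written here so the script
# runs on its own.
cat > "$ANCHOR_FILE" <<'EOF'
# tables for the pf_labels_tables anchor
table <site1_in> { 10.0.0.101 }
table <site2_in> { 10.0.0.102 }
table <site1_out> { 192.168.0.31 }
table <site2_out> { 192.168.0.32, 192.168.0.42 }
EOF

# table_cmds ANCHOR FILE
# Print one "pfctl -a ANCHOR -t NAME -T add ADDR..." line per table
# definition in FILE. Anything that is not a table definition (for example a
# filter rule that crept into the file) is an error: a table-only anchor file
# must not smuggle rules past review.
table_cmds() {
    anchor=$1
    file=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                 # blank line or comment
            'table <'*'>'*'{'*'}'*) ;;           # table <name> { a, b }
            *) echo "table_cmds: not a table definition: $line" >&2; return 1 ;;
        esac
        name=${line#table <}
        name=${name%%>*}
        addrs=${line#*\{}
        addrs=${addrs%%\}*}
        # Commas become spaces; word splitting then squeezes the whitespace.
        set -- $(printf '%s' "$addrs" | tr ',' ' ')
        [ $# -gt 0 ] || { echo "table_cmds: empty table <$name>" >&2; return 1; }
        echo "pfctl -a $anchor -t $name -T add $*"
    done < "$file"
}

# Dry run: show what would be loaded; with RUN=1, actually load it.
table_cmds "$ANCHOR" "$ANCHOR_FILE" || exit 1
if [ "${RUN:-0}" = 1 ]; then
    table_cmds "$ANCHOR" "$ANCHOR_FILE" | sh -e
    # Check the result from the kernel's side rather than trusting the file.
    pfctl -a "$ANCHOR" -s Tables
fi
```

Run it once without RUN to read the generated commands, then with RUN=1 to load them; the closing "pfctl -a pf_labels_tables -s Tables" lists what the anchor now holds, which is the check the -nf parse run in the post could not give.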