
Re: Anchors with tables



On Sat, 2005-03-26 at 17:56, Jason Dixon wrote:
> Looking at pf.conf (5), it claims that anchors can "hold rules, address 
> tables, and other anchors".  Unfortunately, neither the man page nor 
> the PF User's Guide give an example of using an anchor to hold address 
> tables.  I've tried this on 3.6 -release, and it does not appear to 
> work:
<--snip-->
> It appears that pfctl assumes that anchors only contain filter rules.  
> Have I stumbled over a bug in either pf.conf (5) or pfctl, or am I 
> doing/assuming something wrong?

dunno if this is a remotely useful response, but the snippets of file
you provided work fine here (on both 3.6-release and the latest
snapshot):

-release machine:
$ uname -a
OpenBSD obiwan 3.6 GENERIC#0 sparc64

-snapshot machine:
$ uname -a
OpenBSD snappy 3.7 GENERIC#50 i386

$ cat pf.conf
ext_if="fxp1"
int_if="fxp0"
pfsync_if="xl0"
anchor pf_labels_tables
load anchor pf_labels_tables from "pf_labels_tables.anchor"

$ cat pf_labels_tables.anchor
table <site1_in> { 10.0.0.101 }
table <site2_in> { 10.0.0.102 }
table <site3_in> { 10.0.0.103 }
table <site4_in> { 10.0.0.104 }
table <site5_in> { 10.0.0.105 }
table <site1_out> { 192.168.0.31 }
table <site2_out> { 192.168.0.32 }
table <site3_out> { 192.168.0.33 }
table <site4_out> { 192.168.0.34 }
table <site5_out> { 192.168.0.35 }

$ pfctl -vvnf pf.conf
Loaded 345 passive OS fingerprints
ext_if = "fxp1"
int_if = "fxp0"
pfsync_if = "xl0"
@0 anchor pf_labels_tables all
warning: macro 'ext_if' not used
warning: macro 'int_if' not used
warning: macro 'pfsync_if' not used
Loading anchor pf_labels_tables from pf_labels_tables.anchor
table <site1_in> { 10.0.0.101 }
table <site2_in> { 10.0.0.102 }
table <site3_in> { 10.0.0.103 }
table <site4_in> { 10.0.0.104 }
table <site5_in> { 10.0.0.105 }
table <site1_out> { 192.168.0.31 }
table <site2_out> { 192.168.0.32 }
table <site3_out> { 192.168.0.33 }
table <site4_out> { 192.168.0.34 }
table <site5_out> { 192.168.0.35 }

all output is from the -release machine, but the -snapshot output is
identical.

my guess is that there's something else going on in the part of the
pf.conf that we haven't seen.

-j
--
"I'm better than dirt. Well, most kinds of dirt... not that fancy
 store-bought dirt... that stuff's loaded with nutrients, I... I
 can't compete with that stuff."
	--The Simpsons