From: Dobri Dobrev
Date: Thu, 20 Jul 2023 22:38:23 +0300
Subject: Overloading to different tables
To: freebsd-pf@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

Hey guys...

Trying to overload to 2 different tables based on conditions; however, pf always matches the bottom rule, no matter what I try.

pass in on ix0 proto tcp from any to XXX.XXX.XX.XX port 2222 tag CONNRATE label "connrate" flags S/SA keep state (source-track rule, max-src-conn-rate 4/1 overload <limit_connrate> flush global, src.track 1)
pass in on ix0 proto tcp from any to XXX.XXX.XX.XX port 2222 tag MAXCONN label "maxconn" flags S/SA keep state (source-track rule, max-src-conn 10, overload <limit_maxconn> flush global, src.track 1)

The idea is to be able to separate IPs that do more than the allowed connections in table 1, and IPs that do more than the allowed conn-rate in table 2.
Problem is - only the 2nd rule is matching.

LABEL COUNTERS:
connrate 40113 0 0 0 0 0 0 0 <- first rule
maxconn 5042 24972 9794870 12239 1789101 12733 8005769 1123

I've tried doing a "match" rule instead of pass; in that case the difference is that the last 3 values are empty (more notably the last one, since it creates the state).

LABEL COUNTERS:
connrate 6205 1688 98156 1688 98156 0 0 0
maxconn 6205 1688 98156 1688 98156 0 0 0

Tried doing match + pass with overload of tagged "X"; that also resulted in the last rule being the one that creates the state (and does the overload to the table).

Any ideas on how to do what I'm trying?
The idea is:
1. to allow a max of 100 connections and, if the IP does more than that, to be placed in the "limit_maxconn" table.
2. to set a connection-rate limit and, for any IP that overreaches it, to be placed in the "limit_connrate" table.

Is there a way to achieve this?

Regards,
D
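Added example, not from the post or from pf itself: a small Python model of the two pf behaviours the counters above are showing. In pf every rule that matches a packet is evaluated (its evaluation counter goes up), but the last matching rule wins unless an earlier one says quick, and only the winning pass rule creates the state. Source tracking, and with it max-src-conn, max-src-conn-rate and overload, hang off the rule that created the state, so one state has one owning rule and that rule names one overload table. The model replays the two-rule configuration from the post, a quick variant, and a single rule carrying both limits. The source address 203.0.113.5, the rule labels and the timing are constructed for the demo; one deliberate simplification is that real pf counts max-src-conn once the three-way handshake completes, while this model counts it at SYN time.

```python
"""Model of pf rule selection and per-rule source tracking (added example, not pf code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

ATTACKER = "203.0.113.5"  # constructed source address (RFC 5737 documentation range)


@dataclass
class Rule:
    label: str
    port: int
    quick: bool = False
    max_src_conn: Optional[int] = None         # concurrent connections per source
    max_src_conn_rate: Optional[tuple] = None  # (connections, seconds)
    overload: Optional[str] = None             # table that receives an offending source
    evaluated: int = 0                         # packets this rule matched (first counter column)
    states: int = 0                            # states this rule created (last counter column)


@dataclass
class PfModel:
    rules: list
    tables: dict = field(default_factory=lambda: defaultdict(set))
    open_conns: dict = field(default_factory=lambda: defaultdict(int))   # (rule, src) -> count
    syn_times: dict = field(default_factory=lambda: defaultdict(deque))  # (rule, src) -> SYN times

    def winning_rule(self, port):
        """Every matching rule is evaluated; the LAST match wins unless a rule is quick."""
        winner = None
        for rule in self.rules:
            if rule.port != port:
                continue
            rule.evaluated += 1
            winner = rule
            if rule.quick:
                break
        return winner

    def new_connection(self, src, port, now):
        """A SYN arrives. The winning rule creates the state and owns the source tracking.
        Simplification: pf checks max-src-conn after the handshake; here it is checked at SYN."""
        rule = self.winning_rule(port)
        if rule is None:
            return None
        rule.states += 1
        key = (rule.label, src)            # source tracking is keyed per rule
        self.open_conns[key] += 1
        exceeded = False
        if rule.max_src_conn is not None and self.open_conns[key] > rule.max_src_conn:
            exceeded = True
        if rule.max_src_conn_rate is not None:
            count, secs = rule.max_src_conn_rate
            window = self.syn_times[key]
            window.append(now)
            while window and window[0] <= now - secs:   # drop SYNs outside the interval
                window.popleft()
            if len(window) > count:
                exceeded = True
        if exceeded and rule.overload:
            self.tables[rule.overload].add(src)          # only the owning rule's table is touched
        return rule.label

    def close_connection(self, src, rule_label):
        self.open_conns[(rule_label, src)] -= 1


def run_burst(pf, n=12, port=2222, gap=0.01):
    """n SYNs from one source inside one second; returns the label that owned each state."""
    return [pf.new_connection(ATTACKER, port, i * gap) for i in range(n)]


def two_rule_config():
    """The layout from the post: two pass rules with identical match criteria."""
    return PfModel([
        Rule("connrate", 2222, max_src_conn_rate=(4, 1), overload="limit_connrate"),
        Rule("maxconn", 2222, max_src_conn=10, overload="limit_maxconn"),
    ])


def quick_first_config():
    """Same two rules with quick on the first: the winner flips, it is still one rule."""
    return PfModel([
        Rule("connrate", 2222, quick=True, max_src_conn_rate=(4, 1), overload="limit_connrate"),
        Rule("maxconn", 2222, max_src_conn=10, overload="limit_maxconn"),
    ])


def single_rule_config():
    """Both limits on one rule: either limit tripping overloads into the one named table."""
    return PfModel([
        Rule("limits", 2222, max_src_conn=10, max_src_conn_rate=(4, 1), overload="limit_src"),
    ])


if __name__ == "__main__":
    pf = two_rule_config()
    run_burst(pf)
    for r in pf.rules:
        print(f"{r.label:9} evaluated={r.evaluated:3} states={r.states:3}")
    print("tables:", {t: sorted(m) for t, m in pf.tables.items() if m})
```

Running the two-rule model reproduces the shape of the first counter listing in the post: the connrate rule's evaluation counter advances on every packet while its states column stays at zero, and only limit_maxconn ever receives the source, because the later identical rule owns every state. Putting quick on the first rule simply swaps which single rule wins; the single-rule variant shows that a rule carrying both limits can still only name one overload table.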