dynamically adding labels/rules
Max Laier
max at love2party.net
Wed Mar 7 17:02:07 UTC 2007
On Wednesday 07 March 2007 11:05, Frans Haarman wrote:
> I am also having some troubles with labels, it seems I can't add more than
> one label per anchor rule!
>
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.2 35 0 0
>
> DEVEL# echo 'pass in from any to 10.200.4.0/24 label "10.200.4"' |
> pfctl -qa tun0-rules -f -
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.4 15 0 0
>
> DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' |
> pfctl -qa tun0-rules -f -
> DEVEL# pfctl -qa tun0-rules -s l
> 10.200.2 14 0 0
The problem is that you don't add to the anchor as you seem to believe, you
*replace* the ruleset in the anchor. I think you also want to use
the "name/*" syntax to be able to add more than one ruleset to the anchor
point. Then you can issue commands like:
DEVEL# echo 'pass in from any to 10.200.2.0/24 label "10.200.2"' |
pfctl -qa tun0-rules/10.200.2 -f -
DEVEL# echo 'pass in from any to 10.200.3.0/24 label "10.200.3"' |
pfctl -qa tun0-rules/10.200.3 -f -
DEVEL# pfctl -vsA
tun0-rules
tun0-rules/10.200.2
tun0-rules/10.200.3
DEVEL# pfctl -qa tun0-rules/10.200.2 -s l
10.200.2 14 0 0
DEVEL# pfctl -qa tun0-rules/10.200.3 -s l
10.200.3 14 0 0
> DEVEL# uname -a
> FreeBSD DEVEL 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56
> UTC 2006 root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386
>
> So the label gets overwritten. Is this normal/expected behaviour ?
No, the *ruleset* is overwritten. And: Yes, this is expected behavior.
Anchors work exactly like the main ruleset.
echo "pass all" | pfctl -f-
echo "block all" | pfctl -f-
pfctl -vsr
...
No different from:
echo "pass all" | pfctl -a foo -f-
echo "block all" | pfctl -a foo -f-
pfctl -a foo -vsr
...
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
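Added example, not part of Max's reply or of the pf project: a small POSIX sh helper that wraps the "one sub-anchor per subnet" approach from the message above. The anchor point name (tun0-rules) and the label/subnet values are the thread's own; the function names, the `PFCTL` override variable and the label check are this example's assumptions. It assumes the main ruleset already carries a line such as `anchor "tun0-rules/*" on tun0`, so that every sub-anchor loaded below tun0-rules is evaluated. Because `pfctl -f` replaces the ruleset of the anchor it is pointed at, loading each subnet into its own sub-anchor (tun0-rules/10.200.2, tun0-rules/10.200.3, ...) leaves the sibling sub-anchors and their labels untouched, which is exactly the failure the original poster ran into when loading everything into tun0-rules itself.

```shell
#!/bin/sh
# Added example (not from the thread or pf): one sub-anchor per subnet
# below tun0-rules/*, so loading one subnet never replaces another.
# Assumes the main ruleset contains:   anchor "tun0-rules/*" on tun0
# Helper names and the PFCTL override are this example's own.

PFCTL=${PFCTL:-pfctl}      # point at a wrapper/stub for dry runs
ANCHOR_BASE=tun0-rules     # anchor point name taken from the thread

# Sub-anchor path for a label. A label containing '/' would create a
# deeper anchor, whitespace or quotes would break the one-line rule,
# so those are rejected (returns 1, prints nothing).
anchor_path_for() {
    label=$1
    case $label in
        ''|*/*|*[[:space:]]*|*'"'*) return 1 ;;
    esac
    printf '%s/%s\n' "$ANCHOR_BASE" "$label"
}

# The single rule that goes into a subnet's sub-anchor, with the label
# that pfctl -sl later reports per-subnet counters under.
rule_for_subnet() {
    net=$1; label=$2
    printf 'pass in from any to %s label "%s"\n' "$net" "$label"
}

# Load (or reload) one subnet. -f replaces only this sub-anchor's
# ruleset; sibling sub-anchors keep their rules and counters.
load_subnet_anchor() {
    net=$1; label=$2
    path=$(anchor_path_for "$label") || {
        printf 'bad label: %s\n' "$label" >&2
        return 1
    }
    rule_for_subnet "$net" "$label" | "$PFCTL" -qa "$path" -f -
}

# Remove one subnet by flushing the rules of its sub-anchor only.
remove_subnet_anchor() {
    label=$1
    path=$(anchor_path_for "$label") || return 1
    "$PFCTL" -qa "$path" -F rules
}

# Show every sub-anchor below tun0-rules with its labels and counters
# (same -vsA / -sl output as in the message above).
show_subnet_anchors() {
    for path in $("$PFCTL" -vsA | grep "^$ANCHOR_BASE/"); do
        printf '== %s\n' "$path"
        "$PFCTL" -qa "$path" -sl
    done
}

# Usage: sh anchors.sh load 10.200.2.0/24 10.200.2
#        sh anchors.sh remove 10.200.2
#        sh anchors.sh show
case ${1-} in
    load)   load_subnet_anchor "$2" "$3" ;;
    remove) remove_subnet_anchor "$2" ;;
    show)   show_subnet_anchors ;;
esac
```

Setting `PFCTL` to a stub that just echoes its stdin and arguments is a convenient way to check what would be loaded before touching a live firewall.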