Discussion:
Pf tables and ruleset optimizations
Heinrich Rebehn
2021-05-31 08:32:56 UTC
Hi list,

My /etc/pf.conf contains a table which is initialized from a file:

table <myservers> file "/root/pf/tables/myservers"

This table is not referred to in pf.conf, but in an anchor which is loaded later on.
I found out that even when the anchor is loaded, the table does not exist.

# pfctl -t myservers -T show
pfctl: Table does not exist
# pfctl -sT
private
rtun0
rtun1
trusted

If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I use

set ruleset-optimization none

it doesn’t.

Is this expected behavior?

Also rcctl(8) does not allow setting flags for pf

# rcctl set pf flags "-o none"
rcctl: "pf" is a special variable, cannot "set flags"

Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o none -f /etc/pf.conf" to rc.local

Any thoughts?

-Heinrich
Otto Moerbeek
2021-05-31 09:03:44 UTC
Post by Heinrich Rebehn
Hi list,
table <myservers> file "/root/pf/tables/myservers"
This table is not referred to in pf.conf, but in an anchor which is loaded later on.
I found out that even when the anchor is loaded, the table does not exist.
See the "persist" keyword in pf.conf.

-Otto
Post by Heinrich Rebehn
# pfctl -t myservers -T show
pfctl: Table does not exist
# pfctl -sT
private
rtun0
rtun1
trusted
If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I use
set ruleset-optimization none
it doesn’t.
Is this expected behavior?
Also rcctl(8) does not allow setting flags for pf
# rcctl set pf flags "-o none"
rcctl: "pf" is a special variable, cannot "set flags"
Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o none -f /etc/pf.conf" to rc.local
Any thoughts?
-Heinrich
Heinrich Rebehn
2021-05-31 09:18:35 UTC
Post by Otto Moerbeek
Post by Heinrich Rebehn
Hi list,
table <myservers> file "/root/pf/tables/myservers"
This table is not referred to in pf.conf, but in an anchor which is loaded later on.
I found out that even when the anchor is loaded, the table does not exist.
See the "persist" keyword in pf.conf.
-Otto
Thanks, I should have known that. For some reason I figured that initializing from a file would include “persist”, but that is nonsense.

-Heinrich
Post by Otto Moerbeek
Post by Heinrich Rebehn
# pfctl -t myservers -T show
pfctl: Table does not exist
# pfctl -sT
private
rtun0
rtun1
trusted
If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I use
set ruleset-optimization none
it doesn’t.
Is this expected behavior?
Also rcctl(8) does not allow setting flags for pf
# rcctl set pf flags "-o none"
rcctl: "pf" is a special variable, cannot "set flags"
Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o none -f /etc/pf.conf" to rc.local
Any thoughts?
-Heinrich
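The two table declarations side by side, as an added example rather than the poster's actual configuration: the first is dropped at load time because nothing in pf.conf itself references it, the second is kept by "persist" so the anchor loaded afterwards can use it. The anchor name "hosted", its file path and the filter rules are assumptions.

```pf
# /etc/pf.conf (added example; paths other than the table file are assumed)

# Before: declared here, but no rule in this file uses it. The anchor
# loaded later is the only consumer, so by then the table is gone and
# "pfctl -t myservers -T show" answers "Table does not exist".
#table <myservers> file "/root/pf/tables/myservers"

# After: "persist" tells the kernel to keep the table even while no rule
# refers to it, so the separately loaded anchor finds it. The
# "pfctl -o none" / ruleset-optimization workaround is no longer needed.
table <myservers> persist file "/root/pf/tables/myservers"

set skip on lo
block return log
pass out quick inet proto tcp to port { 22 80 443 }

# Empty anchor in the main ruleset (name assumed); its rules live in
# /etc/pf.anchors/hosted and are loaded later with:
#   pfctl -a hosted -f /etc/pf.anchors/hosted
anchor "hosted"

# Contents of /etc/pf.anchors/hosted (assumed), referencing the table:
#   pass in quick inet proto tcp from <myservers> to port 22

# Checks after "pfctl -f /etc/pf.conf":
#   pfctl -sT                        # now lists "myservers"
#   pfctl -t myservers -T show       # prints the addresses from the file
#   pfctl -a hosted -sr              # shows the anchor rules once loaded
```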
Bounlieng PITTIKOUN - ecedi
2021-05-31 09:25:06 UTC
passioncereales, fdhdp, icm, if.

afm and sidaction probably too, if they are VMs.
That said, the flaw concerns specific versions of VMware components; I don't know which version runs these VMs.
Post by Heinrich Rebehn
Post by Otto Moerbeek
Post by Heinrich Rebehn
Hi list,
table <myservers> file "/root/pf/tables/myservers"
This table is not referred to in pf.conf, but in an anchor which is loaded later on.
I found out that even when the anchor is loaded, the table does not exist.
See the "persist" keyword in pf.conf.
-Otto
Thanks, I should have known that. For some reason I figured that initializing
from a file would include “persist”, but that is nonsense.
-Heinrich
Post by Otto Moerbeek
Post by Heinrich Rebehn
# pfctl -t myservers -T show
pfctl: Table does not exist
# pfctl -sT
private
rtun0
rtun1
trusted
If I load pf with "# pfctl -o none -f /etc/pf.conf", the table appears. If I use
set ruleset-optimization none
it doesn’t.
Is this expected behavior?
Also rcctl(8) does not allow setting flags for pf
# rcctl set pf flags "-o none"
rcctl: "pf" is a special variable, cannot "set flags"
Workarounds would be setting the flag in /etc/rc.conf.local or adding "pfctl -o none -f /etc/pf.conf" to rc.local
Any thoughts?
-Heinrich