Discussion:
`echo <something> | pfctl -mf -` overriding instead of modifying
Niklaas Baudet von Gersdorff
2016-05-18 07:24:09 UTC
Note: crossposting in freebsd-questions and freebsd-pf

On a 10.3-RELEASE system, in my `/etc/pf.conf` I have the following lines:

ext_if="vtnet0"
...
rdr-anchor "jails/*" on $ext_if inet to $ext_if

In my `/etc/jail.conf` I have the following lines for some jail:

exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";
exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";

Nonetheless, if I start the jail, only the inet6 rules will stay in the
appropriate anchor. The inet rules will be overridden.

Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and
realised that making changes to the anchor overrides existing rules. So
I read pfctl(8) where it says

-m Merge in explicitly given options without resetting those
which are omitted. Allows single options to be modified without
disturbing the others:

# echo "set loginterface fxp0" | pfctl -mf -

So I thought that adding `-m` to the rule in the second `exec.poststart`
will include (instead of replace) the rules into the anchor. But this is
not the case. What am I doing wrong? Do I misunderstand `-m`?

Niklaas
Dewayne Geraghty
2016-05-18 07:46:57 UTC
Niklaas,
Would you please reverse the order and advise? That is try:
exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";
exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";

Regards, Dewayne.
Niklaas Baudet von Gersdorff
2016-05-18 08:23:32 UTC
Post by Dewayne Geraghty
Niklaas,
exec.poststart += "echo 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> $private_ip6' | pfctl -a 'jails/$name' -mf -";
exec.poststart += "echo 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> $private_ip4' | pfctl -a 'jails/$name' -f -";
If I reverse the order, it is only the last redirect that is applied (in this
case inet). The same things happen if I use `-mf -` for the second entry in the
example above.

Niklaas
Niklaas Baudet von Gersdorff
2016-05-26 11:46:45 UTC
Niklaas Baudet von Gersdorff [2016-05-18 09:24 +0200] :

[...]
Post by Niklaas Baudet von Gersdorff
Initially, I only used the `-f -` flags for pfctl (instead of `-mf -`) and
realised that making changes to the anchor overrides existing rules. So
I read pfctl(8) where it says
-m Merge in explicitly given options without resetting those
which are omitted. Allows single options to be modified without
# echo "set loginterface fxp0" | pfctl -mf -
So I thought that adding `-m` to the rule in the second `exec.poststart`
will include (instead of replace) the rules into the anchor. But this is
not the case. What am I doing wrong? Do I misunderstand `-m`?
I clearly misunderstood -m. It says that it merges "given *options*
without resetting those which are omitted" i.e., options and not rules.
No wonder that it's not working.

I will recheck pfctl(8) but I assume that there is no other way than
inserting the rules in question in a one-liner -- or using different
anchors like jails/$name-ipv4 and jails/$name-ipv6.

Niklaas
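The "one-liner" approach from the last post, written out as an added example (not code from the thread): since `-f` replaces the anchor's ruleset and `-m` only merges options, both rules are generated together and loaded with a single `pfctl -a 'jails/$name' -f -`. It assumes jail.conf calls the script as `exec.poststart += "/usr/local/sbin/jail-rdr.sh $name $private_ip4 $private_ip6";` (hypothetical path) and that `rdr-anchor "jails/*"` is declared in pf.conf as in the first post; `LOADER` is an assumed hook so the script can be exercised without pf.

```shell
#!/bin/sh
# Added example: load a jail's IPv4 and IPv6 rdr rules into its anchor in
# one pfctl run, so the second rule does not replace the first.
# Usage (assumed, from jail.conf): jail-rdr.sh <jailname> <ip4> <ip6>

# Emit the complete ruleset for one jail on stdout. An empty address
# simply omits that family's rule.
jail_rdr_rules() {
    name=$1; ip4=$2; ip6=$3
    if [ -n "$ip4" ]; then
        printf 'rdr pass on vtnet0 inet proto { udp tcp } to vtnet0 port domain -> %s\n' "$ip4"
    fi
    if [ -n "$ip6" ]; then
        printf 'rdr pass on vtnet0 inet6 proto { udp tcp } to vtnet0 port domain -> %s\n' "$ip6"
    fi
    return 0
}

# Replace the anchor's rules with the full generated set in a single load.
# LOADER (assumed hook) defaults to the real pfctl command; set it to "cat"
# to inspect or test the generated rules without touching pf.
load_jail_anchor() {
    name=$1; ip4=$2; ip6=$3
    loader=${LOADER:-"pfctl -a jails/$name -f -"}
    jail_rdr_rules "$name" "$ip4" "$ip6" | $loader
}

# Only run when invoked directly with arguments (not when sourced for tests).
if [ "$#" -ge 1 ]; then
    load_jail_anchor "$1" "$2" "$3"
fi
```

The constructed addresses in the test are placeholders; on a real host pass the jail's `$private_ip4`/`$private_ip6` values as in the original jail.conf.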
