Toomas Pelberg wrote:
> On Tue, 2007-08-14 at 17:13 -0700, Jon Simola wrote:
>> On 8/14/07, Toomas Pelberg <toomas detalem.cq.hk> wrote:
>>> pfctl man page says:
>>>
>>> -i interface
>>> Restrict the operation to the given interface.
>>>
>>> ..what exactly is meant under the word "operation" ?
>> This would be one of those things that is obvious once you've seen an example
>> and thought about it for a while.
>>
>> $sudo pfctl -si |grep -A1 State
>> State Table Total Rate
>> current entries 34056
>> $sudo pfctl -i vlan170 -ss |wc -l
>> 1172
>
> So -i only works in combination with -s ? If so, I think it should be
> mentioned in the man page.
I have not tested this but what happens if you try to load the following
rule set with the pfctl -i lo1 -f rules
pass on lo0 all
block on lo1 all
If the output of 'pfctl -srules' shows both rules then the -i flag has
no effect on the operation of the -f flag.
Tom
>
>> In this case, only show states bound to the vlan170 interface.
>>
>>> My problem: I want to load a different ruleset for each interface
>>> ( jails ) and not care about what's in the ruleset as long as it doesn't
>>> affect anything outside the jail ( which is bound to a specific ip on a
>>> separate interface )
>> You probably want to look into anchors.
>
> While I can use an anchor to limit to the interface, it's a rather ugly
> hack.
> Care to show an elegant solution how to anchor an unspecified number of
> user rules?
>
> I could just as well pass over the supplied ruleset with a perl script
> that skips any rules not starting with pass/block in/out on jail_interface.
>
> pfctl -i & -f combo would've been great for this purpose.
>
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribe freebsd.org"
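The filtering approach Toomas describes (drop every rule that is not "pass/block in/out on jail_interface") combined with Jon's anchor suggestion, written out as an added example. This is not code from the thread or from the pf project; it assumes the jail interface name is passed as the first argument, that pf.conf contains an `anchor "jail/*"` line, and the sample ruleset below is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): keep only the rules of an untrusted
# per-jail ruleset that are pinned to the jail's own interface, so the
# result can be loaded into a per-jail anchor without touching anything
# outside the jail.  Assumes pf.conf already contains:  anchor "jail/*"

# Print only lines of the form "pass|block in|out on <iface> ...".  Comments
# and blank lines are skipped; everything else (other interfaces, rules with
# no interface, nat/rdr, options) is reported on stderr and dropped.
filter_jail_rules() {
    awk -v ifc="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^(pass|block)$/ && $2 ~ /^(in|out)$/ && $3 == "on" && $4 == ifc { print; next }
        { printf "rejected: %s\n", $0 > "/dev/stderr" }
    '
}

# Number of rules the filter would drop, so a caller can refuse a ruleset
# that reaches outside the jail instead of silently trimming it.
count_rejected() {
    filter_jail_rules "$1" 2>&1 >/dev/null | grep -c '^rejected: ' || true
}

# Constructed sample: what a jail owner might hand us for interface lo1.
SAMPLE_RULES='# jail lo1 rules
pass in on lo1 proto tcp to port 22
block out on lo1 all

pass in on lo0 all
block in all
nat on em0 from 10.0.0.0/8 to any -> (em0)'

demo()          { printf '%s\n' "$SAMPLE_RULES" | filter_jail_rules lo1; }
demo_rejected() { printf '%s\n' "$SAMPLE_RULES" | count_rejected lo1; }

# Loading the surviving rules into the jail's anchor (not run here):
#   filter_jail_rules lo1 < rules.lo1 | pfctl -a "jail/lo1" -f -
```

Running `demo` keeps the two lo1 rules and reports the lo0 rule, the interface-less `block in all` and the nat rule as rejected; `demo_rejected` prints 3. The match is deliberately strict: a rule with `log` or `quick` between the direction and `on` is rejected too, so a jail owner cannot slip an unscoped rule past the check by reordering keywords.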