Thread: Loading table data into pf at start-up

Loading table data into pf at start-up
user name
2006-05-29 20:37:58
/etc/rc.d/pf will happily let you load a rules file into pf, but unfortunately won't let you load table data if it doesn't fit on a single line or if you want to store table data in other files for any reason.

pfctl only allows one -f option, so creative use of pf_flags won't help, so I added a configuration variable, pf_tables, and some extra logic in pf_start() to handle it.

pf_tables is a space-separated list of action:table:file tuples, e.g.:
pf_tables="a:idiots4:/etc/pf.idiots4 a:idiots6:/etc/pf.idiots6"

For each tuple, my patched /etc/rc.d/pf runs:

pfctl -T <action> -t <table> -f <file> $pf_flags

I tested that with /etc/rc.d/pf 1.3.2.2, and it works fine under 5.4-RELEASE-p14. If there's any interest, I can supply a patch against 1.3.2.2, or (if there's any interest) an untested patch against 1.12 (no -HEAD running here, so I can't test it).

Suggestions/Comments/"Go file a PR" requests all welcome.

(please cc me on list replies - I don't follow it regularly)
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
Loading table data into pf at start-up
user name
2006-05-29 20:51:43
On Mon, May 29, 2006 at 03:37:58PM -0500, PauAmma wrote:
> /etc/rc.d/pf will happily let you load a rules file into pf, but
> unfortunately won't let you load table data if it doesn't fit on a single
> line or if you want to store table data in other files for any reason.
> 
> pfctl only allows one -f option, so creative use of pf_flags won't help,
> so I added a configuration variable, pf_tables, and some extra logic in
> pf_start() to handle it.
> 
> pf_tables is a space-separated list of action:table:file tuples, eg:
> pf_tables="a:idiots4:/etc/pf.idiots4 a:idiots6:/etc/pf.idiots6"
What's the problem with a ruleset like
table <abuse_ssh> persist file "/etc/pf-abuse_ssh"
table <goodguys> persist file "/etc/goodguys"

I have this, and it works jolly good.

So, what's the trouble with this?

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu
PGP: http://phoemix.harmless.hu/phoemix.pgp

Weenies test. Geniuses solve problems that arise.
Loading table data into pf at start-up
user name
2006-05-29 21:14:34
On Monday 29 May 2006 22:37, PauAmma wrote:
> /etc/rc.d/pf will happily let you load a rules file into pf, but
> unfortunately won't let you load table data if it doesn't fit on a single
> line or if you want to store table data in other files for any reason.

From pf.conf(5):
  table <spam> persist file "/etc/spammers" file "/etc/openrelays"

Too easy?

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
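As an added example (not from the thread or from the FreeBSD rc scripts), here is the pf.conf(5) form that Max Laier points to, with tables loaded from one or more files and rules that use them; the interface name, table names and file paths are assumed for illustration:

```pf
# Added example: tables filled from files via the pf.conf "file" keyword,
# which replaces the pf_tables/pfctl -T wrapper discussed above.
# Interface, table names and paths are assumptions for illustration.
#
# Each file holds one address or network per line; '#' starts a comment:
#   /etc/pf/abuse_ssh
#     192.0.2.17          # a single host (documentation range)
#     198.51.100.0/24     # a whole network
#
# "persist" keeps a table in the kernel even when no rule references it,
# so it can be refreshed with pfctl without reloading the whole ruleset.

ext_if = "em0"

# One table may be built from several files, as in the pf.conf(5) example.
table <abuse_ssh> persist file "/etc/pf/abuse_ssh"
table <spammers>  persist file "/etc/pf/spammers" file "/etc/pf/openrelays"
table <goodguys>  persist file "/etc/pf/goodguys"

# Drop and log anything from known SSH abusers before any other rule.
block in log quick on $ext_if from <abuse_ssh> to any

# Refuse mail from listed spam sources and open relays.
block in log quick on $ext_if proto tcp from <spammers> to any port smtp

# Allow SSH only from the trusted list.
pass  in quick on $ext_if proto tcp from <goodguys> to any port ssh keep state
```

After loading, `pfctl -t abuse_ssh -T show` lists the table's contents, and `pfctl -t abuse_ssh -T replace -f /etc/pf/abuse_ssh` refreshes it from the file without touching the ruleset.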
Loading table data into pf at start-up
user name
2006-05-29 21:21:06
On Mon, 29 May 2006, Gergely CZUCZY wrote:

> what's the problem with a ruleset like
> table <abuse_ssh> persist file "/etc/pf-abuse_ssh"
> table <goodguys> persist file "/etc/goodguys"

Er, nothing wrong with it, only with me for failing to spot it despite repeated readings of pf.conf(5) and eventually deciding to reinvent the wheel. D'uh.

Thanks for pointing it out to me.
Loading table data into pf at start-up
user name
2006-05-29 21:39:03
On Mon, 29 May 2006, Max Laier wrote:

>
> From pf.conf(5):
>  table <spam> persist file "/etc/spammers" file "/etc/openrelays"
>
> Too easy?

Too obvious in the doc for me to spot, I guess. :-( *pries foot from mouth, wipes egg off face*