When using tables in pf (either manually created tables or automatic tables created from macros/rules), and those tables are only being used inside anchors, the tables are not loaded when running "pfctl -f". This causes some problems, especially if you are using macros for groups of addresses, and that group is converted to an automatic table. So the rule inside the anchor works when you only have a few addresses in the macro, but if you add a few more addresses, the rule would point to a table that's not loaded. I see the same behavior on 9.1-RELEASE.

Example with manual table:

# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
block in
anchor "em0" on em0 {
    pass in from <test>
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in from <test> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t test -T show
pfctl: Table does not exist.
# echo "pass in on em0 from <test>" >> /etc/pf.conf
# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
block in
anchor "em0" on em0 {
    pass in from <test>
}
pass in on em0 from <test>
# pfctl -f /etc/pf.conf
# pfctl -sT
test
# pfctl -t test -T show
10.0.0.1
10.0.0.2
10.0.0.3

Example with automatic table:

# cat /etc/pf.conf
block in
anchor "em0" on em0 {
    pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_13de2d31_0> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t __automatic_13de2d31_0 -T show
pfctl: Table does not exist.
# echo "pass in on em0 from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }" >> /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state
# pfctl -sT
__automatic_b3d57307_0
Responsible Changed From-To: freebsd-bugs->freebsd-pf Over to maintainer(s).
Created attachment 151017 [details] pf anchor generated table fix
Created attachment 151030 [details] pf inline anchor optimization fix Loads all generated tables into the ruleset (anchor) where the rules occur.
Created attachment 151074 [details] pf table reference count increment for root tables This places a rule reference count on root tables also, thus making them active. This solves the automatic tables' problem also, but maybe it is desirable to have automatic tables created in the correct ruleset.
Created attachment 151094 [details] pf table keep active flag conditions A more elegant way to solve previous problems: keep a table active when either it has PFR_TFLAG_REFDANCHOR set.
The OpenBSD team has just approved this patch.
Are there any updates regarding this report? OpenBSD has already accepted the patch.
batch change: For bugs that match the following - Status Is In progress AND - Untouched since 2018-01-01. AND - Affects Base System OR Documentation DO: Reset to open status. Note: I did a quick pass but if you are getting this email it might be worthwhile to double check to see if this bug ought to be closed.
This bug is still affecting 11.2 and 12.0 beta. I've tried proposed patch https://bugs.freebsd.org/bugzilla/attachment.cgi?id=151094 and it resolves the problem. It has been accepted by OpenBSD team more than three years ago as mentioned by comment 7 and comment 7.
A commit references this bug:
Author: kp
Date: Thu Nov 8 21:54:40 UTC 2018
New revision: 340265
URL: https://svnweb.freebsd.org/changeset/base/340265
Log:
  pf: Prevent tables referenced by rules in anchors from getting disabled.
  PR: 183198
  Obtained from: OpenBSD
  MFC after: 2 weeks
Changes:
  head/sys/netpfil/pf/pf_table.c
A commit references this bug:
Author: kp
Date: Thu Nov 8 21:56:06 UTC 2018
New revision: 340266
URL: https://svnweb.freebsd.org/changeset/base/340266
Log:
  pf tests: Test PR 183198
  Create a table which is only used inside an anchor, ensure that the table exists.
  PR: 183198
  MFC after: 2 weeks
Changes:
  head/tests/sys/netpfil/pf/Makefile
  head/tests/sys/netpfil/pf/anchor.sh
A commit references this bug:
Author: kp
Date: Thu Nov 22 19:56:50 UTC 2018
New revision: 340775
URL: https://svnweb.freebsd.org/changeset/base/340775
Log:
  MFC r340265:
  pf: Prevent tables referenced by rules in anchors from getting disabled.
  PR: 183198
  Obtained from: OpenBSD
Changes:
  _U stable/12/
  stable/12/sys/netpfil/pf/pf_table.c
A commit references this bug:
Author: kp
Date: Thu Nov 22 19:56:52 UTC 2018
New revision: 340776
URL: https://svnweb.freebsd.org/changeset/base/340776
Log:
  MFC r340265:
  pf: Prevent tables referenced by rules in anchors from getting disabled.
  PR: 183198
  Obtained from: OpenBSD
Changes:
  _U stable/11/
  stable/11/sys/netpfil/pf/pf_table.c
A commit references this bug:
Author: kp
Date: Thu Nov 22 20:00:57 UTC 2018
New revision: 340780
URL: https://svnweb.freebsd.org/changeset/base/340780
Log:
  MFC r340266:
  pf tests: Test PR 183198
  Create a table which is only used inside an anchor, ensure that the table exists.
  PR: 183198
Changes:
  _U stable/12/
  stable/12/tests/sys/netpfil/pf/Makefile
  stable/12/tests/sys/netpfil/pf/anchor.sh
*** Bug 236221 has been marked as a duplicate of this bug. ***