I found out PF's ruleset optimization spoils rule into anchor. It replaces list of addresses with autotable but doesn't create this one, so rule doesn't work. I tested with the following configs: # uname -a FreeBSD test 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC amd64 # cat /etc/pf.conf table <User2> persist { 10.10.12.49 } table <NatFrom> persist { 10.10.12.49/24 } nat on em0 from <NatFrom> to any -> { 192.168.170.199 } anchor user_profiles in on { em1 } { anchor User2 from <User2> { block quick log from <User2> to {87.250.250.242, 74.125.131.94, 4.2.2.2, 8.8.8.8, 217.69.139.202, 81.19.82.10} } } # cat /etc/rc.conf hostname="test" ifconfig_em0="inet 192.168.170.199 netmask 255.255.255.0" defaultrouter="192.168.170.254" ifconfig_em1="inet 10.10.12.1 netmask 255.255.255.0" sshd_enable="YES" dumpdev="NO" zfs_enable="YES" pf_enable="YES" gateway_enable="YES" You can see there is an autotable into the rule: # pfctl -a 'user_profiles/*' -sr anchor "User2" from <User2> to any { block drop log quick inet from <User2> to <__automatic_c789788_0> } But there isn't autotable at all: # pfctl -sTables NatFrom User2
Thanks for a good bug report. I strongly suspect this is already fixed in current and stable/12. See #183198. Can you test either current or stable/12 to confirm?
I've tested on stable/12. Configs are the same. # uname -a FreeBSD test 12.0-STABLE FreeBSD 12.0-STABLE r344651 GENERIC amd64 # pfctl -a 'user_profiles/*' -sr anchor "User2" from <User2> to any { block drop log quick inet from <User2> to <__automatic_53729464_0> } # pfctl -sTables NatFrom User2 __automatic_53729464_0 All is OK. Thanks!
Thanks for confirming. *** This bug has been marked as a duplicate of bug 183198 ***