From nobody@FreeBSD.org  Tue Oct 22 11:15:19 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTP id F375575D
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Oct 2013 11:15:18 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id C76B72201
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Oct 2013 11:15:18 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r9MBFIAY088406
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Oct 2013 11:15:18 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r9MBFIb4088403;
	Tue, 22 Oct 2013 11:15:18 GMT
	(envelope-from nobody)
Message-Id: <201310221115.r9MBFIb4088403@oldred.freebsd.org>
Date: Tue, 22 Oct 2013 11:15:18 GMT
From: Ole Myhre <ole@dataoppdrag.no>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf tables not loaded if only used inside anchor
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         183198
>Category:       kern
>Synopsis:       [pf] pf tables not loaded if only used inside anchor
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 22 11:20:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Wed Apr 16 00:57:53 UTC 2014
>Originator:     Ole Myhre
>Release:        10.0-BETA1
>Organization:
>Environment:
FreeBSD fw 10.0-BETA1 FreeBSD 10.0-BETA1 #0 r256420: Sun Oct 13 01:43:07 UTC 2013     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
When using tables in pf (either manually created tables or automatic
tables created from macros/rules), and those tables are only being used
inside anchors, the tables are not loaded when running "pfctl -f".

This causes some problems, especially if you are using macros for
groups of addresses and that group is converted to an automatic table.
So the rule inside the anchor works when you only have a few addresses
in the macro, but if you add a few more addresses, the rule would point
to a table that's not loaded.

I see the same behavior on 9.1-RELEASE.

Example with manual table:

# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in from <test> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t test -T show
pfctl: Table does not exist.

# echo "pass in on em0 from <test>" >> /etc/pf.conf
# cat /etc/pf.conf
table <test> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }

block in

anchor "em0" on em0 {
 pass in from <test>
}
pass in on em0 from <test>

# pfctl -f /etc/pf.conf
# pfctl -sT
test
# pfctl -t test -T show
   10.0.0.1
   10.0.0.2
   10.0.0.3


Example with automatic table:

# cat /etc/pf.conf
block in

anchor "em0" on em0 {
 pass in from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }
}
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_13de2d31_0> to any flags S/SA keep state
}
# pfctl -sT
# pfctl -t __automatic_13de2d31_0 -T show
pfctl: Table does not exist.
# echo "pass in on em0 from { 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4, 10.10.10.5, 10.10.10.6 }" >> /etc/pf.conf
# pfctl -f /etc/pf.conf
# pfctl -sr -a '*'
block drop in all
anchor "em0" on em0 all {
  pass in inet from <__automatic_178e79e_1> to any flags S/SA keep state
}
pass in on em0 inet from <__automatic_b3d57307_0> to any flags S/SA keep state
# pfctl -sT
__automatic_b3d57307_0

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Apr 16 00:57:19 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=183198 
>Unformatted:
