
[openbsd] pf changes the order of the rules



Greetings!

Something odd with pf: pf.conf lists the rules in one order, but after
loading, pfctl -sr shows a different one.

An example. At the moment my pf.conf contains:
[...]
block in all
pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh
pass out quick on $ext_if
pass in quick on $ext_if no state

pass in  quick on vlan609 from vlan609:network  to any                  no state
pass out quick on vlan609 from any              to vlan609:network      no state 
pass in  quick on vlan621 from 10.51.109.16/29  to any                  no state
pass out quick on vlan621 from any              to 10.51.109.16/29      no state queue to_Akim 
pass in  quick on vlan621 from 10.51.109.40/29  to any                  no state
pass out quick on vlan621 from any              to 10.51.109.40/29      no state queue to_Gonta
pass in  quick on vlan622 from vlan622:network  to any                  no state
pass out quick on vlan622 from any              to vlan622:network      no state 
pass in  quick on vlan664 from vlan664:network  to any                  no state
pass out quick on vlan664 from any              to vlan664:network      no state 
pass in  quick on vlan781 from vlan781:network  to any                  no state
pass out quick on vlan781 from any              to vlan781:network      no state
pass in  quick on vlan783 from vlan783:network  to any                  no state
pass out quick on vlan783 from any              to vlan783:network      no state

After loading:
# pfctl -sr
block drop in all
pass in quick on vlan2 proto tcp from any to (vlan2) port = ssh flags S/SA keep state (if-bound)
pass out quick on vlan2 all flags S/SA keep state (if-bound)
pass in quick on vlan609 inet from 10.51.9.0/24 to any no state
pass in quick on vlan621 inet from 10.51.109.16/29 to any no state
pass in quick on vlan2 all no state
pass out quick on vlan609 inet from any to 10.51.9.0/24 no state
pass out quick on vlan621 inet from any to 10.51.109.16/29 no state queue to_Akim
pass in quick on vlan621 inet from 10.51.109.40/29 to any no state
pass out quick on vlan621 inet from any to 10.51.109.40/29 no state queue to_Gonta
pass in quick on vlan622 inet from 10.51.109.0/28 to any no state
pass in quick on vlan622 inet from 10.51.109.56/29 to any no state
pass in quick on vlan781 inet from 10.53.31.0/25 to any no state
pass in quick on vlan781 inet from 10.53.31.128/25 to any no state
pass in quick on vlan664 inet from 10.52.14.0/24 to any no state
pass in quick on vlan783 inet from 10.53.33.0/24 to any no state
pass out quick on vlan622 inet from any to 10.51.109.0/28 no state
pass out quick on vlan622 inet from any to 10.51.109.56/29 no state
pass out quick on vlan781 inet from any to 10.53.31.0/25 no state
pass out quick on vlan781 inet from any to 10.53.31.128/25 no state
pass out quick on vlan664 inet from any to 10.52.14.0/24 no state
pass out quick on vlan783 inet from any to 10.53.33.0/24 no state

There are no optimization options in pf.conf, and man pf.conf says nothing
about reordering rules.
How does that happen?

-- 
MINO-RIPE
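Editor's note, added example (not part of the post above). The reordering shown is the kind pf's ruleset optimizer performs (pf.conf(5) documents it as `set ruleset-optimization`, enabled at level `basic` by default; `pfctl -o none` overrides it): it may reorder rules, but only where the change cannot alter which rule ends up deciding a packet. The check a practitioner wants is to confirm that property for their own ruleset, and the script below does that for the rules in the post. It parses rules in `pfctl -sr` output syntax, decides for each pair whether the two rules could ever match the same packet, and reports any such pair whose relative order differs between the file order and the loaded order. The LOADED_ORDER texts are taken from the post (abridged to vlan2, vlan609, vlan621 and vlan622); FILE_ORDER is my own reconstruction of the pf.conf order with macros and `:network` expanded, and SWAPPED_ORDER is a constructed counter-example, so both of those are assumptions, not something the post shows.

```python
# Added example, not from the original post: checks that a reordered pf ruleset
# still yields the same first-match decision for every packet.
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    text: str
    quick: bool
    direction: Optional[str]              # "in", "out" or None (both)
    iface: Optional[str]                  # None: any interface
    proto: Optional[str]                  # None: any protocol
    src: Optional[ipaddress.IPv4Network]  # None: interface-derived, e.g. "(vlan2)"
    dst: Optional[ipaddress.IPv4Network]

def _field(pat: str, line: str) -> Optional[str]:
    m = re.search(pat, line)
    return m.group(1) if m else None

def _addr(token: Optional[str]) -> Optional[ipaddress.IPv4Network]:
    """'any' or absent -> 0.0.0.0/0; '(ifname)' -> None (unknown, treated as wildcard)."""
    if token is None or token == "any":
        return ANY
    return None if token.startswith("(") else ipaddress.ip_network(token, strict=False)

def parse_rule(line: str) -> Rule:
    """Extract the fields of a `pfctl -sr` style rule that decide which packets it can match."""
    line = line.strip()
    return Rule(text=line,
                quick=re.search(r"\bquick\b", line) is not None,
                direction=_field(r"\b(in|out)\b", line),
                iface=_field(r"\bon (\S+)", line),
                proto=_field(r"\bproto (\S+)", line),
                src=_addr(_field(r"\bfrom (\S+)", line)),
                dst=_addr(_field(r"\bto (\S+)", line)))

def may_match_same_packet(a: Rule, b: Rule) -> bool:
    """True if swapping a and b could change pf's decision for some packet."""
    # Two quick rules: first match wins. Two non-quick rules: last match wins. A quick
    # rule beats a non-quick one regardless of position, so mixed pairs never conflict.
    if a.quick != b.quick:
        return False
    for x, y in ((a.direction, b.direction), (a.iface, b.iface), (a.proto, b.proto)):
        if x and y and x != y:             # both constrained, to different values
            return False
    return all(x is None or y is None or x.overlaps(y)
               for x, y in ((a.src, b.src), (a.dst, b.dst)))

def order_violations(before: List[str], after: List[str]) -> List[Tuple[str, str]]:
    """Pairs (earlier, later) from `before` that may match the same packet yet appear
    swapped in `after`; a rule absent from `after` is reported as (text, "")."""
    rules = [parse_rule(l) for l in before]
    pos = {l.strip(): i for i, l in enumerate(after)}
    bad = [(r.text, "") for r in rules if r.text not in pos]
    for a, b in combinations(rules, 2):    # a precedes b in `before`
        if (a.text in pos and b.text in pos and pos[a.text] > pos[b.text]
                and may_match_same_packet(a, b)):
            bad.append((a.text, b.text))
    return bad

# Rules as printed by `pfctl -sr` in the post, abridged to vlan2, vlan609, vlan621, vlan622.
LOADED_ORDER = [
    "block drop in all",
    "pass in quick on vlan2 proto tcp from any to (vlan2) port = ssh flags S/SA keep state (if-bound)",
    "pass out quick on vlan2 all flags S/SA keep state (if-bound)",
    "pass in quick on vlan609 inet from 10.51.9.0/24 to any no state",
    "pass in quick on vlan621 inet from 10.51.109.16/29 to any no state",
    "pass in quick on vlan2 all no state",
    "pass out quick on vlan609 inet from any to 10.51.9.0/24 no state",
    "pass in quick on vlan621 inet from 10.51.109.40/29 to any no state",
    "pass in quick on vlan622 inet from 10.51.109.0/28 to any no state",
    "pass in quick on vlan622 inet from 10.51.109.56/29 to any no state",
]
# Constructed: the same rules in the order the post's pf.conf lists them (macros and
# ':network' expanded by hand into pfctl output syntax); an assumption, not shown by the post.
FILE_ORDER = [LOADED_ORDER[0], LOADED_ORDER[1], LOADED_ORDER[2], LOADED_ORDER[5],
              LOADED_ORDER[3], LOADED_ORDER[6], LOADED_ORDER[4], LOADED_ORDER[7],
              LOADED_ORDER[8], LOADED_ORDER[9]]
# Constructed counter-example: the catch-all "pass in quick on vlan2 all" hoisted to the top.
SWAPPED_ORDER = [LOADED_ORDER[5]] + LOADED_ORDER[:5] + LOADED_ORDER[6:]

if __name__ == "__main__":
    print("loaded vs file:", order_violations(FILE_ORDER, LOADED_ORDER) or "no conflicting swaps")
    print("swapped vs file:", order_violations(FILE_ORDER, SWAPPED_ORDER))
```

Run against the post's ruleset the checker finds nothing: the only rules that were moved relative to each other live on different interfaces or, on vlan621 and vlan622, cover disjoint source networks, and the two vlan2 inbound rules that do overlap (the ssh rule and the catch-all `no state` rule) keep their order. The constructed SWAPPED_ORDER shows what a real problem looks like: hoisting the catch-all above the ssh rule is flagged, because an inbound TCP packet to port 22 on vlan2 would then be decided by a different rule. Ports are deliberately ignored, so the check errs on the side of reporting a conflict.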

-- 
To unsubscribe send an e-mail to openbsd+unsubscribe@uaoug.org.ua
For retrieval in messages archive http://www.uaoug.org.ua/archive