
Re: [openbsd] pf changes the order of rules



On Tue, Nov 03, 2009 at 03:50:26PM +0200, Gregory Edigarov wrote:
> On Tue, 3 Nov 2009 15:39:56 +0200
> Alexander Shikoff <minotaur@crete.org.ua> wrote:
> 
> > Greetings!
> > 
> > Something odd with pf: pf.conf has the rules in one order, but after
> > loading, pfctl -sr shows a different one.
> > 
> > An example. At the moment my pf.conf contains:
> > [...]
> > block in all
> > pass in quick on $ext_if proto tcp from any to ($ext_if) port ssh
> > pass out quick on $ext_if
> > pass in quick on $ext_if no state
> > 
> > pass in  quick on vlan609 from vlan609:network  to any                  no state
> > pass out quick on vlan609 from any              to vlan609:network      no state
> > pass in  quick on vlan621 from 10.51.109.16/29  to any                  no state
> > pass out quick on vlan621 from any              to 10.51.109.16/29      no state queue to_Akim
> > pass in  quick on vlan621 from 10.51.109.40/29  to any                  no state
> > pass out quick on vlan621 from any              to 10.51.109.40/29      no state queue to_Gonta
> > pass in  quick on vlan622 from vlan622:network  to any                  no state
> > pass out quick on vlan622 from any              to vlan622:network      no state
> > pass in  quick on vlan664 from vlan664:network  to any                  no state
> > pass out quick on vlan664 from any              to vlan664:network      no state
> > pass in  quick on vlan781 from vlan781:network  to any                  no state
> > pass out quick on vlan781 from any              to vlan781:network      no state
> > pass in  quick on vlan783 from vlan783:network  to any                  no state
> > pass out quick on vlan783 from any              to vlan783:network      no state
> > 
> > After loading:
> > # pfctl -sr
> > block drop in all
> > pass in quick on vlan2 proto tcp from any to (vlan2) port = ssh flags S/SA keep state (if-bound)
> > pass out quick on vlan2 all flags S/SA keep state (if-bound)
> > pass in quick on vlan609 inet from 10.51.9.0/24 to any no state
> > pass in quick on vlan621 inet from 10.51.109.16/29 to any no state
> > pass in quick on vlan2 all no state
> > pass out quick on vlan609 inet from any to 10.51.9.0/24 no state
> > pass out quick on vlan621 inet from any to 10.51.109.16/29 no state queue to_Akim
> > pass in quick on vlan621 inet from 10.51.109.40/29 to any no state
> > pass out quick on vlan621 inet from any to 10.51.109.40/29 no state queue to_Gonta
> > pass in quick on vlan622 inet from 10.51.109.0/28 to any no state
> > pass in quick on vlan622 inet from 10.51.109.56/29 to any no state
> > pass in quick on vlan781 inet from 10.53.31.0/25 to any no state
> > pass in quick on vlan781 inet from 10.53.31.128/25 to any no state
> > pass in quick on vlan664 inet from 10.52.14.0/24 to any no state
> > pass in quick on vlan783 inet from 10.53.33.0/24 to any no state
> > pass out quick on vlan622 inet from any to 10.51.109.0/28 no state
> > pass out quick on vlan622 inet from any to 10.51.109.56/29 no state
> > pass out quick on vlan781 inet from any to 10.53.31.0/25 no state
> > pass out quick on vlan781 inet from any to 10.53.31.128/25 no state
> > pass out quick on vlan664 inet from any to 10.52.14.0/24 no state
> > pass out quick on vlan783 inet from any to 10.53.33.0/24 no state
> > 
> > There are no optimization options in pf.conf, and man pf.conf says
> > nothing about rules being reordered.
> > How does this happen?
> 
> set ruleset-optimization none?
> Maybe something changed and optimization is now on by default?
> Needs checking. Is this -current?

Oh, thanks. For some reason I thought it was none by default.
Apparently I confused it with plain "optimization".

-- 
MINO-RIPE

-- 
To unsubscribe send an e-mail to openbsd+unsubscribe@uaoug.org.ua
For retrieval in messages archive http://www.uaoug.org.ua/archive
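As an added illustration (not code from this thread, and not pf's own optimizer): the reply points at `set ruleset-optimization`, and the reason a reordered `pfctl -sr` listing can still express the same policy is that rules may only change places if they can never both match the same packet. The script below implements that property as an independent, conservative check that an administrator can run against a pf.conf-syntax rule list and the order observed after loading. The rule strings are constructed, modelled on the ruleset quoted above with `$ext_if` expanded to `vlan2`; the regular expression, the field set it compares (direction, interface, address family, protocol) and the function names are this example's own assumptions. Addresses are deliberately not compared, so two rules with different networks on the same interface and direction are still treated as possibly overlapping; that only makes the check stricter, never more permissive.

```python
"""Check that a reordered pf ruleset keeps every order-dependent pair in place.

Two rules are order-dependent if some packet could match both; for such a
pair the original relative order must survive. Rules that are provably
disjoint (different direction, interface, address family or protocol) may
move past each other freely. Hypothetical helper, modelled on the thread.
"""
import re
from itertools import combinations

# Assumed grammar: a prefix of pf.conf rule syntax, enough for these fields.
RULE_RE = re.compile(
    r'^(?P<action>block|pass)'
    r'(?: (?:drop|return))?'        # "block drop" as printed by pfctl -sr
    r'(?: (?P<dir>in|out))?'
    r'(?P<quick> quick)?'
    r'(?: on (?P<iface>\S+))?'
    r'(?: (?P<af>inet6?))?'
    r'(?: proto (?P<proto>\S+))?'
)


def parse_rule(line):
    """Return the fields used for the disjointness test (None = unspecified)."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised rule: %r" % line)
    d = m.groupdict()
    d["quick"] = d["quick"] is not None
    return d


def may_overlap(a, b):
    """Conservative: True unless some field proves a and b can never share a packet."""
    for field in ("dir", "iface", "af", "proto"):
        if a[field] and b[field] and a[field] != b[field]:
            return False
    return True


def check_reorder(original, candidate):
    """Return the list of (earlier, later) pairs whose order was not preserved.

    An empty list means the candidate order is equivalent to the original
    under this check. Raises ValueError if the rule sets themselves differ.
    """
    if len(set(original)) != len(original):
        raise ValueError("duplicate rule text; give each rule a unique line")
    if sorted(original) != sorted(candidate):
        raise ValueError("rule sets differ, not just their order")
    pos = {rule: i for i, rule in enumerate(candidate)}
    parsed = {rule: parse_rule(rule) for rule in original}
    violations = []
    for i, j in combinations(range(len(original)), 2):
        earlier, later = original[i], original[j]
        if may_overlap(parsed[earlier], parsed[later]) and pos[earlier] > pos[later]:
            violations.append((earlier, later))
    return violations


# Constructed sample, modelled on the thread's pf.conf ($ext_if -> vlan2).
PF_CONF_ORDER = [
    "block in all",
    "pass in quick on vlan2 proto tcp from any to (vlan2) port ssh",
    "pass out quick on vlan2",
    "pass in quick on vlan2 no state",
    "pass in quick on vlan609 from vlan609:network to any no state",
    "pass out quick on vlan609 from any to vlan609:network no state",
    "pass in quick on vlan621 from 10.51.109.16/29 to any no state",
    "pass out quick on vlan621 from any to 10.51.109.16/29 no state queue to_Akim",
]

# The order the thread observed after loading: "in" rules pulled ahead of
# "out" rules on other interfaces, but same-interface same-direction order kept.
PFCTL_ORDER = [PF_CONF_ORDER[i] for i in (0, 1, 2, 4, 6, 3, 5, 7)]

# A reorder that would change policy: the catch-all "in" rule on vlan2 now
# shadows the more specific ssh rule (same interface and direction).
UNSAFE_ORDER = [PF_CONF_ORDER[i] for i in (0, 3, 2, 1, 4, 5, 6, 7)]

if __name__ == "__main__":
    print("observed order safe:", check_reorder(PF_CONF_ORDER, PFCTL_ORDER) == [])
    for earlier, later in check_reorder(PF_CONF_ORDER, UNSAFE_ORDER):
        print("order violated:\n  %s\n  must stay before\n  %s" % (earlier, later))
```

Because `pfctl -sr` expands macros and `:network` specifications (the thread's listing shows `vlan609:network` as `10.51.9.0/24`, and `vlan622:network` as two prefixes), the candidate list handed to `check_reorder` has to use the same rule text as the original; the practical way is to keep pf.conf free of macros for the rules being compared, or to compare against `pfctl -nvf /etc/pf.conf` output with `set ruleset-optimization none` in place, which prints the rules as parsed but unreordered.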