Tables and Persistency ...
-
Hey guys,
I created an Alias and referenced it in my filter rules, which in turn creates a Table that I can manipulate using e.g. "/sbin/pfctl -t TABLENAME -T add IPADDR".
Unfortunately, the table seems to be flushed almost every 10 to 15 minutes - the contents vanish and it is reset to the IP address I put in there when I created the alias. So basically the table "recovers" its original content regularly, purging all modifications I did to it using pfctl.
I also thought that maybe the built-ins like "bogons" or "snort2c" might be more persistent, but I can't reference them directly in the ruleset, which isn't helping either.
Is there some feature or issue I'm missing that might provide me with a more "persistent" table that I can use in a ruleset and modify using pfctl at the same time?
Thanks for your help <3
Daniel
-
Hello
When you reload the rules, pfSense deletes all the contents of the tables and creates the tables again, then adds the contents of the aliases. Everything you added dynamically using pfctl is lost.
I ran into such a problem and did the following:
I wrote a small program that saves the contents of the tables to a file, and after reloading the rules restores the contents of the table. I added 2 lines to the file /etc/rc.filter_configure_sync to automate this process:

exec("/usr/local/tmp/table_manager -b");
filter_configure_sync();
exec("/usr/local/tmp/table_manager -r ");

-b - backup table
-r - restore table

Nov 16 19:10:49 171 ip addresses successfully saved to file /usr/local/tmp/dns_parser/db/hbo.db
Nov 16 19:10:49 26 ip addresses successfully saved to file /usr/local/tmp/dns_parser/db/mos.db
Nov 16 19:10:49 11 ip addresses successfully saved to file /usr/local/tmp/dns_parser/db/molotov.db
Nov 16 19:10:52 Found file /usr/local/tmp/dns_parser/db/hbo.db, restore table hbo_ip
Nov 16 19:10:52 Successfully restored 170 ip-addresses
Nov 16 19:10:52 Found file /usr/local/tmp/dns_parser/db/mos.db, restore table mos_ip
Nov 16 19:10:52 Successfully restored 25 ip-addresses
Nov 16 19:10:52 Found file /usr/local/tmp/dns_parser/db/molotov.db, restore table molotov_ip
Nov 16 19:10:52 Successfully restored 10 ip-addresses

Or you can install the shellcmd package and configure the system so that it runs the desired script after reloading the rules.
-
Thanks for your help, I really appreciate that.
Scripting a workaround is something I considered, but I thought there might be "the right way" to do it - given that you point me at your solution, I guess there is not ;-)
I will look into your solution <3
Thank you!
-
My solution is a program written in C that uses the PF ioctl interface
https://www.freebsd.org/cgi/man.cgi?query=pf&apropos=0&sektion=0&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html
To restore the table:
DIOCRADDADDRS - Add one or more addresses to a table.
To back up a table:
DIOCRGETADDRS - Get all the addresses of a table.
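As an added example (not the poster's C program, which talks to the PF ioctls directly), the same backup/restore split done with the pfctl commands this thread already uses: the `-T show` output is saved to a file before filter_configure_sync() runs and re-added with `-T add -f` afterwards, with every entry validated so a corrupted or edited backup file cannot push junk into the ruleset. The script name, table names and file paths are assumptions; it only needs a python3 on the firewall.

```python
#!/usr/local/bin/python3
# Added example: a pfctl-driven stand-in for the thread's C table_manager.
# Table names, file paths and the rc.filter_configure_sync hook are assumptions.
import ipaddress
import subprocess
import sys

PFCTL = "/sbin/pfctl"  # the binary the thread already uses by hand


def parse_show_output(text):
    """Parse 'pfctl -t TABLE -T show' output (one host or CIDR per line,
    indented by three spaces, optionally negated with '!') into a list of
    validated entries.  Anything that is not an IP address/network raises
    ValueError, so a tampered backup file cannot push junk into pf."""
    entries = []
    for line in text.splitlines():
        token = line.strip()
        if not token or token.startswith("#"):
            continue
        ipaddress.ip_network(token.lstrip("!"), strict=False)  # raises on junk
        entries.append(token)
    return entries


def backup(table, path):
    """Write the live contents of TABLE to PATH; returns the entry count."""
    out = subprocess.run([PFCTL, "-t", table, "-T", "show"],
                         capture_output=True, text=True, check=True).stdout
    entries = parse_show_output(out)
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)


def restore(table, path):
    """Re-add the entries saved in PATH to TABLE; returns the entry count."""
    with open(path) as fh:
        entries = parse_show_output(fh.read())  # validate before touching pf
    if entries:  # '-T add -f' keeps entries the alias already put back
        subprocess.run([PFCTL, "-t", table, "-T", "add", "-f", path], check=True)
    return len(entries)


if __name__ == "__main__":  # usage: table_manager.py -b|-r TABLE FILE
    mode, table, path = sys.argv[1:4]
    if mode not in ("-b", "-r"):
        sys.exit("usage: table_manager.py -b|-r TABLE FILE")
    n = (backup if mode == "-b" else restore)(table, path)
    print(f"{'saved' if mode == '-b' else 'restored'} {n} entries, table {table}")
```

Hooked in the same way as the two exec() lines above, e.g. exec("/usr/local/tmp/table_manager.py -b hbo_ip /usr/local/tmp/hbo.db") before filter_configure_sync() and the -r form after it; a restore count lower than the saved count is expected when some entries come from the alias itself.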
-
Nice :) I'll have a look at that, since it's probably better than the pfctl approach, performance-wise.