On 20 Jun 2017 at 14:17, Alen Mistric wrote:
> Howdy!
>
> I have a global table defined in pf.conf that I would like to use in
> both the main rule set and inside an anchor. However, I keep getting
> a namespace collision when I reload the configuration file. I can't
> quite figure out from reading the man pages if you're not supposed
> to use a global table inside an anchor or if I'm just doing it the
> wrong way. Any ideas?

Unfortunately, this is a known limitation in current PF -- you can use
global tables in an anchor strictly in read-only mode. Any attempt to
modify a table within an anchor results in the creation of an
anchor-local table with an identical name, which also prevents any
subsequent access to the global table.

>
> table <bruteforce> persist
> block quick from <bruteforce>
>
> pass in proto tcp to port ssh modulate state \
>     (max-src-conn-rate 5/3, overload <bruteforce> flush global)
>
> anchor "ftp" {
>     pass in proto tcp to port ftp modulate state \
>         (max-src-conn 2, overload <bruteforce> flush global )
>     pass in proto tcp to port { 40000:50000 }
>     pass out proto tcp to port ftp
> }
>