Based on a conversation with Henning at BSDCon2017, the limitation is known as well as the reasons for its existence, but at this time there is no developer for whom the pain of the limitation has exceeded the expected pain of diving into this particular section of the code.
On 21 Jun 2017 at 23:06, Alen Mistric wrote:

> Ouch, that's a bummer. Have there been any attempts to try and
> resolve this matter?
>
> > On 21 Jun 2017 at 04:40, Jacob Leifman <jac...@bitwise.net> wrote:
> >
> > On 20 Jun 2017 at 14:17, Alen Mistric wrote:
> >
> >> Howdy!
> >>
> >> I have a global table defined in pf.conf that I would like to use in
> >> both the main rule set and inside an anchor. However, I keep getting
> >> a namespace collision when I reload the configuration file. I can't
> >> quite figure out from reading the man pages if you're not supposed
> >> to use a global table inside an anchor or if I'm just doing it the
> >> wrong way. Any ideas?
> >
> > Unfortunately, this is a known limitation in current PF -- you can use global tables
> > in an anchor strictly in read-only mode. Any attempt to modify a table within an
> > anchor results in the creation of an anchor-local table with identical name which
> > also prevents any subsequent access to the global table.
> >
> >> table <bruteforce> persist
> >> block quick from <bruteforce>
> >>
> >> pass in proto tcp to port ssh modulate state \
> >>     (max-src-conn-rate 5/3, overload <bruteforce> flush global)
> >>
> >> anchor "ftp" {
> >>     pass in proto tcp to port ftp modulate state \
> >>         (max-src-conn 2, overload <bruteforce> flush global)
> >>     pass in proto tcp to port { 40000:50000 }
> >>     pass out proto tcp to port ftp
> >> }
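For readers landing on this thread with the same collision: the pf.conf below is an added example, not part of Alen's or Jacob's messages. It takes Jacob's description at face value (a table referenced from an anchor is fine read-only; a rule inside the anchor that writes to it via overload creates an anchor-local table of the same name) and rearranges Alen's ruleset so that every rule which writes to <bruteforce> lives in the main ruleset, while the anchor only reads it. Whether this is enough on a given PF version is an assumption drawn from the thread, not something the thread confirms.

```pf
# Added example (not from the thread). Assumption: only writers to a table
# (overload ...) trigger the anchor-local copy, so keeping all writers in the
# main ruleset leaves <bruteforce> global and readable from the anchor.

table <bruteforce> persist
block quick from <bruteforce>

# Both overload rules stay in the main ruleset, so ssh and ftp offenders
# end up in the same global <bruteforce> table.
pass in proto tcp to port ssh modulate state \
    (max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in proto tcp to port ftp modulate state \
    (max-src-conn 2, overload <bruteforce> flush global)

anchor "ftp" {
    # Read-only reference to the global table; allowed per Jacob's note.
    # Redundant with the main-ruleset block quick, kept here only to show
    # that reading the table from inside the anchor does not create a copy.
    block quick from <bruteforce>
    pass in proto tcp to port { 40000:50000 }
    pass out proto tcp to port ftp
}
```

Parse it with `pfctl -nf /etc/pf.conf` before loading. After loading, `pfctl -t bruteforce -T show` lists the global table, and `pfctl -a ftp -t bruteforce -T show` queries the ftp anchor for a table of the same name; if the anchor query reports that the table does not exist, nothing in the anchor created a shadow copy, and addresses overloaded by either rule will be blocked by the main-ruleset `block quick`.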