Date: Thu, 17 Mar 2022 17:39:43 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 262622] [pf][patch] fix showing rules in (some) nested anchors
Message-ID: <bug-262622-227-5HxLaVpCvN@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-262622-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-262622-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262622

--- Comment #7 from Matteo Riondato <matteo@FreeBSD.org> ---
(In reply to Kristof Provost from comment #6)

This fixes the issue I outline here (but my patch already did that, and it is
simpler: I don't think copying anchor_name is needed, at least for this
specific issue).

The issue in bug #262590 is a little subtler:

1) we don't recursively print rules in anchors included in pf.conf with a
wildcard, for example, using "anchor blacklistd/*". Here is the output from
"pfctl -a "*" -sr" with a pfctl patched with your patch:

anchor "*" in on lagg0 all {
pfctl: DIOCGETRULES: Invalid argument
}

Note that that "*" is wrong, it should be "blacklistd", but the assignment of
p around line 1250 of pfctl.c is too naive, as it should take into account the
current values of path and of anchor_call before deciding what path/anchorname
to use next (indeed the error is due to pfctl_get_rules_info being called with
a path of "*").

2) we don't recursively print rules in other cases, but it is a little weird
when it happens, as it only happens in some cases. For example (with pfctl
patched with your patch):

On one hand:

# /usr/obj/usr/src/amd64.amd64/sbin/pfctl/pfctl -a "blacklistd/*" -sr
#

(no output) but there is a nested anchor "2200" under "blacklistd", and its
rules should be printed by the above command. Indeed, if we try to print its
rules directly it works:

# /usr/obj/usr/src/amd64.amd64/sbin/pfctl/pfctl -a "blacklistd/2200" -sr
block drop in quick proto tcp from <port2200> to any port = 2200
#

Although, it is really weird, because the following works:

# /usr/obj/usr/src/amd64.amd64/sbin/pfctl/pfctl -a "test/*" -sr
anchor "test2" all {
block drop in proto udp from any to any port = 3999
}
#

In any case, the situation there is more complex than what is addressed with
this patch, which is still needed independently.

-- 
You are receiving this mail because:
You are the assignee for the bug.
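A small model, added here and not taken from pfctl or from either patch in this bug, of the path derivation the comment says is too naive: given the current anchor path and a rule's anchor_call, the trailing "*" wildcard is stripped (so it is never handed to the kernel as a path, which is what produces the DIOCGETRULES error above) and the remaining name is joined to the parent path. The function name next_anchor_path and its return convention are assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added model (not pfctl's own code) of deriving the anchor path for the
 * next rules query from the current path and a rule's anchor_call.
 * A trailing "*" means "recurse into every child anchor": it must never
 * become part of the path, so the caller enumerates the children instead.
 * Returns 1 for a wildcard call, 0 for a single anchor, -1 on error. */
int next_anchor_path(const char *path, const char *anchor_call,
                     char *out, size_t outlen)
{
    char call[256];
    size_t n = strlen(anchor_call);
    int wildcard = 0, r;
    if (n == 0 || n >= sizeof(call))
        return -1;
    memcpy(call, anchor_call, n + 1);
    /* Strip a "*" or "/*" suffix and remember that it was there. */
    if (call[n - 1] == '*') {
        wildcard = 1;
        call[--n] = '\0';
        if (n > 0 && call[n - 1] == '/')
            call[--n] = '\0';
    }
    /* A "*" anywhere else is not a valid anchor name component. */
    if (strchr(call, '*') != NULL)
        return -1;
    /* Join parent path and anchor name with "/" when both are present;
     * "anchor blacklistd/*" at the root yields "blacklistd", not "*". */
    if (n == 0)
        r = snprintf(out, outlen, "%s", path);
    else if (path[0] == '\0')
        r = snprintf(out, outlen, "%s", call);
    else
        r = snprintf(out, outlen, "%s/%s", path, call);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return wildcard;
}

int main(void)
{
    char p[256];
    int w = next_anchor_path("", "blacklistd/*", p, sizeof(p));
    printf("path=\"%s\" wildcard=%d\n", p, w); /* path="blacklistd" wildcard=1 */
    w = next_anchor_path("blacklistd", "2200", p, sizeof(p));
    printf("path=\"%s\" wildcard=%d\n", p, w); /* path="blacklistd/2200" wildcard=0 */
    return 0;
}
```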