Date:      Mon, 26 Aug 2019 17:36:43 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 240130] Adding a pf anchor containing a "/" defines the anchor incorrectly
Message-ID:  <bug-240130-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240130

            Bug ID: 240130
           Summary: Adding a pf anchor containing a "/" defines the anchor
                    incorrectly
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: freebsd@tim.thechases.com

tl;dr: Simple reduced example
==============================

  $ echo 'anchor "blacklistd/*"' | pfctl -nvf -

on OpenBSD, this outputs what I'd expect:

  anchor "blacklistd/*" all

however on FreeBSD (tried 12-RELEASE-p10 here, and got corroboration from
"Evilham" on IRC for 13.0-CURRENT), this outputs

  anchor "/*" all

where the anchor name has been stripped out. The "/" seems to cause the issue
since the following all produce the results I expect (whether useful, sensible,
or not):

  $ echo 'anchor "blacklistd"' | pfctl -nvf -
  $ echo 'anchor "blacklistd*"' | pfctl -nvf -
  $ echo 'anchor "*"' | pfctl -nvf -


Longer details/backstory:
===========================

Was trying to figure out why blacklistd wasn't populating the anchor properly
with blocking rules. After a morning of troubleshooting, determined that
blacklistd was correctly interacting with sshd, and
/usr/libexec/blacklistd-helper was getting as far as invoking `pfctl` with the
(AFAIK) correct parameters, but pf didn't seem to have the anchor in place.  I
tracked it down to the lack of a "blacklistd/*" anchor existing.  So I
experimented with my pf.conf file stripping it down to the bare essentials of
just a "scrub in all" and that one 'anchor "blacklistd"' entry, only to see
that loading the pf.conf file still listed the only anchor as "/*" not
"blacklistd/*".

kevins91 on #freebsd in IRC said to create a PR and to CC kp@ so here it is.
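An added example, not part of the report or of FreeBSD's own tooling: a POSIX sh check that feeds a pf.conf through `pfctl -nvf -` (the invocation used in the report) and lists every quoted anchor name that does not survive the parse, which is how a post-load sanity check would catch the "blacklistd/*" -> "/*" mangling described above. The function names and the sample config/output pair are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report: detect anchor names that pfctl
# drops or mangles on the way through its parser. Function names are hypothetical.

# Print the quoted anchor names found in pf.conf text read from stdin.
# Only the quoted form 'anchor "name"' is handled here.
anchor_names() {
    sed -n 's/^[[:space:]]*anchor[[:space:]]*"\([^"]*\)".*/\1/p'
}

# $1: pf.conf text, $2: the corresponding `pfctl -nvf -` output.
# Prints each anchor name missing from the output; returns 1 if any is missing.
check_anchors() {
    conf=$1
    out=$2
    rc=0
    # A here-document avoids word splitting and pathname expansion, which
    # would otherwise turn a name such as "blacklistd/*" into a file list.
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! printf '%s\n' "$out" | grep -qF "anchor \"$name\""; then
            printf '%s\n' "$name"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$conf" | anchor_names)
EOF
    return $rc
}

# Live check on a host with pf: parse a pf.conf file with pfctl and compare.
# Usage: check_live /etc/pf.conf
check_live() {
    conf=$(cat "$1") || return 2
    check_anchors "$conf" "$(printf '%s\n' "$conf" | pfctl -nvf -)"
}

# Constructed sample: the minimal config from the report and the output the
# reporter saw on FreeBSD, where the name before "/" has been dropped.
SAMPLE_CONF='scrub in all
anchor "blacklistd/*"'
SAMPLE_OUT='scrub in all
anchor "/*" all'

if [ "${1:-}" = "--demo" ]; then
    check_anchors "$SAMPLE_CONF" "$SAMPLE_OUT" || echo "anchor(s) above were mangled"
fi
```

On an unaffected system `check_live /etc/pf.conf` prints nothing and exits 0; on a system with this bug it prints `blacklistd/*` and exits 1.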
