Date: Fri, 18 Mar 2022 01:14:23 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 262590] [pf] Anchor "blacklistd/*" not correctly shown in pfctl -a \* -s rules
Message-ID: <bug-262590-227-zshaXbf6mZ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-262590-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-262590-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262590

--- Comment #5 from Matteo Riondato <matteo@FreeBSD.org> ---
Yes, all of these work now, but the following still doesn't work, which is
what I meant to highlight in this issue, but I did not explain myself well.

1) Create the following pf.conf:

pass from any to any
anchor "parent/*"
block in proto tcp from any to any port 12345

2) Load the rules in this pf.conf:

# pfctl -f pf.conf

3) Notice how the rules are already not printed correctly:

# pfctl -a \* -s rules
pass all flags S/SA keep state
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
block drop in proto tcp from any to any port = 12345
#

4) Now create the following file child.pf:

block in proto udp from any to any port 23456
anchor child {
block in proto icmp
}
block in proto tcp from any to any port 34567

5) Load the rules of child.pf into the "parent" rule:

# pfctl -a parent -f child.pf

6) Notice how the rules are not printed correctly, with the "child" anchor
not even being mentioned, but also none of the rules inside the "parent"
anchor but outside of "child":

pass all flags S/SA keep state
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
block drop in proto tcp from any to any port = 12345

There are multiple issues here, but one of them is that the way the pointer
p is updated around line 1250 of pfctl.c is not correct, and it is what is
causing the use of "*" instead of "parent" as anchorname in the next
recursive call to pfctl_show_rules, and it is such use that causes the
"DIOCGETRULES: Invalid argument" error. Note that even fixing this specific
issue about p would not be sufficient, because the next call would still
not be able to print "child" and the rules in it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
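When the recursive listing in pfctl cannot be trusted, an administrator still needs a way to confirm that the anchors and rules that were loaded are the ones the firewall is actually enforcing. The script below is an added illustration written for this page; it is not part of the bug report and not FreeBSD or pfctl code. It assumes a simplified, line-based reading of pf.conf syntax (rules one per line, `anchor "name/*"` references and `anchor name { ... }` blocks) and uses the pf.conf, child.pf and pfctl output quoted in the comment as constructed sample input. It rebuilds the anchor tree that steps 1 to 5 should produce, renders the listing one would expect from `pfctl -a '*' -s rules`, and then diffs the anchor paths found in a captured pfctl listing against that expectation, flagging `pfctl:` error lines as well.

```python
"""Audit helper: rebuild the anchor tree a pf ruleset should contain from the
files that were loaded, then compare it with what `pfctl -a '*' -s rules`
printed.  Added illustration for bug 262590; not FreeBSD/pfctl code, and the
pf.conf parsing is a deliberately simplified, line-based approximation."""
import re

# `anchor "parent/*"`, `anchor child {`, or the `anchor "x" all {` form pfctl prints.
ANCHOR_RE = re.compile(r'^anchor\s+"?([^"\s{]+)"?(?:\s+all)?\s*(\{)?\s*$')
SHOWN_ANCHOR_RE = re.compile(r'^anchor\s+"([^"]+)"')

# Constructed copies of the files and output quoted in the bug comment.
PF_CONF = """pass from any to any
anchor "parent/*"
block in proto tcp from any to any port 12345
"""
CHILD_PF = """block in proto udp from any to any port 23456
anchor child {
block in proto icmp
}
block in proto tcp from any to any port 34567
"""
BUGGY_OUTPUT = """pass all flags S/SA keep state
anchor "*" all {
pfctl: DIOCGETRULES: Invalid argument
}
block drop in proto tcp from any to any port = 12345
"""
# Constructed example of what a correct recursive listing would look like.
GOOD_OUTPUT = """pass all flags S/SA keep state
anchor "parent" all {
  block drop in proto udp from any to any port = 23456
  anchor "child" all {
    block drop in proto icmp all
  }
  block drop in proto tcp from any to any port = 34567
}
block drop in proto tcp from any to any port = 12345
"""


def parse_rules(text):
    """Return a tree {"anchor": name, "items": [...]} where items are rule
    strings or nested anchor dicts, in load order.  A wildcard reference such
    as "parent/*" becomes an (initially empty) anchor named "parent"."""
    root = {"anchor": "", "items": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in ruleset")
            stack.pop()
            continue
        m = ANCHOR_RE.match(line)
        if m:
            name = m.group(1)
            name = name[:-2] if name.endswith("/*") else name
            node = {"anchor": name, "items": []}
            stack[-1]["items"].append(node)
            if m.group(2):          # `{` opens an inline block
                stack.append(node)
            continue
        stack[-1]["items"].append(line)
    if len(stack) != 1:
        raise ValueError("unterminated anchor block")
    return root


def find_anchor(root, path):
    """Walk (creating as needed) to the anchor at a slash-separated path."""
    node = root
    for part in [p for p in path.split("/") if p]:
        for item in node["items"]:
            if isinstance(item, dict) and item["anchor"] == part:
                node = item
                break
        else:
            child = {"anchor": part, "items": []}
            node["items"].append(child)
            node = child
    return node


def load_into(root, path, text):
    """Mirror `pfctl -a <path> -f <file>`: replace that anchor's ruleset."""
    find_anchor(root, path)["items"] = parse_rules(text)["items"]
    return root


def anchor_paths(node, prefix=""):
    """Set of all anchor paths ("parent", "parent/child", ...) in the tree."""
    paths = set()
    for item in node["items"]:
        if isinstance(item, dict):
            path = f"{prefix}/{item['anchor']}" if prefix else item["anchor"]
            paths.add(path)
            paths |= anchor_paths(item, path)
    return paths


def render(node, depth=0):
    """Lines of the recursive listing the tree should produce (rule text is
    kept verbatim; pfctl itself prints a normalised form)."""
    pad, out = "  " * depth, []
    for item in node["items"]:
        if isinstance(item, dict):
            out.append(f'{pad}anchor "{item["anchor"]}" {{')
            out.extend(render(item, depth + 1))
            out.append(f"{pad}}}")
        else:
            out.append(pad + item)
    return out


def audit_listing(output):
    """Parse pfctl's recursive listing: (anchor paths shown, pfctl error lines)."""
    listed, errors, stack = set(), [], []
    for line in output.splitlines():
        s = line.strip()
        if s.startswith("pfctl:"):
            errors.append(s)
        elif s == "}":
            if stack:
                stack.pop()
        else:
            m = SHOWN_ANCHOR_RE.match(s)
            if m:
                listed.add("/".join(stack + [m.group(1)]))
                if s.endswith("{"):
                    stack.append(m.group(1))
    return listed, errors


def missing_anchors(root, output):
    """Anchors that were loaded but do not appear in the captured listing."""
    listed, _ = audit_listing(output)
    return sorted(anchor_paths(root) - listed)


def build_expected():
    """Steps 1 to 5 of the report: load pf.conf, then child.pf into 'parent'."""
    return load_into(parse_rules(PF_CONF), "parent", CHILD_PF)


if __name__ == "__main__":
    tree = build_expected()
    print("\n".join(render(tree)))
    print("missing from buggy listing:", missing_anchors(tree, BUGGY_OUTPUT))
    print("errors:", audit_listing(BUGGY_OUTPUT)[1])
```

Run against the output quoted in the comment, the audit reports both "parent" and "parent/child" as missing and surfaces the DIOCGETRULES error line; against a correct listing it reports nothing missing. The same comparison can be driven from a captured `pfctl -a '*' -s rules` run as part of a post-deploy check, so a display bug of this kind does not silently hide rules that are (or are not) in effect.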