Date: Fri, 07 Oct 2022 11:13:48 +0100
From: Kristof Provost <kp@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, matteo@freebsd.org
Subject: Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors
Message-ID: <55FAE484-FD9E-4652-AD1D-45FBF3501CE8@FreeBSD.org>
In-Reply-To: <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org>
References: <202209061119.286BJnOV024965@gitrepo.freebsd.org> <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org> <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org>
> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>> I think there's still a problem here.
>>
>> pfctl -a '*' -sr works
>> pfctl -a 'name/*' -sr does not.
>>

So I’ve looked at this a bit more, and I am now going to back away from the whole anchor thing, and try to pretend I didn’t see any of the tentacled horrors that lurk within.

To give you an idea of the issues, loading the following ruleset:

    anchor "foo" {
        anchor "bar" {
            pass in
        }
    }

does exactly what you’d expect:

    # pfctl -sr -a "*"
    anchor "foo" all {
      anchor "bar" all {
        pass in all flags S/SA keep state
      }
    }
    # pfctl -sr -a "foo/*"
    anchor "bar" all {
      pass in all flags S/SA keep state
    }

However, if we `pfctl -Fr` to flush all rules:

    # pfctl -Fr
    rules cleared
    # pfctl -sr -a "*"
    # pfctl -sr -a "foo/*"
    anchor "bar" all {
      pass in all flags S/SA keep state
    }

Unloading pf to actually delete the bar anchor, and then we set:

    anchor "foo"

And then

    # echo "pass" | pfctl -g -f - -a "foo/bar"
    # pfctl -sr -a "*"
    anchor "foo" all {
    }
    # pfctl -sr -a "foo/*"
    # pfctl -sr -a "foo/bar"
    pass all flags S/SA keep state

There are a lot of issues there, and it’ll take a lot of time and effort to root them out. My plan is to drink heavily and attempt to forget.

Kristof
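The anchor-listing inconsistency shown in the mail, as an added consistency check that is not part of the thread or of pfctl itself: a small Python parser for the recursive `pfctl -sr -a '*'` output that cross-checks it against the per-anchor `-a 'name/*'` listings, so a nested anchor that one view prints and the other does not is flagged. It assumes the output layout the mail shows (an `anchor "name" ... {` line opening a block, a lone `}` closing it) and uses the mail's own listings as constructed sample input.

```python
import re

# Opens a nested anchor block in recursive (-a '*') output; closed by a lone `}`.
ANCHOR_OPEN = re.compile(r'^anchor "([^"]+)" .*\{$')

def parse_recursive(output):
    """Return {anchor_path: [rule lines]}; key "" is the level that was listed."""
    rules, stack = {"": []}, []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ANCHOR_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            rules.setdefault("/".join(stack), [])
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in pfctl output")
            stack.pop()
        else:
            rules["/".join(stack)].append(line)
    if stack:
        raise ValueError("unterminated anchor block: " + "/".join(stack))
    return rules

def direct_children(rules, parent):
    """Anchor names one level below `parent` ("" = top) in a parsed listing."""
    prefix = parent + "/" if parent else ""
    return {p[len(prefix):] for p in rules
            if p and p.startswith(prefix) and "/" not in p[len(prefix):]}

def compare_views(recursive_output, per_anchor_outputs):
    """Per parent anchor, list the children that only one of the two views shows.
    per_anchor_outputs maps an anchor path to its `pfctl -sr -a '<path>/*'` output."""
    whole = parse_recursive(recursive_output)
    findings = {}
    for parent, out in per_anchor_outputs.items():
        expected = direct_children(whole, parent)
        seen = direct_children(parse_recursive(out), "")
        if expected != seen:
            findings[parent] = {"missing_from_recursive": sorted(seen - expected),
                                "missing_from_per_anchor": sorted(expected - seen)}
    return findings

# Constructed from the mail's listings: the recursive view before `pfctl -Fr`,
# and the `foo/*` view that is still printed after the flush.
BEFORE_FLUSH = ('anchor "foo" all {\n  anchor "bar" all {\n'
                '    pass in all flags S/SA keep state\n  }\n}\n')
FOO_VIEW = 'anchor "bar" all {\n  pass in all flags S/SA keep state\n}\n'
```

Before the flush `compare_views(BEFORE_FLUSH, {"foo": FOO_VIEW})` is empty; after it, `compare_views("", {"foo": FOO_VIEW})` reports `bar` as missing from the recursive view, which is exactly the stale anchor the mail describes.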