Date:      Mon, 17 Oct 2022 13:37:04 -0400
From:      Matteo Riondato <matteo@freebsd.org>
To:        Kristof Provost <kp@freebsd.org>
Cc:        Bryan Drewery <bdrewery@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject:   Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors
Message-ID:  <20221017173704.d3mvikbc25to6snn@host-ubertino-mac-24f5a28a9493.wired.10net.amherst.edu>
In-Reply-To: <55FAE484-FD9E-4652-AD1D-45FBF3501CE8@FreeBSD.org>
References:  <202209061119.286BJnOV024965@gitrepo.freebsd.org> <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org> <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org> <55FAE484-FD9E-4652-AD1D-45FBF3501CE8@FreeBSD.org>



On 2022-10-07 at 06:13 EDT, Kristof Provost <kp@FreeBSD.org> wrote:

>>On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>>>I think there's still a problem here.
>>>
>>>pfctl -a '*' -sr works
>>>pfctl -a 'name/*' -sr does not.
>>>
>So I’ve looked at this a bit more, and I am now going to back away
>from the whole anchor thing, and try to pretend I didn’t see any of
>the tentacled horrors that lurk within.
>
>To give you an idea of the issues, loading the following ruleset:
>
>	anchor "foo" {
>	        anchor "bar" {
>	                pass in
>	        }
>	}
>
>does exactly what you’d expect:
>
>	# pfctl -sr -a "*"
>	anchor "foo" all {
>	  anchor "bar" all {
>	    pass in all flags S/SA keep state
>	  }
>	}
>	# pfctl -sr -a "foo/*"
>	anchor "bar" all {
>	  pass in all flags S/SA keep state
>	}
>
>However, if we `pfctl -Fr` to flush all rules:
>
>	# pfctl -Fr
>	rules cleared
>	# pfctl -sr -a "*"
>	# pfctl -sr -a "foo/*"
>	anchor "bar" all {
>	  pass in all flags S/SA keep state
>	}
>

How is one supposed to know which rules are really loaded in this case?

Printing of rules with anchors being broken (I even get a segmentation
fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.

Partially, the question I also have is: is printing of rules broken, or
is flushing of rules broken, or a third thing? =)

>Unloading pf to actually delete the bar anchor, and then we set:
>
>	anchor “foo”
>
>And then
>
>	# echo "pass" | pfctl -g -f - -a "foo/bar"
>	# pfctl -sr -a "*"
>	anchor "foo" all {
>	}
>	# pfctl -sr -a "foo/*"
>	# pfctl -sr -a "foo/bar"
>	pass all flags S/SA keep state
>
>There are a lot of issues there, and it’ll take a lot of time and
>effort to root them out. My plan is to drink heavily and attempt to
>forget.
>
>Kristof

Thanks,
Matteo
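The question raised above, which rules are really loaded when the recursive listing and the per-anchor listing disagree, can at least be detected mechanically. The following is an added example, not code from this thread or from pfctl itself: it parses the brace-nested listing that `pfctl -sr -a "*"` prints, as shown in Kristof's transcripts, into a map of anchor path to rules, and then flags anchors that a per-anchor listing such as `pfctl -sr -a "foo/*"` shows but the recursive listing omits. The sample listings are constructed from the outputs quoted above, and the listing grammar the parser assumes (an `anchor "name" ... {` opener, a lone `}` closer, one rule per line) is taken only from those outputs.

```python
"""Added example (not from the thread): flatten pfctl's recursive anchor
listing and cross-check it against a per-anchor listing.  Sample inputs
below are constructed from the transcripts quoted in the thread."""
import re
from typing import Dict, List

# An anchor block opener as printed by `pfctl -sr -a "*"`, e.g.  anchor "bar" all {
ANCHOR_OPEN = re.compile(r'^anchor\s+"([^"]+)"(?:\s+.*)?\{$')


def parse_listing(text: str, base: str = "") -> Dict[str, List[str]]:
    """Turn brace-nested anchor blocks into {full anchor path: [rule lines]}.

    `base` is the anchor the listing was taken from: "" for `-a "*"`,
    "foo" for `-a "foo/*"`.  Rules printed outside any nested block are
    stored under `base` itself.
    """
    rules: Dict[str, List[str]] = {base: []}
    stack = [base]  # current anchor path at each nesting depth
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ANCHOR_OPEN.match(line)
        if m:
            parent = stack[-1]
            path = f"{parent}/{m.group(1)}" if parent else m.group(1)
            stack.append(path)
            rules.setdefault(path, [])
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("closing brace without an open anchor block")
            stack.pop()
        else:
            rules[stack[-1]].append(line)
    if len(stack) != 1:
        raise ValueError(f"unterminated anchor block(s): {stack[1:]}")
    return rules


def find_discrepancies(recursive: Dict[str, List[str]],
                       per_anchor: Dict[str, List[str]]) -> List[str]:
    """Anchors or rules that a per-anchor listing shows but the recursive
    listing lacks or prints differently.  An empty list means they agree."""
    problems: List[str] = []
    for path, rs in per_anchor.items():
        if path not in recursive:
            problems.append(f"anchor {path!r} not shown by recursive listing")
        elif recursive[path] != rs:
            problems.append(f"rules for {path!r} differ: {recursive[path]!r} vs {rs!r}")
    return problems


# Constructed from the thread: `pfctl -sr -a "*"` before the flush ...
LISTING_ALL_BEFORE_FLUSH = """\
anchor "foo" all {
  anchor "bar" all {
    pass in all flags S/SA keep state
  }
}
"""
# ... `pfctl -sr -a "foo/*"`, which reads the same before and after the flush ...
LISTING_FOO_STAR = """\
anchor "bar" all {
  pass in all flags S/SA keep state
}
"""
# ... and `pfctl -sr -a "*"` after `pfctl -Fr`, which prints nothing at all.
LISTING_ALL_AFTER_FLUSH = ""


def compare(all_listing: str, foo_listing: str) -> List[str]:
    """Cross-check a `-a "*"` listing against a `-a "foo/*"` listing."""
    return find_discrepancies(parse_listing(all_listing),
                              parse_listing(foo_listing, base="foo"))


if __name__ == "__main__":
    print("before flush:", compare(LISTING_ALL_BEFORE_FLUSH, LISTING_FOO_STAR) or "consistent")
    print("after flush: ", compare(LISTING_ALL_AFTER_FLUSH, LISTING_FOO_STAR) or "consistent")
```

Run against the two transcripts, the pre-flush pair is consistent, while the post-flush pair reports both `foo` and `foo/bar` as present in the per-anchor view but absent from the recursive one, which is exactly the state the thread describes. Feeding it real output means capturing `pfctl -sr -a "*"` and each `pfctl -sr -a "<anchor>/*"` of interest and calling `find_discrepancies` on the parsed results.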
