Date: Tue, 18 Oct 2022 10:44:32 +0200 From: Kristof Provost <kp@FreeBSD.org> To: Matteo Riondato <matteo@freebsd.org> Cc: Bryan Drewery <bdrewery@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors Message-ID: <9B65580C-2959-4A01-8386-65E5AA596FC2@FreeBSD.org> In-Reply-To: <20221017173704.d3mvikbc25to6snn@host-ubertino-mac-24f5a28a9493.wired.10net.amherst.edu> References: <202209061119.286BJnOV024965@gitrepo.freebsd.org> <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org> <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org> <55FAE484-FD9E-4652-AD1D-45FBF3501CE8@FreeBSD.org> <20221017173704.d3mvikbc25to6snn@host-ubertino-mac-24f5a28a9493.wired.10net.amherst.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--=_MailMate_2B1CB56D-64E4-4500-ADF1-D33BA8E3C1E0_=
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
On 17 Oct 2022, at 19:37, Matteo Riondato wrote:
> On 2022-10-07 at 06:13 EDT, Kristof Provost <kp@FreeBSD.org> wrote:
>>> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>>>> I think there's still a problem here.
>>>>
>>>> pfctl -a '*' -sr works pfctl -a 'name/*' -sr does not.
>>>>
>> So I’ve looked at this a bit more, and I am now going to back away
>> from the whole anchor thing, and try to pretend I didn’t see any of
>> the tentacled horrors that lurk within.
>>
>> To give you an idea of the issues, loading the following ruleset:
>>
>> anchor "foo" {
>> anchor "bar" {
>> pass in
>> }
>> }
>>
>> does exactly what you’d expect:
>>
>> # pfctl -sr -a "*"
>> anchor "foo" all {
>> anchor "bar" all {
>> pass in all flags S/SA keep state
>> }
>> }
>> # pfctl -sr -a "foo/*"
>> anchor "bar" all {
>> pass in all flags S/SA keep state
>> }
>>
>> However, if we `pfctl -Fr` to flush all rules:
>>
>> # pfctl -Fr
>> rules cleared
>> # pfctl -sr -a "*"
>> # pfctl -sr -a "foo/*"
>> anchor "bar" all {
>> pass in all flags S/SA keep state
>> }
>>
>
> How is one supposed to know which rules are really loaded in this
> case?
>
> Printing of rules with anchors being broken (I even get a segmentation
> fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.
>
`pfctl -a "*" -sr` should always produce the expected results, at least
as far as I know.
I’d be very interested in seeing a test case where that core dumps,
because that is indeed very annoying, and might be something I can fix.
> Partially, the question I also have is: is printing of rules broken,
> or is flushing of rules broken, or a third thing? =)
>
To the extent that I currently understand this problem I believe the
issue is that we’re not always stepping into child anchors to print
them. I believe they do get evaluated when the rules are processed. So
it’s the printing that’s broken.
The flushing is .. not broken, but may not do what you’d expect. When
we flush we only flush the root anchor, and other anchors can remain. I
think that’s the main source of the strange behaviour I’ve
described.
Best regards,
Kristof
--=_MailMate_2B1CB56D-64E4-4500-ADF1-D33BA8E3C1E0_=
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/xhtml; charset=3Dutf-8"=
>
</head>
<body><div style=3D"font-family: sans-serif;"><div class=3D"markdown" sty=
le=3D"white-space: normal;">
<p dir=3D"auto">On 17 Oct 2022, at 19:37, Matteo Riondato wrote:</p>
</div><div class=3D"plaintext" style=3D"white-space: normal;"><blockquote=
style=3D"margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136=
BCE; color: #136BCE;"><p dir=3D"auto">On 2022-10-07 at 06:13 EDT, Kristof=
Provost <kp@FreeBSD.org> wrote:</p>
<blockquote style=3D"margin: 0 0 5px; padding-left: 5px; border-left: 2px=
solid #136BCE; border-left-color: #4B89CF; color: #4B89CF;"><blockquote =
style=3D"margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136B=
CE; border-left-color: #4B89CF; color: #4B89CF;"><p dir=3D"auto">On 3 Oct=
2022, at 18:13, Bryan Drewery wrote:</p>
<blockquote style=3D"margin: 0 0 5px; padding-left: 5px; border-left: 2px=
solid #136BCE; border-left-color: #4B89CF; color: #4B89CF;"><p dir=3D"au=
to">I think there's still a problem here.</p>
<p dir=3D"auto">pfctl -a '*' -sr works pfctl -a 'name/*' -sr does not.</p=
>
</blockquote></blockquote><p dir=3D"auto">So I=E2=80=99ve looked at this =
a bit more, and I am now going to back away from the whole anchor thing, =
and try to pretend I didn=E2=80=99t see any of the tentacled horrors that=
lurk within.</p>
<p dir=3D"auto">To give you an idea of the issues, loading the following =
ruleset:</p>
<p dir=3D"auto"> anchor "foo" {
<br>
anchor "bar" {
<br>
pass in
<br>
}
<br>
}</p>
<p dir=3D"auto">does exactly what you=E2=80=99d expect:</p>
<p dir=3D"auto"> # pfctl -sr -a "*"
<br>
anchor "foo" all {
<br>
anchor "bar" all {
<br>
pass in all flags S/SA keep state
<br>
}
<br>
}
<br>
# pfctl -sr -a "foo/*"
<br>
anchor "bar" all {
<br>
pass in all flags S/SA keep state
<br>
}</p>
<p dir=3D"auto">However, if we `pfctl -Fr` to flush all rules:</p>
<p dir=3D"auto"> # pfctl -Fr
<br>
rules cleared
<br>
# pfctl -sr -a "*"
<br>
# pfctl -sr -a "foo/*"
<br>
anchor "bar" all {
<br>
pass in all flags S/SA keep state
<br>
}</p>
</blockquote><p dir=3D"auto">How is one supposed to know which rules are =
really loaded in this case?</p>
<p dir=3D"auto">Printing of rules with anchors being broken (I even get a=
segmentation fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets=
very hard.</p>
<br></blockquote></div>
<div class=3D"markdown" style=3D"white-space: normal;">
<p dir=3D"auto"><code style=3D"padding: 0 0.25em; background-color: #E4E4=
E4;">pfctl -a "*" -sr</code> should always produce the expected=
results, at least as far as I know.<br>
I=E2=80=99d be very interested in seeing a test case where that core dump=
s, because that is indeed very annoying, and might be something I can fix=
=2E</p>
</div><div class=3D"plaintext" style=3D"white-space: normal;"><blockquote=
style=3D"margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136=
BCE; color: #136BCE;"><p dir=3D"auto">Partially, the question I also have=
is: is printing of rules broken, or is flushing of rules broken, or a th=
ird thing? =3D)</p>
<br></blockquote></div>
<div class=3D"markdown" style=3D"white-space: normal;">
<p dir=3D"auto">To the extent that I currently understand this problem I =
believe the issue is that we=E2=80=99re not always stepping into child an=
chors to print them. I believe they do get evaluated when the rules are p=
rocessed. So it=E2=80=99s the printing that=E2=80=99s broken.<br>
The flushing is .. not broken, but may not do what you=E2=80=99d expect. =
When we flush we only flush the root anchor, and other anchors can remain=
=2E I think that=E2=80=99s the main source of the strange behaviour I=E2=80=
=99ve described.</p>
<p dir=3D"auto">Best regards,<br>
Kristof</p>
</div>
</div>
</body>
</html>
--=_MailMate_2B1CB56D-64E4-4500-ADF1-D33BA8E3C1E0_=--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9B65580C-2959-4A01-8386-65E5AA596FC2>