From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 252617] pfctl -a '*' -sn does not recursively print nat-anchors
Date: Tue, 12 Jan 2021 20:31:54 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252617

            Bug ID: 252617
           Summary: pfctl -a '*' -sn does not recursively print nat-anchors
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: guido@kollerie.com

According to "man pfctl" one should use "-a '*'" to recursively print the
main ruleset. That does work for filter anchors (e.g. 'anchor') but not for
NAT anchors (e.g. 'nat-anchor'). Given the loaded ruleset:

ext_if="lagg0"

set skip on lo0
scrub in

nat-anchor vm

block in
pass out
pass in on $ext_if proto tcp from any to ($ext_if) port { ssh, domain, http, https }
pass in on $ext_if proto udp to ($ext_if) port domain
pass in on $ext_if inet proto icmp to ($ext_if) icmp-type { unreach, redir, timex, echoreq }

anchor vm

Running:

pfctl -a vm -f - < (lagg0)
pass in on vm-public
EOT

should load the new NAT and filter rules into the appropriate anchor
positions. When we run:

pfctl -a '*' -sr

the filter ruleset is properly recursively printed:

scrub in all fragment reassemble
block drop in all
pass in on lagg0 proto tcp from any to (lagg0) port = ssh flags S/SA keep state
pass in on lagg0 proto tcp from any to (lagg0) port = domain flags S/SA keep state
pass in on lagg0 proto tcp from any to (lagg0) port = http flags S/SA keep state
pass in on lagg0 proto tcp from any to (lagg0) port = https flags S/SA keep state
pass in on lagg0 proto udp from any to (lagg0) port = domain keep state
pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type unreach keep state
pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type redir keep state
pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type timex keep state
pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type echoreq keep state
pass out all flags S/SA keep state
anchor "vm" all {
  pass in on vm-public all flags S/SA keep state
}

The NAT ruleset, however, is not:

pfctl -a '*' -sn

prints:

nat-anchor "vm" all

Only when we explicitly name the anchor will the NAT ruleset be printed:

pfctl -a vm -sn

prints:

nat on lagg0 inet from 10.0.128.0/24 to any -> (lagg0) round-robin

I would have expected both "-a '*'" and "-a vm" to produce the same output.

-- 
You are receiving this mail because:
You are the assignee for the bug.
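The practical consequence of the behaviour reported above is that an audit which relies on `pfctl -a '*' -sn` alone will not see NAT rules that live inside anchors. The script below is an added example, not part of the bug report or of pfctl itself: it walks the anchor tree explicitly (`pfctl -sA` for the main ruleset, `pfctl -a <anchor> -sA` below it), collects the NAT rules of every anchor with `pfctl -a <anchor> -sn`, and reports which of those rules the recursive print leaves out. It assumes that `-sA` prints one full anchor path per line (`vm`, then `vm/child` for nested anchors). The `fake_pfctl` runner and its `FAKE_OUTPUT` table are constructed from the outputs quoted in the report so the walk can be exercised on a machine without pf; on a real host pass `real_pfctl` instead.

```python
"""Walk every pf anchor and collect its NAT rules, then compare against
what ``pfctl -a '*' -sn`` prints, so NAT rules hidden in anchors are not
missed during a firewall review.  Added example, not pfctl's own code."""
import subprocess
from typing import Callable, Dict, List

# A runner takes pfctl arguments (without the program name) and returns stdout.
Runner = Callable[[List[str]], str]


def real_pfctl(args: List[str]) -> str:
    """Run the real pfctl(8); needs root on a host with pf."""
    proc = subprocess.run(["pfctl", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


# Constructed outputs, copied from the bug report, keyed by pfctl arguments.
# They reproduce the reported behaviour: the recursive print shows only the
# nat-anchor reference, while naming the anchor shows its nat rule.
FAKE_OUTPUT: Dict[tuple, str] = {
    ("-sA",): "  vm\n",
    ("-a", "vm", "-sA"): "",
    ("-sn",): 'nat-anchor "vm" all\n',
    ("-a", "*", "-sn"): 'nat-anchor "vm" all\n',
    ("-a", "vm", "-sn"):
        "nat on lagg0 inet from 10.0.128.0/24 to any -> (lagg0) round-robin\n",
}


def fake_pfctl(args: List[str]) -> str:
    """Offline stand-in for pfctl built from the constructed table above."""
    return FAKE_OUTPUT.get(tuple(args), "")


def list_anchors(run: Runner, parent: str = "") -> List[str]:
    """Direct child anchors of ``parent`` ('' means the main ruleset).

    Assumption: ``pfctl [-a parent] -sA`` prints one full anchor path per
    line, e.g. ``  vm`` at top level and ``  vm/child`` one level down."""
    args = ["-a", parent, "-sA"] if parent else ["-sA"]
    return [line.strip() for line in run(args).splitlines() if line.strip()]


def anchor_nat_rules(run: Runner, anchor: str = "") -> List[str]:
    """Translation rules directly inside one anchor.  The *-anchor lines are
    dropped: they only point at child anchors, which the walk visits itself."""
    args = ["-a", anchor, "-sn"] if anchor else ["-sn"]
    rules = []
    for line in run(args).splitlines():
        line = line.strip()
        if line and not line.startswith(("nat-anchor", "rdr-anchor",
                                         "binat-anchor")):
            rules.append(line)
    return rules


def collect_nat_rules(run: Runner, anchor: str = "") -> Dict[str, List[str]]:
    """Depth-first walk of the anchor tree: {anchor path: [NAT rules]}.
    The main ruleset is keyed as '/'."""
    result = {anchor or "/": anchor_nat_rules(run, anchor)}
    for child in list_anchors(run, anchor):
        result.update(collect_nat_rules(run, child))
    return result


def nat_rules_missing_from_recursive_print(run: Runner) -> List[str]:
    """Rules found by the walk that ``pfctl -a '*' -sn`` does not print.
    An empty list means the recursive NAT print was complete."""
    shown = {line.strip() for line in run(["-a", "*", "-sn"]).splitlines()}
    missing = []
    for path, rules in collect_nat_rules(run).items():
        for rule in rules:
            if rule not in shown:
                missing.append(f"{path}: {rule}")
    return missing


if __name__ == "__main__":
    for path, rules in collect_nat_rules(fake_pfctl).items():
        print(path, rules)
    print("missing from 'pfctl -a \"*\" -sn':",
          nat_rules_missing_from_recursive_print(fake_pfctl))
```

With the constructed outputs the walk finds the `vm` anchor's nat rule and reports it as missing from the recursive print, which is exactly the gap the report describes; once the recursive print includes anchored NAT rules, the same check returns an empty list.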