Date: Fri, 28 Apr 2006 12:42:13 +0400 From: Boris Polevoy <vapcom@mail.ru> To: freebsd-pf@freebsd.org Cc: mlaier@freebsd.org, pf@benzedrine.cx Subject: PF with subanchors possible bug Message-ID: <E1FZOYH-0002ho-00.vapcom-mail-ru@f22.mail.ru>
next in thread | raw e-mail | index | archive | help
Hello, All!
Some possible bug in PF FreeBSD 6.0-RELEASE (same seems be in RELENG_6).
PF have strange behaviour with subanchors. Test configs:
pf.conf:
table <test> { 10.0.0.0/8 }
anchor "external" all
load anchor "external" from "pf.sub.conf"
pf.sub.conf:
anchor "internal"
load anchor "internal" from "pf.sub.sub.conf"
pf.sub.sub.conf:
pass in quick from <test> to any
Results:
# pfctl -q -f pf.conf
# pfctl -q -s rules
anchor "external" all
One anchor rule, as in pf.conf, but
# pfctl -q -s Anchors
external
internal
show two anchors in main ruleset.
# pfctl -q -s Anchors -v
external
external/internal
internal
Same as before with recurcive anchors layout. Anchors have correct rules:
# pfctl -q -s rules -a external
anchor "internal" all
# pfctl -q -s rules -a internal
pass in quick from <test> to any
This situation repeat in case PF direct control via ioctl(DIOCADDRULE).
During PF analis I have found in pf_table.c/pfr_attach_table():
struct pfr_ktable *kt, *rt;
struct pfr_table tbl;
struct pf_anchor *ac = rs->anchor;
...
if (ac != NULL)
strlcpy(tbl.pfrt_anchor, ac->name, sizeof(tbl.pfrt_anchor));
^^^^^^^^^
...
kt= pfr_lookup_table(&tbl);
if (kt == NULL) {
pfr_create_ktable(&tbl, time_second, 1);
...
In case ac->name == "internal", ac->path == "external/internal"
function pfr_create_ktable() lookup ruleset tbl.pfrt_anchor, don't find it,
and create new ruleset with name "internal". Seems this code must be:
if (ac != NULL)
strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
^^^^^^^^^
Is it bug or not?
With best regards
Boris Polevoy
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1FZOYH-0002ho-00.vapcom-mail-ru>