Date: Fri, 07 Oct 2022 11:13:48 +0100
From: Kristof Provost <kp@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, matteo@freebsd.org
Subject: Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors
Message-ID: <55FAE484-FD9E-4652-AD1D-45FBF3501CE8@FreeBSD.org>
In-Reply-To: <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org>
References: <202209061119.286BJnOV024965@gitrepo.freebsd.org> <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org> <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org>
> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>> I think there's still a problem here.
>>
>> pfctl -a '*' -sr works
>> pfctl -a 'name/*' -sr does not.
>>
So I’ve looked at this a bit more, and I am now going to back away
from the whole anchor thing, and try to pretend I didn’t see any of
the tentacled horrors that lurk within.
To give you an idea of the issues, loading the following ruleset:
anchor "foo" {
  anchor "bar" {
    pass in
  }
}
does exactly what you’d expect:
# pfctl -sr -a "*"
anchor "foo" all {
  anchor "bar" all {
    pass in all flags S/SA keep state
  }
}
# pfctl -sr -a "foo/*"
anchor "bar" all {
  pass in all flags S/SA keep state
}
However, if we `pfctl -Fr` to flush all rules:
# pfctl -Fr
rules cleared
# pfctl -sr -a "*"
# pfctl -sr -a "foo/*"
anchor "bar" all {
  pass in all flags S/SA keep state
}
Unloading pf to actually delete the bar anchor, and then we set:
anchor "foo"
And then
# echo "pass" | pfctl -g -f - -a "foo/bar"
# pfctl -sr -a "*"
anchor "foo" all {
}
# pfctl -sr -a "foo/*"
# pfctl -sr -a "foo/bar"
pass all flags S/SA keep state
There are a lot of issues there, and it’ll take a lot of time and
effort to root them out. My plan is to drink heavily and attempt to
forget.
Kristof
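The three states shown above, reproduced offline by an added audit script that is not part of this thread or of pfctl itself: it parses `pfctl -sr` listings into a tree of anchor paths and flags any anchor whose rules are reachable through a direct query such as `-a 'foo/*'` or `-a 'foo/bar'` but do not appear in the recursive `-a '*'` listing. The runner callable, the `ANCHOR_OPEN` regex for nested anchor blocks and the constructed pfctl outputs are assumptions; `default_runner` only works as root on a FreeBSD host with pf loaded, so the demonstration below uses a fake runner keyed by query string.

```python
"""Audit pf anchor visibility: compare the recursive listing from
`pfctl -sr -a '*'` with what per-anchor queries return.

Added example, not part of the FreeBSD commit thread or of pfctl.
Assumptions: `pfctl -sr -a <query>` stdout is supplied by a runner
callable, and nested anchors print as `anchor "name" ... {` blocks
closed by a bare `}`.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Opening line of a nested anchor block in recursive (wildcard) output.
ANCHOR_OPEN = re.compile(r'^anchor\s+"([^"]+)"\s.*\{$')

Tree = Dict[str, List[str]]      # anchor path ("" = query root) -> rule lines
Runner = Callable[[str], str]    # query string -> pfctl stdout


def default_runner(query: str) -> str:
    """Run `pfctl -sr -a <query>` on FreeBSD (root required), return stdout."""
    return subprocess.run(["pfctl", "-sr", "-a", query],
                          check=True, capture_output=True, text=True).stdout


def parse_listing(listing: str) -> Tree:
    """Parse `pfctl -sr` output into {anchor path: [rules]}.

    Rules directly under the queried anchor land under "". An
    `anchor "x" ... {` line opens a nested block and is recorded as a
    child path, not as a rule of its parent; a brace-less anchor line
    (non-recursive listing) is kept as a plain rule.
    """
    tree: Tree = {"": []}
    stack: List[str] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ANCHOR_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            tree.setdefault("/".join(stack), [])
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in pfctl output")
            stack.pop()
        else:
            tree["/".join(stack)].append(line)
    if stack:
        raise ValueError("unterminated anchor block(s): " + "/".join(stack))
    return tree


def audit(run: Runner, extra_queries: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (anchor path, problem) pairs where a direct query disagrees
    with the recursive '*' listing.

    Top-level anchors seen via '*' are re-queried as 'name/*'. Extra
    queries ('foo/*', 'foo/bar') probe anchors that '*' no longer shows,
    which is the situation the mail describes after `pfctl -Fr`.
    """
    full = parse_listing(run("*"))
    queries = [f"{p}/*" for p in full if p and "/" not in p]
    queries += list(extra_queries)

    problems: List[Tuple[str, str]] = []
    for query in queries:
        base = query[:-2] if query.endswith("/*") else query
        sub = parse_listing(run(query))
        for rel, rules in sub.items():
            path = "/".join(x for x in (base, rel) if x)
            if path not in full:
                problems.append((path, f"{len(rules)} rule(s) reachable via "
                                       f"-a '{query}' but absent from -a '*'"))
            elif full[path] != rules:
                problems.append((path, f"rules via -a '{query}' differ from -a '*'"))
    return problems


# Constructed pfctl outputs reproducing the three states shown in the mail.
FRESH = {    # ruleset just loaded: both views agree
    "*": 'anchor "foo" all {\n  anchor "bar" all {\n    pass in all flags S/SA keep state\n  }\n}\n',
    "foo/*": 'anchor "bar" all {\n  pass in all flags S/SA keep state\n}\n',
}
FLUSHED = {  # after `pfctl -Fr`: '*' is empty, yet 'foo/*' still shows bar
    "*": "",
    "foo/*": 'anchor "bar" all {\n  pass in all flags S/SA keep state\n}\n',
}
ORPHAN = {   # `anchor "foo"` reloaded, then a rule loaded into foo/bar
    "*": 'anchor "foo" all {\n}\n',
    "foo/*": "",
    "foo/bar": "pass all flags S/SA keep state\n",
}


def fake_runner(outputs: Dict[str, str]) -> Runner:
    """Offline runner built from a {query: stdout} table (unknown -> empty)."""
    return lambda query: outputs.get(query, "")


if __name__ == "__main__":
    for name, table, extra in (("fresh", FRESH, []),
                               ("flushed", FLUSHED, ["foo/*"]),
                               ("orphan", ORPHAN, ["foo/bar"])):
        for path, problem in audit(fake_runner(table), extra) or [("-", "consistent")]:
            print(f"{name:8s} {path:10s} {problem}")
```

On a live host, call `audit(default_runner, extra_queries=[...])` with the anchor paths your pf.conf is expected to contain; anything reported is a rule that a review of `pfctl -sr -a '*'` alone would never show. Whether such a leftover `pass` rule still matches traffic is not something the thread establishes, so treat a hit as a prompt to inspect, not as proof of exposure.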
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55FAE484-FD9E-4652-AD1D-45FBF3501CE8>
