Date: Tue, 18 Oct 2022 10:44:32 +0200 From: Kristof Provost <kp@FreeBSD.org> To: Matteo Riondato <matteo@freebsd.org> Cc: Bryan Drewery <bdrewery@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org Subject: Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors Message-ID: <9B65580C-2959-4A01-8386-65E5AA596FC2@FreeBSD.org> In-Reply-To: <20221017173704.d3mvikbc25to6snn@host-ubertino-mac-24f5a28a9493.wired.10net.amherst.edu> References: <202209061119.286BJnOV024965@gitrepo.freebsd.org> <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org> <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org> <55FAE484-FD9E-4652-AD1D-45FBF3501CE8@FreeBSD.org> <20221017173704.d3mvikbc25to6snn@host-ubertino-mac-24f5a28a9493.wired.10net.amherst.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --]
On 17 Oct 2022, at 19:37, Matteo Riondato wrote:
> On 2022-10-07 at 06:13 EDT, Kristof Provost <kp@FreeBSD.org> wrote:
>>> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>>>> I think there's still a problem here.
>>>>
>>>> pfctl -a '*' -sr works pfctl -a 'name/*' -sr does not.
>>>>
>> So I’ve looked at this a bit more, and I am now going to back away
>> from the whole anchor thing, and try to pretend I didn’t see any of
>> the tentacled horrors that lurk within.
>>
>> To give you an idea of the issues, loading the following ruleset:
>>
>> anchor "foo" {
>> anchor "bar" {
>> pass in
>> }
>> }
>>
>> does exactly what you’d expect:
>>
>> # pfctl -sr -a "*"
>> anchor "foo" all {
>> anchor "bar" all {
>> pass in all flags S/SA keep state
>> }
>> }
>> # pfctl -sr -a "foo/*"
>> anchor "bar" all {
>> pass in all flags S/SA keep state
>> }
>>
>> However, if we `pfctl -Fr` to flush all rules:
>>
>> # pfctl -Fr
>> rules cleared
>> # pfctl -sr -a "*"
>> # pfctl -sr -a "foo/*"
>> anchor "bar" all {
>> pass in all flags S/SA keep state
>> }
>>
>
> How is one supposed to know which rules are really loaded in this
> case?
>
> Printing of rules with anchors being broken (I even get a segmentation
> fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.
>
`pfctl -a "*" -sr` should always produce the expected results, at least
as far as I know.
I’d be very interested in seeing a test case where that core dumps,
because that is indeed very annoying, and might be something I can fix.
> Partially, the question I also have is: is printing of rules broken,
> or is flushing of rules broken, or a third thing? =)
>
To the extent that I currently understand this problem I believe the
issue is that we’re not always stepping into child anchors to print
them. I believe they do get evaluated when the rules are processed. So
it’s the printing that’s broken.
The flushing is .. not broken, but may not do what you’d expect. When
we flush we only flush the root anchor, and other anchors can remain. I
think that’s the main source of the strange behaviour I’ve
described.
Best regards,
Kristof
[-- Attachment #2 --]
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
</head>
<body><div style="font-family: sans-serif;"><div class="markdown" style="white-space: normal;">
<p dir="auto">On 17 Oct 2022, at 19:37, Matteo Riondato wrote:</p>
</div><div class="plaintext" style="white-space: normal;"><blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; color: #136BCE;"><p dir="auto">On 2022-10-07 at 06:13 EDT, Kristof Provost <kp@FreeBSD.org> wrote:</p>
<blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; border-left-color: #4B89CF; color: #4B89CF;"><blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; border-left-color: #4B89CF; color: #4B89CF;"><p dir="auto">On 3 Oct 2022, at 18:13, Bryan Drewery wrote:</p>
<blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; border-left-color: #4B89CF; color: #4B89CF;"><p dir="auto">I think there's still a problem here.</p>
<p dir="auto">pfctl -a '*' -sr works pfctl -a 'name/*' -sr does not.</p>
</blockquote></blockquote><p dir="auto">So I’ve looked at this a bit more, and I am now going to back away from the whole anchor thing, and try to pretend I didn’t see any of the tentacled horrors that lurk within.</p>
<p dir="auto">To give you an idea of the issues, loading the following ruleset:</p>
<p dir="auto"> anchor "foo" {
<br>
anchor "bar" {
<br>
pass in
<br>
}
<br>
}</p>
<p dir="auto">does exactly what you’d expect:</p>
<p dir="auto"> # pfctl -sr -a "*"
<br>
anchor "foo" all {
<br>
anchor "bar" all {
<br>
pass in all flags S/SA keep state
<br>
}
<br>
}
<br>
# pfctl -sr -a "foo/*"
<br>
anchor "bar" all {
<br>
pass in all flags S/SA keep state
<br>
}</p>
<p dir="auto">However, if we `pfctl -Fr` to flush all rules:</p>
<p dir="auto"> # pfctl -Fr
<br>
rules cleared
<br>
# pfctl -sr -a "*"
<br>
# pfctl -sr -a "foo/*"
<br>
anchor "bar" all {
<br>
pass in all flags S/SA keep state
<br>
}</p>
</blockquote><p dir="auto">How is one supposed to know which rules are really loaded in this case?</p>
<p dir="auto">Printing of rules with anchors being broken (I even get a segmentation fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.</p>
<br></blockquote></div>
<div class="markdown" style="white-space: normal;">
<p dir="auto"><code style="padding: 0 0.25em; background-color: #E4E4E4;">pfctl -a "*" -sr</code> should always produce the expected results, at least as far as I know.<br>
I’d be very interested in seeing a test case where that core dumps, because that is indeed very annoying, and might be something I can fix.</p>
</div><div class="plaintext" style="white-space: normal;"><blockquote style="margin: 0 0 5px; padding-left: 5px; border-left: 2px solid #136BCE; color: #136BCE;"><p dir="auto">Partially, the question I also have is: is printing of rules broken, or is flushing of rules broken, or a third thing? =)</p>
<br></blockquote></div>
<div class="markdown" style="white-space: normal;">
<p dir="auto">To the extent that I currently understand this problem I believe the issue is that we’re not always stepping into child anchors to print them. I believe they do get evaluated when the rules are processed. So it’s the printing that’s broken.<br>
The flushing is .. not broken, but may not do what you’d expect. When we flush we only flush the root anchor, and other anchors can remain. I think that’s the main source of the strange behaviour I’ve described.</p>
<p dir="auto">Best regards,<br>
Kristof</p>
</div>
</div>
</body>
</html>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9B65580C-2959-4A01-8386-65E5AA596FC2>