Date: Sun, 13 Jul 2025 22:36:56 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 288197] [PATCH] fix pf_fallback_rules for multiple rules
Message-ID: <bug-288197-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288197

            Bug ID: 288197
           Summary: [PATCH] fix pf_fallback_rules for multiple rules
           Product: Base System
           Version: 14.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: mike@jellydonut.org

Created attachment 262121
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=262121&action=edit
quoted $pf_fallback_rules fix

Found what appears to be a bug with pf_fallback_rules in /etc/rc.d/pf.
Attempting to use more than a single pf rule with this setting in
/etc/rc.conf fails on each pf start/restart attempt with a stdin syntax
error on line 1 (ignore the "pf/etc/pf.conf:10 syntax error" -- that's me
intentionally breaking syntax in /etc/pf.conf to initiate the
pf_fallback_rules to load):

## /etc/rc.conf
pf_fallback_rules_enable="YES"
pf_fallback_rules="
block drop all
pass quick all"

## dmesg -a
...
Enabling pf/etc/pf.conf:10: syntax error
pfctl: Syntax error in config file: pf rules not loaded
/etc/rc: WARNING: Unable to load /etc/pf.conf.
/etc/rc: WARNING: Loading fallback rules:
block drop all
pass quick all
stdin:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
.
...

The rules are indeed valid, though passed incorrectly to pfctl via stdin
as near as I can tell in /etc/rc.d/pf, which has:

...
        else
                warn "Loading fallback rules: $pf_fallback_rules"
                echo $pf_fallback_rules | $pf_program -f - $pf_flags
        fi
...

Since the echo of $pf_fallback_rules is unquoted the line breaks are not
maintained which breaks pfctl ruleset syntax. Testing this subset of
/etc/rc.d/pf in /bin/sh did indicate the unquoted $pf_fallback_rules will
fail even if rules are valid when more than one rule is involved.

$ pf_fallback_rules="
block all
pass in all"
$ (set -x ; echo $pf_fallback_rules | pfctl -nvf - )
+ echo block all pass in all
+ pfctl -nvf -
stdin:1: syntax error
$ (set -x ; echo "$pf_fallback_rules" | pfctl -nvf - )
+ echo '
block all
pass in all'
+ pfctl -nvf -
block drop all
pass in all flags S/SA keep state

Quoting the 'echo "$pf_fallback_rules"' in /etc/rc.d/pf does indeed fix
the issue in my environment. Alternatively setting IFS to null and echoing
$pf_fallback_rules unquoted also provides valid ruleset syntax for pfctl:

$ (set -x ; IFS= ; echo $pf_fallback_rules | pfctl -nvf - )
+ IFS=''
+ echo '
block all
pass in all'
+ pfctl -nvf -
block drop all
pass in all flags S/SA keep state

I have 2 simple patches, one with quoted $pf_fallback_rules and an
alternative fix with the IFS setting change via subshell. In both cases
I've also updated rc.conf(5) to indicate that newlines should not be
backslash-escaped when they're quoted in /etc/rc.conf. I personally think
the quoted fix1 is simpler but I'm not sure exactly which is proper within
the rc environment.

-- 
You are receiving this mail because:
You are the assignee for the bug.
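The word-splitting effect the report describes, as an added example that is not the reporter's patch or the rc.d code: a /bin/sh script that feeds a multi-line ruleset through the unquoted expansion, the quoted expansion, and the empty-IFS subshell. Since pfctl is not assumed to be installed, check_ruleset is a constructed stand-in for "pfctl -nvf -" that reads stdin one rule per line and rejects any line carrying more than one action keyword; the ruleset is constructed in the rc.conf style shown above.

```shell
#!/bin/sh
# Added example, not the reporter's patch. Reproduces the word-splitting
# problem from the bug report without needing pfctl: check_ruleset is a
# constructed stand-in for "pfctl -nvf -" that reads stdin one rule per
# line and rejects a line carrying more than one action keyword.

# Constructed ruleset in the rc.conf style shown in the report: a leading
# newline, then one rule per line.
pf_fallback_rules="
block drop all
pass quick all"

# Stand-in for pfctl's parser: prints the number of rules accepted, or
# reports a syntax error and returns 1.
check_ruleset() {
    rules=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue      # pfctl skips blank lines
        actions=0
        for word in $line; do
            case $word in
                block|pass|match) actions=$((actions + 1)) ;;
            esac
        done
        if [ "$actions" -ne 1 ]; then
            echo "stdin: syntax error: $line" >&2
            return 1
        fi
        rules=$((rules + 1))
    done
    echo "$rules"
}

# The buggy form from /etc/rc.d/pf: the unquoted expansion is split on
# $IFS (space, tab, newline), so the parser receives the single line
# "block drop all pass quick all", the same shape as "stdin:1: syntax error".
feed_unquoted() { echo $pf_fallback_rules | check_ruleset; }

# Fix 1 from the report: the quoted expansion keeps the newlines intact.
feed_quoted() { echo "$pf_fallback_rules" | check_ruleset; }

# Fix 2 from the report: with IFS empty there is no field splitting, so
# the unquoted expansion also stays one argument with its newlines.
feed_ifs_empty() { ( IFS=; echo $pf_fallback_rules ) | check_ruleset; }
```

Running feed_quoted or feed_ifs_empty prints 2 (both rules accepted); feed_unquoted prints a syntax error and fails, mirroring the rc start failure in the report.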
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-288197-227>
