Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors
- In reply to: Kristof Provost : "Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors"
Date: Fri, 07 Oct 2022 17:27:29 UTC
On 10/7/2022 3:13 AM, Kristof Provost wrote:
> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
> > I think there's still a problem here.
> >
> > pfctl -a '*' -sr works
> > pfctl -a 'name/*' -sr does not.
> >
> So I’ve looked at this a bit more, and I am now going to back away from
> the whole anchor thing, and try to pretend I didn’t see any of the
> tentacled horrors that lurk within.
>
> To give you an idea of the issues, loading the following ruleset:
>
>     anchor "foo" {
>         anchor "bar" {
>             pass in
>         }
>     }
>
> does exactly what you’d expect:
>
>     # pfctl -sr -a "*"
>     anchor "foo" all {
>       anchor "bar" all {
>         pass in all flags S/SA keep state
>       }
>     }
>     # pfctl -sr -a "foo/*"
>     anchor "bar" all {
>       pass in all flags S/SA keep state
>     }
>
> However, if we pfctl -Fr to flush all rules:
>
>     # pfctl -Fr
>     rules cleared
>     # pfctl -sr -a "*"
>     # pfctl -sr -a "foo/*"
>     anchor "bar" all {
>       pass in all flags S/SA keep state
>     }
>
> Unloading pf to actually delete the bar anchor, and then we set:
>
>     anchor "foo"
>
> And then
>
>     # echo "pass" | pfctl -g -f - -a "foo/bar"
>     # pfctl -sr -a "*"
>     anchor "foo" all {
>     }
>     # pfctl -sr -a "foo/*"
>     # pfctl -sr -a "foo/bar"
>     pass all flags S/SA keep state
>
> There are a lot of issues there, and it’ll take a lot of time and effort
> to root them out. My plan is to drink heavily and attempt to forget.

Hah. Well thank you for looking at it! I do think it's not something to stress about too much.

>
> Kristof
>

-- 
Bryan Drewery