From: Kristof Provost
To: Bryan Drewery
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, matteo@freebsd.org
Subject: Re: git: cfa1a1308709 - main - pfctl: fix recursive printing of ethernet anchors
Date: Mon, 03 Oct 2022 23:17:49 +0100
Message-ID: <46F2B94F-DBCB-4E55-8055-051393C900C8@FreeBSD.org>
In-Reply-To: <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org>
References: <202209061119.286BJnOV024965@gitrepo.freebsd.org> <3fd7be3f-90b1-ae87-1b4e-8b183acf1a9c@FreeBSD.org>
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Thanks for the report. I’ll try to dig into that in the next couple of days.

Best regards,
Kristof

On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
> I think there's still a problem here.
>
> pfctl -a '*' -sr works
> pfctl -a 'name/*' -sr does not.
>
> On 9/6/2022 4:19 AM, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=cfa1a13087096fe93d7a2976015ccda243476a64
>>
>> commit cfa1a13087096fe93d7a2976015ccda243476a64
>> Author: Kristof Provost
>> AuthorDate: 2022-09-01 09:45:19 +0000
>> Commit: Kristof Provost
>> CommitDate: 2022-09-06 11:19:10 +0000
>>
>> pfctl: fix recursive printing of ethernet anchors
>>
>> Similar to the preceding fix for layer three rules, ensure that we
>> recursively list wildcard anchors for ethernet rules.
>>
>> MFC after: 3 weeks
>> Sponsored by: Rubicon Communications, LLC ("Netgate")
>> Differential Revision: https://reviews.freebsd.org/D36417
>> --- >> sbin/pfctl/parse.y | 9 ++++++- >> sbin/pfctl/pfctl.c | 79 ++++++++++++++++++++++++++++++++++++++++++++= +--------- >> 2 files changed, 75 insertions(+), 13 deletions(-) >> >> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y >> index 5d0320e909fb..eea9f89782be 100644 >> --- a/sbin/pfctl/parse.y >> +++ b/sbin/pfctl/parse.y 
>> @@ -1276,7 +1276,14 @@ etheranchorrule : ETHER ANCHOR anchorname dir q= uick interface etherproto etherfr >> memset(&r, 0, sizeof(r)); >> if (pf->eastack[pf->asd + 1]) { >> - /* move inline rules into relative location */ >> + if ($3 && strchr($3, '/') !=3D NULL) { >> + free($3); >> + yyerror("anchor paths containing '/' " >> + "cannot be used for inline anchors."); >> + YYERROR; >> + } >> + >> + /* Move inline rules into relative location. */ >> pfctl_eth_anchor_setup(pf, &r, >> &pf->eastack[pf->asd]->ruleset, >> $3 ? $3 : pf->ealast->name); >> diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c >> index 0445fdd32ea7..bc6f14e1c197 100644 >> --- a/sbin/pfctl/pfctl.c >> +++ b/sbin/pfctl/pfctl.c >> @@ -99,7 +99,7 @@ int pfctl_get_pool(int, struct pfctl_pool *, u_int3= 2_t, u_int32_t, int, >> char *); >> void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int); >> void pfctl_print_rule_counters(struct pfctl_rule *, int); >> -int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, = int); >> +int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, = int, int); >> int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int= , int); >> int pfctl_show_nat(int, char *, int, char *, int); >> int pfctl_show_src_nodes(int, int); 
>> @@ -1091,20 +1091,73 @@ pfctl_print_title(char *title) >> int >> pfctl_show_eth_rules(int dev, char *path, int opts, enum pfctl_show = format, >> - char *anchorname, int depth) >> + char *anchorname, int depth, int wildcard) >> { >> char anchor_call[MAXPATHLEN]; >> struct pfctl_eth_rules_info info; >> struct pfctl_eth_rule rule; >> + int brace; >> int dotitle =3D opts & PF_OPT_SHOWALL; >> int len =3D strlen(path); >> - int brace; >> - char *p; >> + char *npath, *p; >> - if (path[0]) >> - snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); >> - else >> - snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); >> + /* >> + * Truncate a trailing / and * on an anchorname before searching for= >> + * the ruleset, this is syntactic sugar that doesn't actually make i= t >> + * to the kernel. >> + */ >> + if ((p =3D strrchr(anchorname, '/')) !=3D NULL && >> + p[1] =3D=3D '*' && p[2] =3D=3D '\0') { >> + p[0] =3D '\0'; >> + } >> + >> + if (anchorname[0] =3D=3D '/') { >> + if ((npath =3D calloc(1, MAXPATHLEN)) =3D=3D NULL) >> + errx(1, "pfctl_rules: calloc"); >> + snprintf(npath, MAXPATHLEN, "%s", anchorname); >> + } else { >> + if (path[0]) >> + snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); >> + else >> + snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); >> + npath =3D path; >> + } >> + >> + /* >> + * If this anchor was called with a wildcard path, go through >> + * the rulesets in the anchor rather than the rules. 
>> + */ >> + if (wildcard && (opts & PF_OPT_RECURSE)) { >> + struct pfctl_eth_rulesets_info ri; >> + u_int32_t mnr, nr; >> + >> + if (pfctl_get_eth_rulesets_info(dev, &ri, npath)) { >> + if (errno =3D=3D EINVAL) { >> + fprintf(stderr, "Anchor '%s' " >> + "not found.\n", anchorname); >> + } else { >> + warn("DIOCGETETHRULESETS"); >> + return (-1); >> + } >> + } >> + mnr =3D ri.nr; >> + >> + pfctl_print_eth_rule_counters(&rule, opts); >> + for (nr =3D 0; nr < mnr; ++nr) { >> + struct pfctl_eth_ruleset_info rs; >> + >> + if (pfctl_get_eth_ruleset(dev, npath, nr, &rs)) >> + err(1, "DIOCGETETHRULESET"); >> + INDENT(depth, !(opts & PF_OPT_VERBOSE)); >> + printf("anchor \"%s\" all {\n", rs.name); >> + pfctl_show_eth_rules(dev, npath, opts, >> + format, rs.name, depth + 1, 0); >> + INDENT(depth, !(opts & PF_OPT_VERBOSE)); >> + printf("}\n"); >> + } >> + path[len] =3D '\0'; >> + return (0); >> + } >> if (pfctl_get_eth_rules_info(dev, &info, path)) { >> warn("DIOCGETETHRULES"); >> @@ -1141,7 +1194,7 @@ pfctl_show_eth_rules(int dev, char *path, int op= ts, enum pfctl_show format, >> pfctl_print_eth_rule_counters(&rule, opts); >> if (brace) { >> pfctl_show_eth_rules(dev, path, opts, format, >> - p, depth + 1); >> + p, depth + 1, rule.anchor_wildcard); >> INDENT(depth, !(opts & PF_OPT_VERBOSE)); >> printf("}\n"); >> } >> @@ -2988,13 +3041,15 @@ main(int argc, char *argv[]) >> pfctl_show_limits(dev, opts); >> break; >> case 'e': >> - pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0); >> + pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0, >> + 0); >> break; >> case 'a': >> opts |=3D PF_OPT_SHOWALL; >> pfctl_load_fingerprints(dev, opts); >> - pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0); >> + pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0, >> + 0); >> pfctl_show_nat(dev, path, opts, anchorname, 0); >> pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0); 
>> @@ -3023,7 +3078,7 @@ main(int argc, char *argv[]) >> if ((opts & PF_OPT_CLRRULECTRS) && showopt =3D=3D NULL) { >> pfctl_show_eth_rules(dev, path, opts, PFCTL_SHOW_NOTHING, >> - anchorname, 0); >> + anchorname, 0, 0); >> pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING, >> anchorname, 0, 0); >> } > > -- = > Bryan Drewery
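Review bot: the new check in the etheranchorrule hunk of parse.y that rejects a '/' in an inline anchor name (`if ($3 && strchr($3, '/') != NULL)` followed by `yyerror("anchor paths containing '/' cannot be used for inline anchors.")`) is a user-visible parser restriction that the commit message does not mention; the message only describes the recursive listing fix. Add a sentence to the commit message explaining why an inline ethernet anchor cannot carry a path (and a matching note wherever pf.conf(5) describes inline anchors, if it does), so that a ruleset that now fails to load is recognisably rejected on purpose rather than by a regression.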
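Review bot: in the new wildcard branch of pfctl_show_eth_rules (the @@ -1091 hunk of pfctl.c), the EINVAL path falls through after printing "Anchor '%s' not found.": `ri` has not been filled in, yet the very next statement is `mnr = ri.nr;` and the loop then calls pfctl_get_eth_ruleset() on whatever that uninitialised count happens to be. Restore `path[len] = '\0'` and return right after the "not found" message (or zero `ri` before the call) so the loop only ever runs over a count the kernel actually produced. Two smaller points in the same hunk: `pfctl_print_eth_rule_counters(&rule, opts)` is called while `rule` is still uninitialised, since nothing in this branch loads a rule, so any counter line it prints comes from stack garbage; and the calloc failure message reads "pfctl_rules: calloc" although the function is pfctl_show_eth_rules, while the calloc'd `npath` is never freed before `return (0)`.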
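Review bot: both new calls in the @@ -2988 hunk of main() pass a literal 0 as the new wildcard argument, so from main() pfctl_show_eth_rules never reaches its rulesets branch: the callee truncates a trailing "/*" from anchorname, but nothing sets `wildcard` from that suffix, which makes `-a 'name/*' -s ether` behave like `-a 'name'` (list that anchor's own rules) instead of walking its sub-anchors. Either have main() detect the "/*" suffix and pass wildcard = 1, or set `wildcard = 1` at the point in pfctl_show_eth_rules where the suffix is cut off; the wildcard branch is currently reachable only through the recursive call that passes `rule.anchor_wildcard`.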