Date: Mon, 17 Oct 2022 13:37:04 -0400
From: Matteo Riondato
To: Kristof Provost
Cc: Bryan Drewery, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org
Subject: Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

On 2022-10-07 at 06:13 EDT, Kristof Provost wrote:
>>On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>>>I think there's still a problem here.
>>>
>>>pfctl -a '*' -sr works
>>>pfctl -a 'name/*' -sr does not.
>>>
>So I’ve looked at this a bit more, and I am now going to back away
>from the whole anchor thing, and try to pretend I didn’t see any of
>the tentacled horrors that lurk within.
>
>To give you an idea of the issues, loading the following ruleset:
>
>    anchor "foo" {
>        anchor "bar" {
>            pass in
>        }
>    }
>
>does exactly what you’d expect:
>
>    # pfctl -sr -a "*"
>    anchor "foo" all {
>      anchor "bar" all {
>        pass in all flags S/SA keep state
>      }
>    }
>    # pfctl -sr -a "foo/*"
>    anchor "bar" all {
>      pass in all flags S/SA keep state
>    }
>
>However, if we `pfctl -Fr` to flush all rules:
>
>    # pfctl -Fr
>    rules cleared
>    # pfctl -sr -a "*"
>    # pfctl -sr -a "foo/*"
>    anchor "bar" all {
>      pass in all flags S/SA keep state
>    }
>

How is one supposed to know which rules are really loaded in this case?
Printing of rules with anchors being broken (I even get a segmentation
fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.

Partially, the question I also have is: is printing of rules broken, or
is flushing of rules broken, or a third thing? =)

>Unloading pf to actually delete the bar anchor, and then we set:
>
>    anchor "foo"
>
>And then
>
>    # echo "pass" | pfctl -g -f - -a "foo/bar"
>    # pfctl -sr -a "*"
>    anchor "foo" all {
>    }
>    # pfctl -sr -a "foo/*"
>    # pfctl -sr -a "foo/bar"
>    pass all flags S/SA keep state
>
>There are a lot of issues there, and it’ll take a lot of time and
>effort to root them out. My plan is to drink heavily and attempt to
>forget.
>
>Kristof

Thanks,
Matteo
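
Added example, not part of the original message or of the FreeBSD sources: a small audit helper for the inconsistency shown in the quoted transcript, where an anchor holds rules when queried by name but is absent from the recursive `pfctl -sr -a "*"` listing. The names `hidden_anchors` and `sample_pfctl` are hypothetical, the stub replays only the output quoted above, and the empty result for `-a foo` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag anchors whose rules are visible
# when queried directly but missing from the recursive `pfctl -sr -a "*"` view.
PFCTL=${PFCTL:-pfctl}   # command used to query pf; overridable for testing

# sample_pfctl: constructed stand-in for pfctl that replays the transcript
# quoted in the message (rules loaded into "foo/bar" under anchor "foo").
# Called as: sample_pfctl -sr -a ANCHOR
sample_pfctl() {
    case "$3" in
        '*')     printf 'anchor "foo" all {\n}\n' ;;
        foo/bar) printf 'pass all flags S/SA keep state\n' ;;
        *)       : ;;   # "foo/*" prints nothing per the transcript; "foo" is assumed empty
    esac
}

# hidden_anchors ANCHOR...: print each anchor path that holds rules when
# queried by name but whose leaf name never appears as an `anchor "<leaf>"`
# line in the recursive listing. Matching on the leaf name is a heuristic.
hidden_anchors() {
    recursive=$($PFCTL -sr -a '*' 2>/dev/null) || recursive=
    for path in "$@"; do
        # Skip anchors that cannot be queried or that hold no rules.
        direct=$($PFCTL -sr -a "$path" 2>/dev/null) || continue
        [ -n "$direct" ] || continue
        leaf=${path##*/}
        if ! printf '%s\n' "$recursive" | grep -qF -- "anchor \"$leaf\""; then
            printf '%s\n' "$path"
        fi
    done
}

# Demo on the constructed transcript; prints "foo/bar".
( PFCTL=sample_pfctl; hidden_anchors foo foo/bar )
```

On a live system, leave `PFCTL` unset and pass the anchor paths your ruleset is expected to populate.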