Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors

Reply: Matteo Riondato : "Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors"
In reply to: Matteo Riondato : "Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 18 Oct 2022 08:44:32 UTC

On 17 Oct 2022, at 19:37, Matteo Riondato wrote:
> On 2022-10-07 at 06:13 EDT, Kristof Provost <kp@FreeBSD.org> wrote:
>>> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>>>> I think there's still a problem here.
>>>>
>>>> pfctl -a '*' -sr works pfctl -a 'name/*' -sr does not.
>>>>
>> So I’ve looked at this a bit more, and I am now going to back away 
>> from the whole anchor thing, and try to pretend I didn’t see any of 
>> the tentacled horrors that lurk within.
>>
>> To give you an idea of the issues, loading the following ruleset:
>>
>> 	anchor "foo" {
>> 	        anchor "bar" {
>> 	                pass in
>> 	        }
>> 	}
>>
>> does exactly what you’d expect:
>>
>> 	# pfctl -sr -a "*"
>> 	anchor "foo" all {
>> 	  anchor "bar" all {
>> 	    pass in all flags S/SA keep state
>> 	  }
>> 	}
>> 	# pfctl -sr -a "foo/*"
>> 	anchor "bar" all {
>> 	  pass in all flags S/SA keep state
>> 	}
>>
>> However, if we `pfctl -Fr` to flush all rules:
>>
>> 	# pfctl -Fr
>> 	rules cleared
>> 	# pfctl -sr -a "*"
>> 	# pfctl -sr -a "foo/*"
>> 	anchor "bar" all {
>> 	  pass in all flags S/SA keep state
>> 	}
>>
>
> How is one supposed to know which rules are really loaded in this 
> case?
>
> Printing of rules with anchors being broken (I even get a segmentation 
> fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.
>
`pfctl -a "*" -sr` should always produce the expected results, at least 
as far as I know.
I’d be very interested in seeing a test case where that core dumps, 
because that is indeed very annoying, and might be something I can fix.

> Partially, the question I also have is: is printing of rules broken, 
> or is flushing of rules broken, or a third thing? =)
>
To the extent that I currently understand this problem I believe the 
issue is that we’re not always stepping into child anchors to print 
them. I believe they do get evaluated when the rules are processed. So 
it’s the printing that’s broken.
The flushing is .. not broken, but may not do what you’d expect. When 
we flush we only flush the root anchor, and other anchors can remain. I 
think that’s the main source of the strange behaviour I’ve 
described.

Best regards,
Kristof