Date: Tue, 6 Sep 2022 11:19:49 GMT
Message-Id: <202209061119.286BJnOV024965@gitrepo.freebsd.org>
From: Kristof Provost
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: cfa1a1308709 - main - pfctl: fix recursive printing of ethernet anchors
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Commit: cfa1a13087096fe93d7a2976015ccda243476a64

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=cfa1a13087096fe93d7a2976015ccda243476a64
commit cfa1a13087096fe93d7a2976015ccda243476a64
Author:     Kristof Provost
AuthorDate: 2022-09-01 09:45:19 +0000
Commit:     Kristof Provost
CommitDate: 2022-09-06 11:19:10 +0000

    pfctl: fix recursive printing of ethernet anchors

    Similar to the preceding fix for layer three rules, ensure that we
    recursively list wildcard anchors for ethernet rules.

    MFC after:	3 weeks
    Sponsored by:	Rubicon Communications, LLC ("Netgate")
    Differential Revision:	https://reviews.freebsd.org/D36417
---
 sbin/pfctl/parse.y |  9 ++++++-
 sbin/pfctl/pfctl.c | 79 +++++++++++++++++++++++++++++++++++++++++++++---------
 2 files changed, 75 insertions(+), 13 deletions(-)

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 5d0320e909fb..eea9f89782be 100644 --- a/sbin/pfctl/parse.y +++ b/sbin/pfctl/parse.y @@ -1276,7 +1276,14 @@ etheranchorrule : ETHER ANCHOR anchorname dir quick interface etherproto etherfr memset(&r, 0, sizeof(r)); if (pf->eastack[pf->asd + 1]) { - /* move inline rules into relative location */ + if ($3 && strchr($3, '/') != NULL) { + free($3); + yyerror("anchor paths containing '/' " + "cannot be used for inline anchors."); + YYERROR; + } + + /* Move inline rules into relative location. */ pfctl_eth_anchor_setup(pf, &r, &pf->eastack[pf->asd]->ruleset, $3 ? $3 : pf->ealast->name); diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 0445fdd32ea7..bc6f14e1c197 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -99,7 +99,7 @@ int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int, char *); void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int); void pfctl_print_rule_counters(struct pfctl_rule *, int); -int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int); +int pfctl_show_eth_rules(int, char *, int, enum pfctl_show, char *, int, int); int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int, int); int pfctl_show_nat(int, char *, int, char *, int); int pfctl_show_src_nodes(int, int); 
@@ -1091,20 +1091,73 @@ pfctl_print_title(char *title) int pfctl_show_eth_rules(int dev, char *path, int opts, enum pfctl_show format, - char *anchorname, int depth) + char *anchorname, int depth, int wildcard) { char anchor_call[MAXPATHLEN]; struct pfctl_eth_rules_info info; struct pfctl_eth_rule rule; + int brace; int dotitle = opts & PF_OPT_SHOWALL; int len = strlen(path); - int brace; - char *p; + char *npath, *p; - if (path[0]) - snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); - else - snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); + /* + * Truncate a trailing / and * on an anchorname before searching for + * the ruleset, this is syntactic sugar that doesn't actually make it + * to the kernel. + */ + if ((p = strrchr(anchorname, '/')) != NULL && + p[1] == '*' && p[2] == '\0') { + p[0] = '\0'; + } + + if (anchorname[0] == '/') { + if ((npath = calloc(1, MAXPATHLEN)) == NULL) + errx(1, "pfctl_rules: calloc"); + snprintf(npath, MAXPATHLEN, "%s", anchorname); + } else { + if (path[0]) + snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname); + else + snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname); + npath = path; + } + + /* + * If this anchor was called with a wildcard path, go through + * the rulesets in the anchor rather than the rules. 
+ */ + if (wildcard && (opts & PF_OPT_RECURSE)) { + struct pfctl_eth_rulesets_info ri; + u_int32_t mnr, nr; + + if (pfctl_get_eth_rulesets_info(dev, &ri, npath)) { + if (errno == EINVAL) { + fprintf(stderr, "Anchor '%s' " + "not found.\n", anchorname); + } else { + warn("DIOCGETETHRULESETS"); + return (-1); + } + } + mnr = ri.nr; + + pfctl_print_eth_rule_counters(&rule, opts); + for (nr = 0; nr < mnr; ++nr) { + struct pfctl_eth_ruleset_info rs; + + if (pfctl_get_eth_ruleset(dev, npath, nr, &rs)) + err(1, "DIOCGETETHRULESET"); + INDENT(depth, !(opts & PF_OPT_VERBOSE)); + printf("anchor \"%s\" all {\n", rs.name); + pfctl_show_eth_rules(dev, npath, opts, + format, rs.name, depth + 1, 0); + INDENT(depth, !(opts & PF_OPT_VERBOSE)); + printf("}\n"); + } + path[len] = '\0'; + return (0); + } if (pfctl_get_eth_rules_info(dev, &info, path)) { warn("DIOCGETETHRULES"); @@ -1141,7 +1194,7 @@ pfctl_show_eth_rules(int dev, char *path, int opts, enum pfctl_show format, pfctl_print_eth_rule_counters(&rule, opts); if (brace) { pfctl_show_eth_rules(dev, path, opts, format, - p, depth + 1); + p, depth + 1, rule.anchor_wildcard); INDENT(depth, !(opts & PF_OPT_VERBOSE)); printf("}\n"); } @@ -2988,13 +3041,15 @@ main(int argc, char *argv[]) pfctl_show_limits(dev, opts); break; case 'e': - pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0); + pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0, + 0); break; case 'a': opts |= PF_OPT_SHOWALL; pfctl_load_fingerprints(dev, opts); - pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0); + pfctl_show_eth_rules(dev, path, opts, 0, anchorname, 0, + 0); pfctl_show_nat(dev, path, opts, anchorname, 0); pfctl_show_rules(dev, path, opts, 0, anchorname, 0, 0); @@ -3023,7 +3078,7 @@ main(int argc, char *argv[]) if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL) { pfctl_show_eth_rules(dev, path, opts, PFCTL_SHOW_NOTHING, - anchorname, 0); + anchorname, 0, 0); pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING, anchorname, 0, 0); }
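Review bot: in the parse.y hunk (@@ -1276), the new `strchr($3, '/')` rejection runs only inside `if (pf->eastack[pf->asd + 1])`, i.e. for inline `anchor "name" { ... }` ethernet anchors; a named anchor call whose path contains `/` is still accepted on the other branch. That matches the stated intent but deserves a one-line comment above the check so the asymmetry is not mistaken for an omission later. Also, `free($3)` runs before `yyerror(...)`, so the diagnostic cannot name the offending anchor; if the message is meant to identify it, emit the error first and free afterwards. A regression test that feeds an inline anchor named with a `/` to `pfctl -n` and expects the new error would pin this down.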
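Review bot: in the pfctl.c @@ -1091 hunk, when `pfctl_get_eth_rulesets_info(dev, &ri, npath)` fails with `errno == EINVAL` the code prints "Anchor '%s' not found." and then falls through to `mnr = ri.nr;` with `ri` never filled in, so the following loop iterates over an uninitialized count; restore `path[len] = '\0'` and return after the `fprintf`, as the `warn("DIOCGETETHRULESETS")` branch already does. In the same hunk, `pfctl_print_eth_rule_counters(&rule, opts)` is called before any rule has been fetched into `rule` (declared but not initialized in this function), so verbose counter output at that point reflects stack contents; zero `rule` first or drop the call. Smaller points: `npath` is `calloc()`ed when `anchorname[0] == '/'` but is never freed on any exit path, the `errx(1, "pfctl_rules: calloc")` string names the wrong function, and after the wildcard block the non-recursive lookup still passes `path` (`pfctl_get_eth_rules_info(dev, &info, path)`) rather than `npath`, so an absolute anchorname that took the calloc branch never reaches that query.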
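Review bot: in the main() hunks (@@ -2988 and @@ -3023), all three call sites pass the new trailing argument as `0`, so the recursive-ruleset branch is only ever entered through `rule.anchor_wildcard` from the @@ -1141 hunk. A user-supplied `-a 'name/*'` combined with `-r` therefore has its `/*` suffix stripped by the new `strrchr` code in `pfctl_show_eth_rules()` and is then listed non-recursively. If that is intended, a short comment at the `case 'e':` call site would save the next reader the trace; if not, derive `wildcard` from the presence of the `/*` suffix before it is truncated.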