[Bug 288197] [PATCH] fix pf_fallback_rules for multiple rules
Date: Sun, 13 Jul 2025 22:36:56 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288197
Bug ID: 288197
Summary: [PATCH] fix pf_fallback_rules for multiple rules
Product: Base System
Version: 14.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: mike@jellydonut.org
Created attachment 262121
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=262121&action=edit
quoted $pf_fallback_rules fix
Found what appears to be a bug with pf_fallback_rules in /etc/rc.d/pf.
Attempting to use more than a single pf rule with this setting in /etc/rc.conf
fails on each pf start/restart attempt with a stdin syntax error on line 1
(ignore the "pf/etc/pf.conf:10 syntax error" -- that's me intentionally
breaking syntax in /etc/pf.conf to initiate the pf_fallback_rules to load):
## /etc/rc.conf
pf_fallback_rules_enable="YES"
pf_fallback_rules="
block drop all
pass quick all"
## dmesg -a
...
Enabling pf/etc/pf.conf:10: syntax error
pfctl: Syntax error in config file: pf rules not loaded
/etc/rc: WARNING: Unable to load /etc/pf.conf.
/etc/rc: WARNING: Loading fallback rules:
block drop all
pass quick all
stdin:1: syntax error
pfctl: Syntax error in config file: pf rules not loaded
.
...
The rules are indeed valid, though passed incorrectly to pfctl via stdin as
near as I can tell in /etc/rc.d/pf, which has:
...
else
warn "Loading fallback rules: $pf_fallback_rules"
echo $pf_fallback_rules | $pf_program -f - $pf_flags
fi
...
Since the echo of $pf_fallback_rules is unquoted the line breaks are not
maintained which breaks pfctl ruleset syntax. Testing this subset of
/etc/rc.d/pf in /bin/sh did indicate the unquoted $pf_fallback_rules will fail
even if rules are valid when more than one rule is involved.
$ pf_fallback_rules="
block all
pass in all"
$ (set -x ; echo $pf_fallback_rules | pfctl -nvf - )
+ echo block all pass in all
+ pfctl -nvf -
stdin:1: syntax error
$ (set -x ; echo "$pf_fallback_rules" | pfctl -nvf - )
+ echo '
block all
pass in all'
+ pfctl -nvf -
block drop all
pass in all flags S/SA keep state
Quoting the 'echo "$pf_fallback_rules"' in /etc/rc.d/pf does indeed fix the
issue in my environment. Alternatively setting IFS to null and echoing
$pf_fallback_rules unquoted also provides valid ruleset syntax for pfctl:
$ (set -x ; IFS= ; echo $pf_fallback_rules | pfctl -nvf - )
+ IFS=''
+ echo '
block all
pass in all'
+ pfctl -nvf -
block drop all
pass in all flags S/SA keep state
I have 2 simple patches, one with quoted $pf_fallback_rules and an alternative
fix with the IFS setting change via subshell. In both cases I've also updated
rc.conf(5) to indicate that newlines should not be backslash-escaped when
they're quoted in /etc/rc.conf. I personally think the quoted fix1 is simpler
but I'm not sure exactly which is proper within the rc environment.
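To illustrate the field-splitting behaviour behind this report, here is a small added example (not the reporter's patch and not code from /etc/rc.d/pf): it runs a constructed two-rule value through the current unquoted echo and through the two fixes discussed, counting the lines that reach stdin as a stand-in for pfctl. The function names and the grep-based stand-in are assumptions made for the demo.

```sh
#!/bin/sh
# Added example; not the reporter's patch and not /etc/rc.d/pf itself.
# Shows why an unquoted multi-line rc.conf variable collapses to one line
# and how the two fixes discussed (quoting, or IFS= in a subshell) keep the
# newlines. Function names below are assumed for this demo.

# Constructed value in the same shape as the rc.conf setting in the report.
pf_fallback_rules="
block drop all
pass quick all"

# Current /etc/rc.d/pf form: the unquoted expansion is field-split on IFS
# (space, tab, newline), so echo receives separate words and joins them
# with spaces. pfctl then sees a single line on stdin.
emit_unquoted() {
    echo $1
}

# Fix 1: quote the expansion so the embedded newlines reach pfctl intact.
emit_quoted() {
    echo "$1"
}

# Fix 2: an empty IFS in a subshell disables field splitting, so the
# unquoted expansion is passed through as one word with its newlines.
emit_ifs_null() {
    ( IFS= ; echo $1 )
}

# Stand-in for "pfctl -nvf -": count the non-empty lines read from stdin.
# Each pf rule must arrive on its own line, so the count should equal the
# number of rules (2 here).
count_rule_lines() {
    "$1" "$2" | grep -c .
}

# Return the n-th non-empty line, to confirm rules are not run together.
rule_at() {
    "$1" "$2" | grep . | sed -n "${3}p"
}

for emit in emit_unquoted emit_quoted emit_ifs_null; do
    printf '%-14s -> %s rule line(s)\n' "$emit" \
        "$(count_rule_lines "$emit" "$pf_fallback_rules")"
done
```

Only emit_unquoted reports a single line; the other two deliver both rules on separate lines.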