PF with subanchors possible bug
Boris Polevoy
vapcom at mail.ru
Fri Apr 28 08:42:15 UTC 2006
Hello, All!
A possible bug in PF on FreeBSD 6.0-RELEASE (the same seems to be in RELENG_6).
PF has strange behaviour with subanchors. Test configs:
pf.conf:
table <test> { 10.0.0.0/8 }
anchor "external" all
load anchor "external" from "pf.sub.conf"
pf.sub.conf:
anchor "internal"
load anchor "internal" from "pf.sub.sub.conf"
pf.sub.sub.conf:
pass in quick from <test> to any
Results:
# pfctl -q -f pf.conf
# pfctl -q -s rules
anchor "external" all
One anchor rule, as in pf.conf, but
# pfctl -q -s Anchors
external
internal
shows two anchors in the main ruleset.
# pfctl -q -s Anchors -v
external
external/internal
internal
Same as before, with the recursive anchor layout. The anchors have the correct rules:
# pfctl -q -s rules -a external
anchor "internal" all
# pfctl -q -s rules -a internal
pass in quick from <test> to any
This situation repeats in the case of direct PF control via ioctl(DIOCADDRULE).
During PF analysis I have found in pf_table.c/pfr_attach_table():
struct pfr_ktable *kt, *rt;
struct pfr_table tbl;
struct pf_anchor *ac = rs->anchor;
...
if (ac != NULL)
        strlcpy(tbl.pfrt_anchor, ac->name, sizeof(tbl.pfrt_anchor));
                                 ^^^^^^^^
...
kt = pfr_lookup_table(&tbl);
if (kt == NULL) {
        pfr_create_ktable(&tbl, time_second, 1);
...
In the case ac->name == "internal", ac->path == "external/internal", the
function pfr_create_ktable() looks up the ruleset tbl.pfrt_anchor, doesn't find it,
and creates a new ruleset with the name "internal". It seems this code must be:
if (ac != NULL)
        strlcpy(tbl.pfrt_anchor, ac->path, sizeof(tbl.pfrt_anchor));
                                 ^^^^^^^^
Is it a bug or not?
With best regards
Boris Polevoy
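As an added illustration (not code from the mail or from the FreeBSD kernel source), the constructed C model below mirrors the quoted pfr_attach_table()/pfr_create_ktable() logic: keying the table by ac->name creates a stray top-level ruleset "internal", while keying by ac->path places it under "external/internal". It also shows the wider consequence of the leaf-name key, that two anchors sharing a leaf name would share one table. The structures and registries are simplified stand-ins, not the kernel's.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-ins for the kernel structures the mail quotes. */
struct pf_anchor { char name[64]; char path[256]; };
struct pfr_table { char pfrt_anchor[256]; char pfrt_name[32]; };
#define MAXENT 8
static struct pfr_table tables[MAXENT];
static char rulesets[MAXENT][256];  /* anchor paths for which a ruleset was created */
static int ntables, nrulesets;

void reset_state(void) { ntables = 0; nrulesets = 0; }

/* Model of pf_find_ruleset: is there a ruleset at this anchor path? */
int ruleset_exists(const char *path) {
    for (int i = 0; i < nrulesets; i++)
        if (strcmp(rulesets[i], path) == 0) return 1;
    return 0;
}

/* Model of pfr_lookup_table: tables are keyed by (anchor string, table name). */
static struct pfr_table *lookup_table(const struct pfr_table *key) {
    for (int i = 0; i < ntables; i++)
        if (strcmp(tables[i].pfrt_anchor, key->pfrt_anchor) == 0 &&
            strcmp(tables[i].pfrt_name, key->pfrt_name) == 0)
            return &tables[i];
    return NULL;
}

/* Model of pfr_create_ktable: find-or-create the ruleset named by the table's
 * anchor string (this is where the stray top-level "internal" comes from). */
static struct pfr_table *create_ktable(const struct pfr_table *tbl) {
    if (!ruleset_exists(tbl->pfrt_anchor) && nrulesets < MAXENT)
        snprintf(rulesets[nrulesets++], sizeof(rulesets[0]), "%s", tbl->pfrt_anchor);
    if (ntables >= MAXENT) return NULL;
    tables[ntables] = *tbl;
    return &tables[ntables++];
}

/* Model of pfr_attach_table for a rule in anchor `ac` that references <tname>.
 * use_path == 0 mirrors the quoted code (ac->name); use_path == 1 is the proposed fix.
 * Returns the anchor string the table ended up under (NULL if the registry is full). */
const char *attach_table(const struct pf_anchor *ac, const char *tname, int use_path) {
    struct pfr_table tbl = { "", "" };
    snprintf(tbl.pfrt_name, sizeof(tbl.pfrt_name), "%s", tname);
    if (ac != NULL)
        snprintf(tbl.pfrt_anchor, sizeof(tbl.pfrt_anchor), "%s", use_path ? ac->path : ac->name);
    struct pfr_table *kt = lookup_table(&tbl);
    if (kt == NULL) kt = create_ktable(&tbl);
    return kt ? kt->pfrt_anchor : NULL;
}
```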