On 17 Oct 2022, at 19:37, Matteo Riondato wrote:
On 2022-10-07 at 06:13 EDT, Kristof Provost <k...@freebsd.org> wrote:
On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
I think there's still a problem here.
`pfctl -a '*' -sr` works.
`pfctl -a 'name/*' -sr` does not.
So I’ve looked at this a bit more, and I am now going to back away
from the whole anchor thing, and try to pretend I didn’t see any of
the tentacled horrors that lurk within.
To give you an idea of the issues, loading the following ruleset:
anchor "foo" {
    anchor "bar" {
        pass in
    }
}
does exactly what you’d expect:
# pfctl -sr -a "*"
anchor "foo" all {
    anchor "bar" all {
        pass in all flags S/SA keep state
    }
}
# pfctl -sr -a "foo/*"
anchor "bar" all {
    pass in all flags S/SA keep state
}
However, if we `pfctl -Fr` to flush all rules:
# pfctl -Fr
rules cleared
# pfctl -sr -a "*"
# pfctl -sr -a "foo/*"
anchor "bar" all {
    pass in all flags S/SA keep state
}
How is one supposed to know which rules are really loaded in this
case?
Printing of rules with anchors being broken (I even get a segmentation
fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.
`pfctl -a "*" -sr` should always produce the expected results, at least
as far as I know.
I’d be very interested in seeing a test case where that core dumps,
because that is indeed very annoying, and might be something I can fix.
Partially, the question I also have is: is printing of rules broken,
or is flushing of rules broken, or a third thing? =)
To the extent that I currently understand this problem I believe the
issue is that we’re not always stepping into child anchors to print
them. I believe they do get evaluated when the rules are processed. So
it’s the printing that’s broken.
The flushing is .. not broken, but may not do what you’d expect. When
we flush we only flush the root anchor, and other anchors can remain. I
think that’s the main source of the strange behaviour I’ve
described.
Best regards,
Kristof
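As an added example (not code from the thread or from the pf project), a small sh script that walks child anchors explicitly with `pfctl -sA` and lists or flushes each one, so the result does not depend on what the root anchor alone reports; `PFCTL` is an assumed override variable so the script can be pointed at a stand-in for offline testing.

```shell
#!/bin/sh
# Enumerate pf anchors recursively and act on each one, instead of relying
# on `pfctl -sr -a "*"` or `pfctl -Fr`, which only reflect the root anchor.
# PFCTL is an assumed override hook: leave it unset for the real pfctl, or
# point it at a stand-in that mimics `pfctl [-a X] -sA|-sr|-Fr` for testing.
PFCTL=${PFCTL:-pfctl}

# list_anchors PARENT: print PARENT (if non-empty) followed by the full path
# of every anchor below it, depth first, one per line. An empty PARENT means
# the main ruleset. Positional parameters are function-local in sh, so the
# recursion does not clobber the caller's state.
list_anchors() {
    [ -n "$1" ] && printf '%s\n' "$1"
    if [ -n "$1" ]; then
        "$PFCTL" -a "$1" -sA
    else
        "$PFCTL" -sA
    fi 2>/dev/null | while read -r child; do
        [ -z "$child" ] && continue
        list_anchors "${1:+$1/}$child"
    done
}

# show_all_rules: print each anchor path and the rules loaded directly in
# it, so rules left behind below a flushed root are still visible.
show_all_rules() {
    list_anchors "" | while read -r path; do
        printf '== anchor "%s"\n' "$path"
        "$PFCTL" -a "$path" -sr
    done
}

# flush_all_rules: flush every anchor deepest-first (reverse sort puts
# "foo/bar" before "foo"), then the main ruleset.
flush_all_rules() {
    list_anchors "" | sort -r | while read -r path; do
        "$PFCTL" -a "$path" -Fr
    done
    "$PFCTL" -Fr
}
```

Run `show_all_rules` after a `pfctl -Fr` to see exactly which anchors still hold rules, and `flush_all_rules` to clear them all.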