On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
> I think there's still a problem here.
> pfctl -a '*' -sr works
> pfctl -a 'name/*' -sr does not.
So I’ve looked at this a bit more, and I am now going to back away
from the whole anchor thing, and try to pretend I didn’t see any of
the tentacled horrors that lurk within.
To give you an idea of the issues, loading the following ruleset:
anchor "foo" {
  anchor "bar" {
    pass in
  }
}
does exactly what you’d expect:
# pfctl -sr -a "*"
anchor "foo" all {
  anchor "bar" all {
    pass in all flags S/SA keep state
  }
}
# pfctl -sr -a "foo/*"
anchor "bar" all {
  pass in all flags S/SA keep state
}
However, if we `pfctl -Fr` to flush all rules:
# pfctl -Fr
rules cleared
# pfctl -sr -a "*"
# pfctl -sr -a "foo/*"
anchor "bar" all {
  pass in all flags S/SA keep state
}
Unloading pf to actually delete the bar anchor, we then set:
anchor "foo"
And then
# echo "pass" | pfctl -g -f - -a "foo/bar"
# pfctl -sr -a "*"
anchor "foo" all {
}
# pfctl -sr -a "foo/*"
# pfctl -sr -a "foo/bar"
pass all flags S/SA keep state
There are a lot of issues there, and it’ll take a lot of time and
effort to root them out. My plan is to drink heavily and attempt to
forget.
Kristof
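The sequence Kristof walks through above, replayed as a script: this is an added example written for this thread, not code from the original message or from the pf/pfctl project. It loads the nested "foo"/"bar" anchor, flushes the main ruleset with `pfctl -Fr`, and then compares what the recursive listing (`-a '*'`) reports against the sub-anchor listing (`-a 'foo/*'`); the point of interest is that after the flush, rules can still be live in the sub-anchor while the recursive listing shows nothing. The `count_rules` and `flush_verdict` helpers and the `PF_LIVE` opt-in variable are my own names; the sample listing used to exercise the helpers is constructed to match the output shown in the message. The live part replaces the host's main ruleset, so it only runs when `PF_LIVE=1` is set, as root, on a pf-enabled FreeBSD test box.

```shell
#!/bin/sh
# Added example for this thread; not code from the original message or from
# the pf/pfctl project. Replays: load a nested anchor, flush with pfctl -Fr,
# then compare `pfctl -sr -a '*'` with `pfctl -sr -a 'foo/*'`.
# The live part needs root on a pf-enabled FreeBSD host and REPLACES the
# current main ruleset, so it only runs when PF_LIVE=1 is set (PF_LIVE is an
# assumption of this script, not a pfctl feature). The helpers are plain text
# processing and can be exercised without pfctl.
set -eu

# count_rules: number of rule lines in `pfctl -sr` output read from stdin.
# Anchor headers ('anchor "bar" all {'), closing braces and blank lines are
# skipped, so only lines that actually match packets are counted.
count_rules() {
    grep -v -e '^[[:space:]]*anchor ' \
            -e '^[[:space:]]*}[[:space:]]*$' \
            -e '^[[:space:]]*$' | wc -l | tr -d ' '
}

# flush_verdict RECURSIVE_LISTING SUBANCHOR_LISTING
# Both arguments are the text of `pfctl -sr -a '*'` and `pfctl -sr -a 'foo/*'`
# taken after the flush. Prints "hidden" when the recursive listing is empty
# but the sub-anchor still holds rules, i.e. live rules that -a '*' no longer
# reports; prints "consistent" otherwise.
flush_verdict() {
    recursive=$(printf '%s\n' "$1" | count_rules)
    sub=$(printf '%s\n' "$2" | count_rules)
    if [ "$recursive" -eq 0 ] && [ "$sub" -gt 0 ]; then
        echo hidden
    else
        echo consistent
    fi
}

if [ "${PF_LIVE:-0}" = 1 ]; then
    # Constructed ruleset: the nested anchor from the thread. This replaces
    # whatever main ruleset is currently loaded.
    printf 'anchor "foo" {\n  anchor "bar" {\n    pass in\n  }\n}\n' | pfctl -f -
    echo "== before flush: pfctl -sr -a '*' =="
    pfctl -sr -a '*'
    pfctl -Fr
    recursive_after=$(pfctl -sr -a '*')
    sub_after=$(pfctl -sr -a 'foo/*')
    echo "== after pfctl -Fr: -a '*' =="
    printf '%s\n' "$recursive_after"
    echo "== after pfctl -Fr: -a 'foo/*' =="
    printf '%s\n' "$sub_after"
    echo "verdict: $(flush_verdict "$recursive_after" "$sub_after")"
else
    echo "set PF_LIVE=1 and run as root on a pf host to replay the sequence" >&2
fi
```

A "hidden" verdict is the operational takeaway: `pfctl -Fr` clears the main ruleset, so anything that still matches packets lives only in a sub-anchor, and `pfctl -sr -a '*'` will not show it. When auditing a box, list each anchor path explicitly rather than trusting the recursive listing alone.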