On 2022-10-07 at 06:13 EDT, Kristof Provost <k...@freebsd.org> wrote:
> On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>
> So I’ve looked at this a bit more, and I am now going to back away from the whole anchor thing, and try to pretend I didn’t see any of the tentacled horrors that lurk within.
>
> I think there's still a problem here.
>
> pfctl -a '*' -sr works
> pfctl -a 'name/*' -sr does not.
>
> To give you an idea of the issues, loading the following ruleset:
>
> anchor "foo" {
>   anchor "bar" {
>     pass in
>   }
> }
>
> does exactly what you’d expect:
>
> # pfctl -sr -a "*"
> anchor "foo" all {
>   anchor "bar" all {
>     pass in all flags S/SA keep state
>   }
> }
> # pfctl -sr -a "foo/*"
> anchor "bar" all {
>   pass in all flags S/SA keep state
> }
>
> However, if we `pfctl -Fr` to flush all rules:
>
> # pfctl -Fr
> rules cleared
> # pfctl -sr -a "*"
> # pfctl -sr -a "foo/*"
> anchor "bar" all {
>   pass in all flags S/SA keep state
> }
How is one supposed to know which rules are really loaded in this case?

Printing of rules with anchors being broken (I even get a segmentation fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.
Partially, the question I also have is: is printing of rules broken, or is flushing of rules broken, or a third thing? =)
> Unloading pf to actually delete the bar anchor, and then we set:
>
> anchor "foo"
>
> And then
>
> # echo "pass" | pfctl -g -f - -a "foo/bar"
> # pfctl -sr -a "*"
> anchor "foo" all {
> }
> # pfctl -sr -a "foo/*"
> # pfctl -sr -a "foo/bar"
> pass all flags S/SA keep state
>
> There are a lot of issues there, and it’ll take a lot of time and effort to root them out. My plan is to drink heavily and attempt to forget.
>
> Kristof
Thanks, Matteo
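A defender-side check for the situation Kristof shows above, added here as an example and not code from the thread or from pfctl itself: it enumerates every anchor with `pfctl -vsA`, asks each anchor for its own rules, and reports any rule that the recursive `pfctl -sr -a '*'` view does not print, so a rule left behind in a nested anchor after `pfctl -Fr` is not overlooked. The PFCTL override and the RUN_CHECK switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: walk every pf anchor and dump the
# rules each one holds directly, so rules that survive 'pfctl -Fr' inside a
# nested anchor are still reported even when 'pfctl -sr -a "*"' shows nothing.
# PFCTL can be pointed at a stub so the walker can be exercised without pf.
PFCTL="${PFCTL:-pfctl}"

# All anchor paths below the main ruleset, one per line, indentation removed.
# 'pfctl -vsA' recurses into nested anchors and prints full paths ("foo/bar").
list_anchors() {
    "$PFCTL" -vsA | sed 's/^[[:space:]]*//; /^$/d'
}

# Every rule held directly in some anchor, as "anchor<TAB>rule" lines.
# 'pfctl -a foo -sr' shows foo's own ruleset only, not the 'foo/*' view.
anchor_rules() {
    list_anchors | while read -r a; do
        "$PFCTL" -a "$a" -sr | while read -r rule; do
            if [ -n "$rule" ]; then
                printf '%s\t%s\n' "$a" "$rule"
            fi
        done
    done
}

# Rules found by the walk that the recursive "*" view does not print.
# After the flush described in the thread, this is where "pass in ..." in
# foo/bar turns up while 'pfctl -sr -a "*"' is empty.
hidden_rules() {
    star=$("$PFCTL" -sr -a '*')
    anchor_rules | while IFS="$(printf '\t')" read -r a rule; do
        case "$star" in
            *"$rule"*) ;;                        # visible in the "*" view
            *) printf '%s\t%s\n' "$a" "$rule" ;;
        esac
    done
}

# Run the check against the live pf instance: RUN_CHECK=1 sh check_anchors.sh
if [ "${RUN_CHECK:-0}" = 1 ]; then
    hidden_rules
fi
```

Any line it prints names an anchor whose rules are still enforced but invisible to the usual `pfctl -sr -a '*'` listing.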