From: Kristof Provost
To: Bryan Drewery
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org, matteo@freebsd.org
Subject: Re: git: cfa1a1308709 - main - pfctl: fix recrusive printing of ethernet anchors
Date: Fri, 07 Oct 2022 11:13:48 +0100

On 3 Oct 2022, at 18:13, Bryan Drewery wrote:

> I think there's still a problem here.
>
> pfctl -a '*' -sr works
> pfctl -a 'name/*' -sr does not.


So I’ve looked at this a bit more, and I am now going to back away from the whole anchor thing, and try to pretend I didn’t see any of the tentacled horrors that lurk within.

To give you an idea of the issues, loading the following ruleset:

anchor "foo" {
        anchor "bar" {
                pass in
        }
}

does exactly what you’d expect:

# pfctl -sr -a "*"
anchor "foo" all {
  anchor "bar" all {
    pass in all flags S/SA keep state
  }
}
# pfctl -sr -a "foo/*"
anchor "bar" all {
  pass in all flags S/SA keep state
}

However, if we `pfctl -Fr` to flush all rules:

# pfctl -Fr
rules cleared
# pfctl -sr -a "*"
# pfctl -sr -a "foo/*"
anchor "bar" all {
  pass in all flags S/SA keep state
}

Unloading pf to actually delete the bar anchor, and then we set:

anchor "foo"

And then

# echo "pass" | pfctl -g -f - -a "foo/bar"
# pfctl -sr -a "*"
anchor "foo" all {
}
# pfctl -sr -a "foo/*"
# pfctl -sr -a "foo/bar"
pass all flags S/SA keep state

There are a lot of issues there, and it’ll take a lot of time and effort to root them out. My plan is to drink heavily and attempt to forget.

Kristof
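
The listings in the message show that a recursive `pfctl -sr -a "*"` dump can omit rules that a direct per-anchor dump still returns. The script below is an added example, not part of the original message or of pfctl: it flattens a saved recursive listing into anchor paths and reports rules that a direct dump of one anchor contains but the recursive view does not. The function names and the file layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original message). It works on saved pfctl
# output, so it runs offline; the sample data is constructed from the
# listings quoted in the message.

# flatten_rules: read `pfctl -sr -a "*"` style output on stdin and print one
# "anchor-path<TAB>rule" line per rule, rebuilding the path from the nesting.
flatten_rules() {
    awk '
    /^[ \t]*anchor "[^"]*".*[{][ \t]*$/ {   # opening line of a nested anchor
        split($0, q, "\""); name[++depth] = q[2]; next
    }
    /^[ \t]*[}][ \t]*$/ { if (depth > 0) depth--; next }
    /^[ \t]*$/ { next }
    {
        path = ""
        for (i = 1; i <= depth; i++) path = path (i > 1 ? "/" : "") name[i]
        sub(/^[ \t]+/, "")
        printf "%s\t%s\n", path, $0
    }'
}

# missing_from_recursive PATH RECURSIVE_FILE DIRECT_FILE
# Print every rule in DIRECT_FILE (saved `pfctl -sr -a PATH`) that the
# recursive listing in RECURSIVE_FILE does not attribute to PATH.
missing_from_recursive() {
    flat=$(mktemp) || return 1
    flatten_rules < "$2" > "$flat"
    # FILENAME is compared instead of NR == FNR so that an empty flattened
    # file is not mistaken for the direct dump.
    awk -F '\t' -v p="$1" '
        FILENAME == ARGV[1] { if ($1 == p) seen[$2] = 1; next }
        { sub(/^[ \t]+/, "") }
        $0 != "" && !($0 in seen)
    ' "$flat" "$3"
    rm -f "$flat"
}

# Constructed sample: the last listing in the message, where rules were
# loaded straight into foo/bar while the main ruleset only has anchor "foo".
demo() {
    dir=$(mktemp -d) || return 1
    printf 'anchor "foo" all {\n}\n' > "$dir/recursive"        # pfctl -sr -a "*"
    printf 'pass all flags S/SA keep state\n' > "$dir/direct"  # pfctl -sr -a "foo/bar"
    missing_from_recursive foo/bar "$dir/recursive" "$dir/direct"
    rm -rf "$dir"
}
demo    # reports the rule that the recursive listing does not show
```

On a live system the two input files would come from `pfctl -sr -a "*"` and `pfctl -sr -a "foo/bar"`, the commands used in the message.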
