Re: git: cfa1a1308709 - main - pfctl: fix recursive printing of ethernet anchors
Date: Mon, 17 Oct 2022 17:37:04 UTC
On 2022-10-07 at 06:13 EDT, Kristof Provost <kp@FreeBSD.org> wrote:
>>On 3 Oct 2022, at 18:13, Bryan Drewery wrote:
>>>I think there's still a problem here.
>>>
>>>pfctl -a '*' -sr works
>>>pfctl -a 'name/*' -sr does not.
>>>
>So I've looked at this a bit more, and I am now going to back away
>from the whole anchor thing, and try to pretend I didn't see any of
>the tentacled horrors that lurk within.
>
>To give you an idea of the issues, loading the following ruleset:
>
>  anchor "foo" {
>    anchor "bar" {
>      pass in
>    }
>  }
>
>does exactly what you'd expect:
>
>  # pfctl -sr -a "*"
>  anchor "foo" all {
>    anchor "bar" all {
>      pass in all flags S/SA keep state
>    }
>  }
>  # pfctl -sr -a "foo/*"
>  anchor "bar" all {
>    pass in all flags S/SA keep state
>  }
>
>However, if we `pfctl -Fr` to flush all rules:
>
>  # pfctl -Fr
>  rules cleared
>  # pfctl -sr -a "*"
>  # pfctl -sr -a "foo/*"
>  anchor "bar" all {
>    pass in all flags S/SA keep state
>  }
>

How is one supposed to know which rules are really loaded in this case?
Printing of rules with anchors being broken (I even get a segmentation
fault with 'pfctl -a "*" -sr -vv') makes debugging rulesets very hard.

Partially, the question I also have is: is printing of rules broken, or
is flushing of rules broken, or a third thing? =)

>Unloading pf to actually delete the bar anchor, and then we set:
>
>  anchor "foo"
>
>And then
>
>  # echo "pass" | pfctl -g -f - -a "foo/bar"
>  # pfctl -sr -a "*"
>  anchor "foo" all {
>  }
>  # pfctl -sr -a "foo/*"
>  # pfctl -sr -a "foo/bar"
>  pass all flags S/SA keep state
>
>There are a lot of issues there, and it'll take a lot of time and
>effort to root them out. My plan is to drink heavily and attempt to
>forget.
>
>Kristof

Thanks,
Matteo
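The question of which rules are really loaded when the recursive `pfctl -sr -a "*"` listing and the per-anchor `pfctl -sr -a "foo/*"` listing disagree can be checked mechanically by parsing both outputs. The script below is an added example written for this thread; it is not part of the mailing-list exchange or of pfctl itself. It parses the `anchor "name" all {` / `}` layout that pfctl prints, turns it into fully qualified anchor paths (`foo`, `foo/bar`), and reports anchors that are visible through `PARENT/*` but absent from the recursive `*` listing, which is exactly the state Kristof shows after `pfctl -Fr`. The sample listings are constructed from the outputs quoted above; the function names are this example's own, and on a live system the two listings would come from `pfctl -sr -a '*'` and `pfctl -sr -a 'foo/*'` instead of the embedded strings.

```shell
#!/bin/sh
# Added example (not from the thread or from pfctl): audit the anchor tree that
# pfctl prints so inconsistencies between "*" and "PARENT/*" listings stand out.

# list_anchor_paths: read a `pfctl -sr -a '*'`-style listing on stdin and print
# one fully qualified anchor path per line, tracking nesting via the braces
# pfctl prints around anchor bodies.
list_anchor_paths() {
    awk '
    /^[[:space:]]*anchor "[^"]+"/ {
        name = $0
        sub(/^[[:space:]]*anchor "/, "", name)   # drop leading "anchor \""
        sub(/".*$/, "", name)                     # drop closing quote and rest
        path = name
        for (i = depth; i >= 1; i--) path = stack[i] "/" path
        print path
        # pfctl opens a brace-delimited body for anchors it recursed into
        if ($0 ~ /[{][[:space:]]*$/) { depth++; stack[depth] = name }
        next
    }
    /^[[:space:]]*[}]/ { if (depth > 0) depth-- }
    '
}

# anchors_under PARENT: read a `pfctl -sr -a 'PARENT/*'` listing on stdin and
# print its child anchors qualified with PARENT (bar -> PARENT/bar).
anchors_under() {
    parent=$1
    list_anchor_paths | while IFS= read -r p; do
        printf '%s/%s\n' "$parent" "$p"
    done
}

# hidden_anchors PARENT ALL_LISTING SUB_LISTING: print anchors that SUB_LISTING
# (output of `pfctl -sr -a 'PARENT/*'`) shows but ALL_LISTING (output of
# `pfctl -sr -a '*'`) does not. Empty output means the two views agree.
hidden_anchors() {
    parent=$1
    all_listing=$2
    sub_listing=$3
    all_paths=$(mktemp) || return 1
    printf '%s\n' "$all_listing" | list_anchor_paths | sort > "$all_paths"
    # grep -f with an empty pattern file matches nothing, so every child anchor
    # is reported when the recursive listing is empty (the post-flush case).
    printf '%s\n' "$sub_listing" | anchors_under "$parent" | sort \
        | grep -Fxv -f "$all_paths" || :
    rm -f "$all_paths"
}

# Constructed sample listings, copied from the outputs quoted in the thread.
SAMPLE_ALL_BEFORE='anchor "foo" all {
  anchor "bar" all {
    pass in all flags S/SA keep state
  }
}'
SAMPLE_FOO_AFTER='anchor "bar" all {
  pass in all flags S/SA keep state
}'
# After `pfctl -Fr` the recursive listing is empty.
SAMPLE_ALL_AFTER=''

# Stand-alone run: before the flush the views agree; afterwards foo/bar is
# only reachable through "foo/*".
if [ "${1:-}" = "demo" ]; then
    echo "anchors before flush:"; printf '%s\n' "$SAMPLE_ALL_BEFORE" | list_anchor_paths
    echo "hidden after flush:";  hidden_anchors foo "$SAMPLE_ALL_AFTER" "$SAMPLE_FOO_AFTER"
fi
```

On a live box the same check is `hidden_anchors foo "$(pfctl -sr -a '*')" "$(pfctl -sr -a 'foo/*')"`; any path it prints is a rule set that the recursive listing will not show you, so it is worth querying that anchor directly with `pfctl -sr -a 'foo/bar'` before trusting a flush.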