From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 262590] [pf] Anchor "blacklistd/*" not correctly shown in pfctl -a \* -s rules
Date: Wed, 16 Mar 2022 12:22:50 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262590

Bug ID: 262590
Summary: [pf] Anchor "blacklistd/*" not correctly shown in pfctl -a \* -s rules
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: bugs@FreeBSD.org
Reporter: matteo@FreeBSD.org
CC: kp@freebsd.org

(This may be related to #252617)

Wildcards in anchor names do not seem to be correctly interpreted by pfctl.

Steps to reproduce:

1) Start blacklistd, even with the default /etc/blacklistd.conf
2) Enable blacklistd in sshd_config (UseBlacklist yes), and reload sshd
3) Add 'anchor "blacklistd/*"' as the first rule in your pf.conf
4) Reload the rules
5) Fake some wrong logins on ssh (e.g., ssh notauser@yourhost), to trigger the blacklist

Now, if I run "pfctl -a blacklistd -sA", I get

    blacklistd/22

and if I run "pfctl -a blacklistd/22 -s rules", I get:

    block drop in quick proto tcp from to any port = ssh

which is fine.

But if I run "pfctl -a 'blacklistd/*' -s rules", I get no output, which seems weird.

Finally, if I run "pfctl -a '*' -s rules", I get:

    anchor "*" all {
    pfctl: DIOCGETRULES: Invalid argument
    }
    ... other rules, none of which is about the blacklistd anchors.

So either I'm confused by how to see the rules for all anchors (under an anchor, possibly), or the wildcard seems to be misinterpreted.

At this point I'm not even sure that the rules are loaded correctly, because I cannot verify it with pfctl.
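
The following is an added example, not part of the original report and not FreeBSD project code: one way to confirm that blacklistd's block rules are loaded without a wildcard, by listing each anchor's children with `-sA` and its rules with `-s rules`, the two pfctl invocations that worked in the report. The function names, the `PFCTL` override variable, and the `sample_pfctl` stub with its constructed rule are assumptions made for illustration; the walker relies on `-sA` printing full child paths, as it did in the report.

```sh
#!/bin/sh
# Added example: walk a pf anchor tree one level at a time and print every
# rule with the anchor that holds it, without passing a '*' wildcard to pfctl.
PFCTL=${PFCTL:-pfctl}   # assumption: override hook so the walker can be tested

# Constructed stand-in for pfctl. It replays output shaped like the report's;
# the source address is a constructed documentation address.
sample_pfctl() {    # called as: -a ANCHOR -sA   or   -a ANCHOR -s rules
    case "$2 $3" in
        "blacklistd -sA")   echo "  blacklistd/22" ;;
        "blacklistd/22 -s") echo "block drop in quick proto tcp from 192.0.2.10 to any port = ssh" ;;
    esac
}

# Anchors directly below $1, one full path per line (as `-a blacklistd -sA`
# printed blacklistd/22 in the report).
list_children() {
    $PFCTL -a "$1" -sA 2>/dev/null | sed -e 's/^[[:space:]]*//' -e '/^$/d'
}

# Depth-first walk: "anchor<TAB>rule" for every rule at or below $1.
walk_anchor() {
    $PFCTL -a "$1" -s rules 2>/dev/null | while IFS= read -r rule; do
        if [ -n "$rule" ]; then printf '%s\t%s\n' "$1" "$rule"; fi
    done
    list_children "$1" | while IFS= read -r child; do
        walk_anchor "$child"
    done
}

# Number of rules loaded at or below $1; 0 means nothing is enforced there.
count_rules() {
    walk_anchor "$1" | wc -l | tr -d ' '
}

# Live system (as root): walk_anchor blacklistd
if [ "${1:-}" = "--demo" ]; then
    PFCTL=sample_pfctl
    walk_anchor blacklistd
    echo "rules under blacklistd: $(count_rules blacklistd)"
fi
```

A count of 0 under `blacklistd` after failed logins have been triggered means no block rule is loaded, which is the condition the reporter could not check with the wildcard form.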