[Bug 262590] [pf] Anchor "blacklistd/*" not correctly shown in pfctl -a \* -s rules
Date: Fri, 18 Mar 2022 01:14:23 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262590

--- Comment #5 from Matteo Riondato <matteo@FreeBSD.org> ---

Yes, all of these work now, but the following still doesn't work, which is what I meant to highlight in this issue, but I did not explain myself well.

1) Create the following pf.conf:

    pass from any to any
    anchor "parent/*"
    block in proto tcp from any to any port 12345

2) Load the rules in this pf.conf:

    # pfctl -f pf.conf

3) Notice how the rules are already not printed correctly:

    # pfctl -a \* -s rules
    pass all flags S/SA keep state
    anchor "*" all {
    pfctl: DIOCGETRULES: Invalid argument
    }
    block drop in proto tcp from any to any port = 12345
    #

4) Now create the following file child.pf:

    block in proto udp from any to any port 23456
    anchor child {
        block in proto icmp
    }
    block in proto tcp from any to any port 34567

5) Load the rules of child.pf into the "parent" rule:

    # pfctl -a parent -f child.pf

6) Notice how the rules are not printed correctly, with the "child" anchor not even being mentioned, but also none of the rules inside the "parent" anchor but outside of "child":

    pass all flags S/SA keep state
    anchor "*" all {
    pfctl: DIOCGETRULES: Invalid argument
    }
    block drop in proto tcp from any to any port = 12345

There are multiple issues here, but one of them is that the way the pointer p is updated around line 1250 of pfctl.c is not correct, and it is what is causing the use of "*" instead of "parent" as anchorname in the next recursive call to pfctl_show_rules, and it is such use that causes the "DIOCGETRULES: Invalid argument" error. Note that even fixing this specific issue about p would not be sufficient, because the next call would still not be able to print "child" and the rules in it.
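The listing that steps 1 to 6 expect from `pfctl -a \* -s rules`, as an added Python model that is not pfctl's or FreeBSD's code: a small rule tree for the pf.conf and child.pf above, and a recursive printer whose child call receives the concrete anchor path ("parent", then "parent/child") rather than the caller's "*". The rule text is a simplified rendering (an assumption), not pfctl's exact output.

```python
# Constructed model of nested pf anchors; the rule strings below approximate
# pfctl's rendering and are an assumption, not captured pfctl output.
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Anchor:
    path: str                      # full anchor path, e.g. "parent/child"
    wildcard: bool = False         # declared as anchor "name/*" in the parent
    rules: List[Union[str, "Anchor"]] = field(default_factory=list)  # ruleset order


def show_rules(anchor: Anchor, depth: int = 0) -> List[str]:
    """Return listing lines for `anchor`, descending into nested anchors.

    The recursive call is made on the child Anchor itself, so it always
    carries its own concrete path; substituting the wildcard "*" here is
    the kind of mistake the report describes (the kernel rejects it)."""
    pad = "  " * depth
    out: List[str] = []
    for r in anchor.rules:
        if isinstance(r, str):
            out.append(pad + r)
            continue
        # name relative to the parent, with "/*" if declared as a wildcard
        rel = r.path.rsplit("/", 1)[-1] + ("/*" if r.wildcard else "")
        out.append(f'{pad}anchor "{rel}" all {{')
        out.extend(show_rules(r, depth + 1))
        out.append(pad + "}")
    return out


def find_anchor(root: Anchor, path: str) -> Anchor:
    """Resolve a -a style path such as "parent/child" from the main ruleset."""
    node = root
    for comp in path.split("/"):
        node = next(a for a in node.rules
                    if isinstance(a, Anchor) and a.path.rsplit("/", 1)[-1] == comp)
    return node


# Constructed ruleset mirroring steps 1, 4 and 5 of the report.
child = Anchor("parent/child", rules=["block drop in proto icmp all"])
parent = Anchor("parent", wildcard=True, rules=[
    "block drop in proto udp from any to any port = 23456",
    child,
    "block drop in proto tcp from any to any port = 34567",
])
main = Anchor("", rules=[
    "pass all flags S/SA keep state",
    parent,
    "block drop in proto tcp from any to any port = 12345",
])

if __name__ == "__main__":
    print("\n".join(show_rules(main)))
```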