[Bug 240130] Adding a pf anchor containing a "/" defines the anchor incorrectly
bugzilla-noreply at freebsd.org
Mon Aug 26 17:36:44 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240130
Bug ID: 240130
Summary: Adding a pf anchor containing a "/" defines the anchor incorrectly
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: freebsd at tim.thechases.com
tl;dr: Simple reduced example
=============================
$ echo 'anchor "blacklistd/*"' | pfctl -nvf -
on OpenBSD, this outputs what I'd expect:
anchor "blacklistd/*" all
however on FreeBSD (tried 12-RELEASE-p10 here, and got corroboration from
"Evilham" on IRC for 13.0-CURRENT), this outputs
anchor "/*" all
where the anchor name has been stripped out. The "/" seems to cause the issue
since the following all produce the results I expect (whether useful, sensible,
or not):
$ echo 'anchor "blacklistd"' | pfctl -nvf -
$ echo 'anchor "blacklistd*"' | pfctl -nvf -
$ echo 'anchor "*"' | pfctl -nvf -
Longer details/backstory:
=========================
I was trying to figure out why blacklistd wasn't populating the anchor properly
with blocking rules. After a morning of troubleshooting, determined that
blacklistd was correctly interacting with sshd, and
/usr/libexec/blacklistd-helper was getting as far as invoking `pfctl` with the
(AFAIK) correct parameters, but pf didn't seem to have the anchor in place. I
tracked it down to the lack of a "blacklistd/*" anchor existing. So I
experimented with my pf.conf file stripping it down to the bare essentials of
just a "scrub in all" and that one 'anchor "blacklistd"' entry, only to see
that loading the pf.conf file still listed the only anchor as "/*" not
"blacklistd/*".
kevins91 on #freebsd in IRC said to create a PR and to CC kp@ so here it is.
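A small check, added here and not part of the bug report, for confirming on a given host whether pfctl keeps the name in front of the "/" when it echoes an anchor rule back. The function names and the sample pfctl output lines are constructed for illustration; the probe loop only runs when pfctl is installed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from FreeBSD.
# Checks whether `pfctl -nvf -` preserves the anchor name declared in a rule,
# so a stripped name such as "/*" (instead of "blacklistd/*") is detected.

# Extract the quoted anchor name from one line of pfctl -nv output.
# Example: 'anchor "blacklistd/*" all' -> blacklistd/*
anchor_name_from_output() {
    printf '%s\n' "$1" | sed -n 's/^anchor "\([^"]*\)".*/\1/p'
}

# Return 0 when the name pfctl echoed back equals the name we declared,
# 1 otherwise.  $1 = declared anchor name, $2 = the line pfctl printed.
anchor_kept() {
    [ "$(anchor_name_from_output "$2")" = "$1" ]
}

# Feed a one-line ruleset with the given anchor name to the real parser
# (dry run, -n) and report PASS/FAIL.  Requires pfctl on this host.
probe_pfctl() {
    out=$(printf 'anchor "%s"\n' "$1" | pfctl -nvf - 2>/dev/null | grep '^anchor ')
    if anchor_kept "$1" "$out"; then
        echo "PASS $1"
    else
        echo "FAIL $1 -> $out"
    fi
}

# The four cases from the report: only the one containing "/" is affected.
if command -v pfctl >/dev/null 2>&1; then
    for name in 'blacklistd' 'blacklistd*' '*' 'blacklistd/*'; do
        probe_pfctl "$name"
    done
fi
```

On a host that exhibits the bug the last probe prints `FAIL blacklistd/* -> anchor "/*" all`, which is the symptom the report describes.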