Page MenuHomeFreeBSD
Differential D42728

pfctl: Fix recursive printing of anchor labels
ClosedPublic
Actions

Authored by email_luiz.eng.br on Nov 23 2023, 10:50 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mar 11 2024, 11:10 PM
Unknown Object (File)
Mar 11 2024, 11:09 PM
Unknown Object (File)
Mar 11 2024, 11:09 PM
Unknown Object (File)
Mar 8 2024, 3:37 AM
Unknown Object (File)
Dec 28 2023, 5:07 AM
Unknown Object (File)
Dec 21 2023, 1:08 PM
Unknown Object (File)
Dec 20 2023, 4:44 AM
Unknown Object (File)
Nov 28 2023, 11:16 PM
View All 9 Files
Subscribers
imp

Details

Reviewers
kp
Commits
rG0187875a6c0b: pfctl: Fix recursive printing of anchor labels
Summary

We recently noticed that the recursive printing of labels wasn't working like the recursive printing of rules.

When running pfctl -sr -a* we get a listing of all rules, including the ones inside anchors. On the other hand, when running pfctl -sl -a*, it would only print the labels in the root level, just like without the -a* argument.

As in our use-case we are interested on labels only and our labels are unique even between anchors, we didn't add indentation or hierarchy to the printing.

Sponsored by: InnoGames GmbH

Test Plan

Load a ruleset with anchors:

anchor lbpools_1 in on vtnet0 from any to 2001:db8::/32 {
  pass in quick proto tcp from any to port 443:443 label "pool_1237773_IPv6:$proto:$dstport"
  anchor "block" {
    block quick label "pool_1237773_IPv6:drop"
  }
}
pass quick from any to any label "anytoany"

Verify that pfctl -sl -a* will list all labels, including the ones inside the anchors:

# pfctl -sl -a*
pool_1237773_IPv6:tcp:443 0 0 0 0 0 0 0 0
pool_1237773_IPv6:drop 0 0 0 0 0 0 0 0
anytoany 0 0 0 0 0 0 0 0

instead of listing just the labels in the default level:

# pfctl -sl -a*
anytoany 0 0 0 0 0 0 0 0

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

email_luiz.eng.br created this revision.Nov 23 2023, 10:50 AM
Herald added a subscriber: imp. · View Herald TranscriptNov 23 2023, 10:50 AM
email_luiz.eng.br requested review of this revision.Nov 23 2023, 10:50 AM
kp added a comment.Nov 23 2023, 3:44 PM

At first glance that looks fairly similar to other such fixes for rule and ethernet rule printing.
I'm going to need a bit more time to actually understand this fully though, the anchor code always gives me headaches.

In the mean time it'd be really nice if you could add a basic test case for this, otherwise we risk accidentally breaking this again at some point.

This revision was not accepted when it landed; it landed in state Needs Review.Nov 27 2023, 8:38 PM
Closed by commit rG0187875a6c0b: pfctl: Fix recursive printing of anchor labels (authored by email_luiz.eng.br, committed by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG0187875a6c0b: pfctl: Fix recursive printing of anchor labels.
email_luiz.eng.br added a comment.Nov 28 2023, 9:50 AM

I realized now that I forgot to send a reply here. I will write the tests sometime around this week and then send them on a new differential.
Thanks for the commit, @kp :)

kp added a comment.Nov 28 2023, 10:26 AM
In D42728#975974, @email_luiz.eng.br wrote:

I realized now that I forgot to send a reply here. I will write the tests sometime around this week and then send them on a new differential.
Thanks for the commit, @kp :)

I included a basic test with the commit too: https://cgit.freebsd.org/src/commit/?id=1d723c1e565e714e4192883d813ef81e97220f27

Revision Contents
Changeset List

PathSize
sbin/
pfctl/
8 lines

Diff 130625

View Options

sbin/pfctl/pfctl.c

Loading...