Details

Reviewers

kp
emaste

Commits

rGb39a387442db: libpfctl: Fix displaying deeply nested anchors
rG1c8a554f757d: libpfctl: Fix displaying deeply nested anchors
rGa943a96a50ba: libpfctl: Fix displaying deeply nested anchors

Summary

Set the number of rulesets (i.e., anchors) directly attached to the
anchor and its path in pfctl_get_ruleset().

While here, add a test to document this behavior.

PR: 290478
Fixes: 041ce1d690f1 ("pfctl: recursively flush rules and tables")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

jlduran created this revision.Sun, Oct 26, 2:29 AM

Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptSun, Oct 26, 2:29 AM

jlduran requested review of this revision.Sun, Oct 26, 2:29 AM

Harbormaster completed remote builds in B68122: Diff 165048.Sun, Oct 26, 2:29 AM

Remove patch file for bugzila.

Note that the previous behavior was:

$ pfctl -sA
foo
$ pfctl -a foo -sA
foo/bar
foo/baz

The new behavior (compatible with OpenBSD) is:

$ pfctl -sA
foo
foo/bar
foo/baz
$ pfctl -a foo -sA
foo/bar
foo/baz

Harbormaster completed remote builds in B68123: Diff 165049.Sun, Oct 26, 2:36 AM

Ignore stderr for now, it throws a bogus warning about an (ethernet) anchor not found (PR 280516).

Harbormaster completed remote builds in B68124: Diff 165059.Sun, Oct 26, 4:10 AM

jlduran added a child revision: D53360: pfctl: Do not warn if there is no Ethernet anchor.Sun, Oct 26, 12:59 PM

kp added inline comments.Mon, Oct 27, 4:26 PM

sbin/pfctl/pfctl.c
3029 ↗	(On Diff #165059)	I wonder if we shouldn't do this in libpfct's pfctl_get_ruleset() instead. Okay, it's a little silly to give the 'anchor' argument straight back to the caller, but on the other hand, it also doesn't make much sense to return only a partially completed struct pfioc_ruleset. Or perhaps we shouldn't be using struct pfioc_ruleset, but should be using a pfctl_ruleset that doesn't have the path field at all (and then use 'anchor' in later code here, rather than pr.path).

jlduran retitled this revision from pfctl: Fix displaying multiple nested anchors to libpfctl: Fix displaying deeply nested anchors.Mon, Oct 27, 7:52 PM

jlduran edited the summary of this revision. (Show Details)

Address suggestions:

Implement the fix in pfctl_get_ruleset()
Set both, the number of anchors, and the path in the struct
Extend the test as requested by the PR reporter. It now tests deeply nested anchors (NOT that we are encouraging users to take advantage of this possibility, but rather to avoid regressions)

Harbormaster completed remote builds in B68147: Diff 165165.Mon, Oct 27, 7:58 PM

kp accepted this revision.Tue, Oct 28, 9:55 AM

This revision is now accepted and ready to land.Tue, Oct 28, 9:55 AM

Closed by commit rGa943a96a50ba: libpfctl: Fix displaying deeply nested anchors (authored by jlduran). · Explain WhyTue, Oct 28, 11:49 AM

This revision was automatically updated to reflect the committed changes.

jlduran added a commit: rGa943a96a50ba: libpfctl: Fix displaying deeply nested anchors.

jlduran added a commit: rG1c8a554f757d: libpfctl: Fix displaying deeply nested anchors.Thu, Oct 30, 1:53 AM

cperciva added a commit: rGb39a387442db: libpfctl: Fix displaying deeply nested anchors.Thu, Oct 30, 4:37 AM