Home » Mailing list archives » openbsd-misc » 2007 » February » 26

Anchor naming / evaluation (naming mismatch)

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Craig Barraclough <craig@...>
To: <misc@...>
Subject: Anchor naming / evaluation (naming mismatch)
Date: Monday, February 26, 2007 - 12:35 am

Having trouble sending this to pf@benzedrine list, so I'm sending to

misc@ instead

------

I got caught by an interesting situation recently, which I eventually

tracked down to the following situation.

The anchor in the main ruleset was given like:

anchor "test/*"

However the anchor was populated using just the name, e.g. like this:

load anchor "test" from "/tmp/test-r.anchor"

(In reality, it was being loaded from an external program)


The result of this was the contents of the anchor are visible through

pfctl, whether '-a "test/*"' or '-a test' are given, however the

contents of the anchor were never evaluated.

Output of 'pfctl -sA' just gives:

   test

Which doesn't offer any clues as to which syntax is used - "test" or

"test/*".


Simple test case:

----pf.conf----

nat-anchor "test/*"

rdr-anchor "test/*"

anchor "test/*"

load anchor "test" from "/tmp/test-r.anchor"

pass in label "main-ruleset"

pass all

----/tmp/test-r.anchor----

pass in quick label "anchor"

----END----


Run with these rules for a moment, and 'pfctl -vsl' / 'pfctl -vsl -a

"test"' output gives:

main-ruleset 35 72 8646 72 8646 0 0

anchor 0 0 0 0 0 0 0


Ie rule labeled "anchor" is not evaluated.


I'm not sure about the best way to handle this. Should "test" not be

allowed as an anchor name, if "test/*" is listed as an anchor, or should

"test" be evaluated if "test/*" is an anchor?


--

Craig
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
Anchor naming / evaluation (naming mismatch), Craig Barraclough, (Mon Feb 26, 12:35 am)