'Nested anonymous anchors internals'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Nested anonymous anchors internals
From:       Jeremie Le Hen <jeremie () le-hen ! org>
Date:       2007-10-18 17:47:38
Message-ID: 20071018174738.GD43061 () obiwan ! tataz ! chchile ! org
[Download RAW message or body]

Hi,

I have been fiddling with pfctl(8) source code for a few days.

Look at the following ruleset:

[root@jarjarbinks ~]# pfctl -a node -f - <<EOF
> block from 1.1.1.1
> anchor leaf
> EOF
[root@jarjarbinks ~]# pfctl -a node/leaf -f - <<EOF
> block from 1.1.1.2
> EOF
[root@jarjarbinks ~]# pfctl -f - <<EOF
> anchor node
> anchor {
>   block from 1.1.2.1
>   anchor {
>     block from 1.1.2.2
>   }
> }
> EOF

We have basically two intermediate anchors, one named "node" and the
other being anonymous.  Each of them contains another anchor,
respectively named and anonymous.  I would expect something like:

% [root@jarjarbinks ~]# pfctl -s A -v
%   _1
%   _1/_2   (or alternatively _1/_1)
%   node
%   node/leaf

However I get the following output:

% [root@jarjarbinks ~]# pfctl -s A -v
%   _1
%   _1/_1
%   _1/_1/_2
%   _1/_2
%   node
%   node/leaf

Moreover I've added a debugging printf(3) to see the content of
``pr.anchor_call''.  Here is the output:

% [root@jarjarbinks ~]# pfctl -a \* -s r
% DEBUG: anchor_call: node
% anchor "node" all {
%   block drop inet from 1.1.1.1 to any
% DEBUG: anchor_call: leaf
                      ^^^^
%   anchor "leaf" all {
%     block drop inet from 1.1.1.2 to any
%   }
% }
% DEBUG: anchor_call: _1
% anchor all {
%   block drop inet from 1.1.2.1 to any
% DEBUG: anchor_call: _1/_2
                      ^^^^^
%   anchor all {
%     block drop inet from 1.1.2.2 to any
%   }
% }

As you can see, the nested anonymous anchor is not called like the
nested named anchor.

Is it a bug or a feature?  I suppose this is a feature, as there is a
special case to handle this in pfctl_show_rules(), but I didn't manage
to understand the purpose of it.

Any clue would be welcome.
Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic