Hi,

I have been fiddling with pfctl(8) source code for a few days.

Look at the following ruleset:

[EMAIL PROTECTED] ~]# pfctl -a node -f - <<EOF
> block from 1.1.1.1
> anchor leaf
> EOF
[EMAIL PROTECTED] ~]# pfctl -a node/leaf -f - <<EOF
> block from 1.1.1.2
> EOF
[EMAIL PROTECTED] ~]# pfctl -f - <<EOF
> anchor node
> anchor {
>   block from 1.1.2.1
>   anchor {
>     block from 1.1.2.2
>   }
> }
> EOF

We have basically two intermediate anchors, one named "node" and the
other being anonymous.  Each of them contains another anchor,
respectively named and anonymous.  I would expect something like:

% [EMAIL PROTECTED] ~]# pfctl -s A -v
%   _1
%   _1/_2   (or alternatively _1/_1)
%   node
%   node/leaf

However I get the following output:

% [EMAIL PROTECTED] ~]# pfctl -s A -v
%   _1
%   _1/_1
%   _1/_1/_2
%   _1/_2
%   node
%   node/leaf

Moreover I've added a debugging printf(3) to see the content of
``pr.anchor_call''.  Here is the output:

% [EMAIL PROTECTED] ~]# pfctl -a \* -s r
% DEBUG: anchor_call: node
% anchor "node" all {
%   block drop inet from 1.1.1.1 to any
% DEBUG: anchor_call: leaf
                      ^^^^
%   anchor "leaf" all {
%     block drop inet from 1.1.1.2 to any
%   }
% }
% DEBUG: anchor_call: _1
% anchor all {
%   block drop inet from 1.1.2.1 to any
% DEBUG: anchor_call: _1/_2
                      ^^^^^
%   anchor all {
%     block drop inet from 1.1.2.2 to any
%   }
% }

As you can see, the nested anonymous anchor is not called like the
nested named anchor.

Is it a bug or a feature?  I suppose this is a feature, as there is a
special case to handle this in pfctl_show_rules(), but I didn't manage
to understand the purpose of it.

Any clue would be welcome.
Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
