Re: PF Once rules are not removed from main anchor

2014-06-21 Thread Peter N. M. Hansteen
Alexandr Nedvedicky alexandr.nedvedi...@oracle.com writes:

> I'm not sure this is the right place to submit patches. Let me know if there is
> a better/more appropriate address for this.

I would think t...@openbsd.org would be a more direct route to the
currently active PF developers and the OpenBSD developers in general,
but quite possibly some of the relevant developers read this as well.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


PF Once rules are not removed from main anchor

2014-06-20 Thread Alexandr Nedvedicky
Hello,

I'm not sure this is the right place to submit patches. Let me know if there is
a better/more appropriate address for this.

During our testing we found that once rules are not removed
when used in the main anchor.

During debugging we found that the rules in the main anchor have the member anchor
(pf_rule::anchor) set to NULL. This makes the pf_purge_rule() function bail out
too early without removing the rule from the ruleset.

The patch below fixed the problem for us.

regards
sasha


--- cut here to get patch ---
Index: pf_ioctl.c
===
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.272
diff -u -r1.272 pf_ioctl.c
--- pf_ioctl.c  22 Apr 2014 14:41:03 -  1.272
+++ pf_ioctl.c  20 Jun 2014 14:26:22 -
@@ -312,7 +312,7 @@
 {
u_int32_tnr;
 
-   if (ruleset == NULL || ruleset-anchor == NULL)
+   if (ruleset == NULL)
return;
 
pf_rm_rule(ruleset-rules.active.ptr, rule);
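Review bot: dropping the `ruleset->anchor == NULL` half of the guard is what lets pf_purge_rule() reach the main ruleset (whose anchor member is NULL, as the description says), but it also means this function now relies entirely on the second hunk to keep pf_remove_if_empty_ruleset() away from the main ruleset; the two hunks are not independently safe and should be committed together. It would also be worth confirming that no other caller passes a ruleset with a NULL anchor for which the early return was intentional.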
@@ -325,7 +325,10 @@
ruleset-rules.active.ticket++;
 
pf_calc_skip_steps(ruleset-rules.active.ptr);
-   pf_remove_if_empty_ruleset(ruleset);
+
+   if (ruleset != pf_main_ruleset) {
+   pf_remove_if_empty_ruleset(ruleset);
+   }
 }
 
 u_int16_t
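Review bot: the new `if (ruleset != pf_main_ruleset)` compares the pointer against `pf_main_ruleset` itself rather than its address; the `->` arrows in the same hunk have clearly been lost in transit too, so if the `&` was eaten the same way this is fine, otherwise it needs `&pf_main_ruleset`. Style-wise, OpenBSD KNF drops the braces around a single-statement body, so `if (ruleset != &pf_main_ruleset)` followed by an indented `pf_remove_if_empty_ruleset(ruleset);` is the expected form, and the added blank line before the if is unnecessary.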
