Hello,
few users on Solaris don't like to read warning 'Anchor or Ruleset' does not
exist:
# echo 'pass' |pfctl -a foo -f -
# pfctl -a foo -Fa
rules cleared
pfctl: Anchor or Ruleset does not exist.
#
the commands above did work well, the 'pfctl: Anchor ...' warning message
is kind of invalid. The code path, which ends up with warning, starts in
pfct main() function:
2518 case 'a':
2519 pfctl_clear_rules(dev, opts, anchorname);
2520 pfctl_clear_tables(anchorname, opts);
2521 if (ifaceopt && *ifaceopt) {
2522 warnx("don't specify an interface with
-Fall");
2523 usage();
2524 /* NOTREACHED */
2525 }
we call pfctl_clear_rules(), which flushes all rules from anchor. The anchor
becomes empty. If there are no tables attached to anchor, then
pf_remove_if_empty_ruleset() called on behalf of DIOCXCOMMIT also removes the
anchor from table. No wonder the pfctl_clear_tables() invoked later at line 2520
can not find anchor, which it is searching table to be flushed.
The patch below just swaps line 2519 and 2520 to put the operations to correct
order. With patch in place the warning is gone.
# echo 'pass' |pfctl -a foo -f -
# pfctl -a foo -Fa
0 tables deleted.
rules cleared
#
Also pfctl still prints warning in expected case:
# pfctl -sA
# pfctl -a foo -FT
pfctl: Anchor or Ruleset does not exist.
#
OK?
thanks and
regards
sasha
--------8<---------------8<---------------8<------------------8<--------
diff -r 215db23c6b05 src/sbin/pfctl/pfctl.c
--- src/sbin/pfctl/pfctl.c Mon Sep 25 13:38:48 2017 +0200
+++ src/sbin/pfctl/pfctl.c Tue Sep 26 11:15:26 2017 +0200
@@ -2516,8 +2516,8 @@ main(int argc, char *argv[])
pfctl_clear_stats(dev, ifaceopt, opts);
break;
case 'a':
+ pfctl_clear_tables(anchorname, opts);
pfctl_clear_rules(dev, opts, anchorname);
- pfctl_clear_tables(anchorname, opts);
if (ifaceopt && *ifaceopt) {
warnx("don't specify an interface with -Fall");
usage();
--------8<---------------8<---------------8<------------------8<--------
