Re: pfctl always prints warning when flushes ruleset

Tue, 26 Sep 2017 03:13:51 -0700 

On Tue, Sep 26, 2017 at 11:15 +0200, Alexandr Nedvedicky wrote:
> Hello,
> 
> few users on Solaris don't like to read warning 'Anchor or Ruleset' does not
> exist:
> 
>     # echo 'pass' |pfctl -a foo -f -
>     # pfctl -a foo -Fa
>     rules cleared
>     pfctl: Anchor or Ruleset does not exist.
>     # 
> 
> the commands above did work well, the 'pfctl: Anchor ...' warning message
> is kind of invalid. The code path, which ends up with warning, starts in
> pfct main() function:
> 
> 2518                 case 'a':
> 2519                         pfctl_clear_rules(dev, opts, anchorname);
> 2520                         pfctl_clear_tables(anchorname, opts);
> 2521                         if (ifaceopt && *ifaceopt) {
> 2522                                 warnx("don't specify an interface with 
> -Fall");
> 2523                                 usage();
> 2524                                 /* NOTREACHED */
> 2525                         }
> 
> we call pfctl_clear_rules(), which flushes all rules from anchor. The anchor
> becomes empty. If there are no tables attached to anchor, then
> pf_remove_if_empty_ruleset() called on behalf of DIOCXCOMMIT also removes the
> anchor from table. No wonder the pfctl_clear_tables() invoked later at line 
> 2520
> can not find anchor, which it is searching table to be flushed.
> 
> The patch below just swaps line 2519 and 2520 to put the operations to correct
> order. With patch in place the warning is gone.
> 
>     # echo 'pass' |pfctl -a foo -f -
>     # pfctl -a foo -Fa
>     0 tables deleted.
>     rules cleared
>     # 
> 
> Also pfctl still prints warning in expected case:
>     # pfctl -sA
>     # pfctl -a foo -FT
>     pfctl: Anchor or Ruleset does not exist.
>     #
> 
> OK?
>

Please make sure a pfctl regress doesn't run into issues with this
diff.  Otherwise OK mikeb.

> thanks and
> regards
> sasha
> 
> --------8<---------------8<---------------8<------------------8<--------
> diff -r 215db23c6b05 src/sbin/pfctl/pfctl.c
> --- src/sbin/pfctl/pfctl.c      Mon Sep 25 13:38:48 2017 +0200
> +++ src/sbin/pfctl/pfctl.c      Tue Sep 26 11:15:26 2017 +0200
> @@ -2516,8 +2516,8 @@ main(int argc, char *argv[])
>                         pfctl_clear_stats(dev, ifaceopt, opts);
>                         break;
>                 case 'a':
> +                       pfctl_clear_tables(anchorname, opts);
>                         pfctl_clear_rules(dev, opts, anchorname);
> -                       pfctl_clear_tables(anchorname, opts);
>                         if (ifaceopt && *ifaceopt) {
>                                 warnx("don't specify an interface with 
> -Fall");
>                                 usage();
> --------8<---------------8<---------------8<------------------8<--------
> 
> 
> 
> 
>

Reply via email to