Hello,
This issue has been reported by one of our customers.
Consider a pf.conf that comes with rules as follows:
anchor {
pass all
anchor {
block all
}
}
We load pf.conf into the kernel (pfctl -f pf.conf) and display what got loaded:
lumpy# ./pfctl -f /tmp/pf.conf
lumpy# ./pfctl -sr
anchor all {
pass all flags S/SA
anchor all {
block drop all
}
}
so far so good. Now let's flush the rules from kernel:
lumpy# ./pfctl -Fr
rules cleared
lumpy# ./pfctl -sr
lumpy#
However the underscore anchors are still there:
lumpy# ./pfctl -vsA
_1
_1/_2
lumpy#
I could not figure out any existing way to remove them, hence I'm proposing
a small patch, which allows me to remove those 'underscore' anchors by doing
this:
lumpy# ./pfctl -a _1/_2 -Fr
rules cleared
lumpy# ./pfctl -a _1 -Fr
rules cleared
lumpy# ./pfctl -vsA
lumpy#
Does the patch below make sense? Or are there some pitfalls I'm not aware of?
thanks and
regards
sashan
--------8<---------------8<---------------8<------------------8<--------
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2445,7 +2445,16 @@ main(int argc, char *argv[])
warnx("anchors apply to -f, -F, -s, and -T only");
usage();
}
+
+ /*
+ * we want enable administrator to flush anonymous anchors,
+ * thus '_' should be allowed for '-Fr' only. Also make sure
+ * we fail in case of option combination as follows:
+ * pfctl -a _1 -Fr -f /some/rules.conf
+ */
if (mode == O_RDWR && tblcmdopt == NULL &&
+ (clearopt == NULL || *clearopt != 'r' ||
+ rulesopt != NULL) &&
(anchoropt[0] == '_' || strstr(anchoropt, "/_") != NULL))
errx(1, "anchor names beginning with '_' cannot "
"be modified from the command line");
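Review bot: the errx() message at the end of the hunk is now inaccurate, because a '_' anchor can be modified from the command line with -Fr; reword it to state the exception (e.g. "anchor names beginning with '_' can only be flushed (-Fr) from the command line") and update the pfctl(8) manual in the same diff so the documented restriction matches the new behaviour. The added comment also needs a grammar pass ("we want to allow the administrator to flush anonymous anchors, thus '_' is accepted for -Fr only"). Finally, the condition now depends on the order of the three new sub-terms; a short comment noting that the check is skipped only when clearopt is 'r' and no rules file was given would make the intent of the parenthesised expression easier to verify on later reads.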