Re: PF bug: pfctl not cleaning up after ioctl(DIOCADDRULE) failure?

Fri, 12 Sep 2025 12:30:10 -0700 

Hello,

> * Is the issue reproducible on OpenBSD?

    yes, OpenBSD behavior is same

> * Is there any reason why pfctl calls err() function
>   after ioctl(DIOCADDRULE) failure ?
> 

    the small change you are proposing 
> [pfctl.c]
> -             if (ioctl(pf->dev, DIOCADDRULE, &pr) == -1)
> -                     err(1, "DIOCADDRULE");
> +               if (ioctl(pf->dev, DIOCADDRULE, &pr)) {
> +                       warnx("DIOCADDRULE");
> +                       return (1);
> +               }

    does not help much. the outcome is the memory held by
    transaction in kernel is released earlier. in current
    OpenBSD the memory is released with next call DIOXBEGIN
    on existing ruleset.

    I think the ROLLBACK of transaction is pointless here.
    hover you tired to load the second ruleset directly?
    this is what happens on my OpenBSD test system.
    I'm using pfctl with your suggested change:

        puffy# cat pf-2.conf
        set limit tables 3
        anchor A1 in inet all {
         pass in quick from <T1>
        }
        anchor A2 in inet all {
         pass in quick from <T1>
        }
        table <T1> persist { 1.2.3.4/24 }


        puffy# ./pfctl -f pf-2.conf
        pfctl: DIOCADDRULE: Invalid argument
        pfctl: Unable to load rules into kernel

    and this is what happens with pfctl I have installed on my system

        puffy# pfctl -f pf-2.conf
        pfctl: DIOCADDRULE: Invalid argument

    what is worth to note is the pfctl needs to create 4 tables
    when loads pf-2.conf ruleset. The tables are resolved with
    DIOCXCOMMIT operation when the tables which are not needed
    are released.


    the icotl loads two rulesets. each rule refers to table T1.
    however until commit happens the pf does not know both
    rules refer to the same table hence it keeps two table
    instances. One would think two tables should fit under
    the limit (which is set to 3). However there is a one more
    detail: each table found in anchor allocates ->prfkt_root table.
    so this is why pf-2.conf ruleset is doomed. and also the change
    you propose is futile.

I'm afraid implementation of more sensible behavior requires
a lot more work. What I'd like eventually do is to
make table a member of ruleset. pf in kernel keeps rulesets
and tables in their respective look up tables (rb-trees),
while pf.conf syntax (and pfctl option -a) kind of suggests
the table is part of anchor.

hope my explanation is reasonably clear.


good luck

thanks and
regards
sashan

Reply via email to