CVSROOT:	/cvs
Module name:	src
Changes by:	sas...@cvs.openbsd.org	2023/08/10 10:44:04

Modified files:
	sys/net              : pf_table.c
	regress/sys/net/pf_table: Makefile

Log message:
Table persistent flag (PFR_TFLAG_PERSIST) won't get set by an ioctl(2)
operation if the table exists already.

The issue has been noticed by Giannis Kapetanakis (_at_) edu.physics.uoc.gr.
Giannis noticed relayd(8) aborts unexpectedly when a 'relay host' gets
disabled by the 'relayctl host dis ...' command.

To understand what's going on we must look at the way relayd(8) manages
its firewall configuration. If relay host 'example' is enabled, relayd(8)
inserts a rule into anchor relayd/example. The rule looks somewhat like
this:

	pass in from ... to ... rdr-to <example>

When the rule gets inserted into pf(4) the table 'example' is created
with flags:

	lumpy# pfctl -a relayd/example -vg -sT
	----r--	example	relayd/example

The r-flag indicates the table is referred to by a rule only. In the next
step relayd(8) creates and populates table example. It asks pf(4) to add
a persistent flag (PFR_TFLAG_PERSIST), so the table survives the flush
operation of the relayd/example ruleset on behalf of the 'relayctl host
dis ...' command. relayd(8) exits via abort() when the table is gone
after the disable operation.

Giannis was patient enough so we could debug and fix the issue. The
committed change has been tested by Giannis too.

OK kn@, bluhm@
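The following is an added example, not part of the commit or of relayd(8): a small sh script that reads `pfctl -a <anchor> -vg -sT` output and reports tables that carry the r (referenced) flag without the p (persist) flag, the state in which flushing the anchor ruleset takes the table away. It assumes the flag column layout pfctl(8) prints (c p a i r h C) and runs on a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the OpenBSD commit. Flag columns as pfctl(8)
# prints them: c p a i r h C (const, persist, active, inactive,
# referenced by rule, referenced by anchor, counters). A table with r set
# and p unset exists only because a rule refers to it, so it disappears
# when the anchor ruleset is flushed; that is what made relayd(8) abort.

# Constructed sample output (not captured from a real system): the first
# table exists only through the rdr-to rule, the second one has
# PFR_TFLAG_PERSIST set, the third is persistent and unreferenced.
SAMPLE='----r--	example	relayd/example
-pa-r--	www	relayd/www
-pa----	old	relayd/old'

# flag_set FLAGS COLUMN LETTER -> true when LETTER is at COLUMN (1-based)
flag_set() {
	[ "$(printf '%s' "$1" | cut -c"$2")" = "$3" ]
}

# rule_only_tables TEXT -> prints "<anchor>	<<table>>" for every table that
# is referenced by a rule but not persistent; exit status 1 if any is found.
rule_only_tables() {
	rc=0
	while read -r flags name anchor; do
		[ -n "$flags" ] || continue
		if flag_set "$flags" 5 r && ! flag_set "$flags" 2 p; then
			printf '%s\t<%s>\n' "$anchor" "$name"
			rc=1
		fi
	done <<EOF
$1
EOF
	return $rc
}

# Real use: rule_only_tables "$(pfctl -a relayd/example -vg -sT)"
rule_only_tables "$SAMPLE" ||
	echo "warning: table(s) above vanish when the anchor is flushed" >&2
```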