Hello, resending to better alias as recommended by p...@benzedrine.cx subscribers.
regards
sasha

----- Forwarded message from Alexandr Nedvedicky <alexandr.nedvedi...@oracle.com> -----

From: Alexandr Nedvedicky <alexandr.nedvedi...@oracle.com>
To: p...@benzedrine.cx
Subject: PF Once rules are not removed from main anchor

Hello,

I'm not sure it is the right place to submit patches. Let me know if there is a better/more appropriate address for this.

During our testing we've found that the once rules are not removed when used in the main anchor. During debugging we found the rules in the main anchor have member anchor set to NULL (pf_rule::anchor). This makes the pf_purge_rule() function bail out too early without removing the rule from the ruleset.

The patch below fixed the problem for us.

regards
sasha

---- cut here to get patch -------
Index: pf_ioctl.c =================================================================== RCS file: /cvs/src/sys/net/pf_ioctl.c,v retrieving revision 1.272 diff -u -r1.272 pf_ioctl.c --- pf_ioctl.c 22 Apr 2014 14:41:03 -0000 1.272 +++ pf_ioctl.c 20 Jun 2014 14:26:22 -0000 @@ -312,7 +312,7 @@ { u_int32_t nr; - if (ruleset == NULL || ruleset->anchor == NULL) + if (ruleset == NULL) return; pf_rm_rule(ruleset->rules.active.ptr, rule); @@ -325,7 +325,10 @@ ruleset->rules.active.ticket++; pf_calc_skip_steps(ruleset->rules.active.ptr); - pf_remove_if_empty_ruleset(ruleset); + + if (ruleset != &pf_main_ruleset) { + pf_remove_if_empty_ruleset(ruleset); + } } u_int16_t

----- End forwarded message -----
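Review bot: In the first hunk (@@ -312), removing `ruleset->anchor == NULL` from the guard lets a ruleset with a NULL anchor reach pf_rm_rule() and everything that follows it, and the lines between the two hunks are not shown. Please confirm that nothing between pf_rm_rule() and the `ruleset->rules.active.ticket++` line dereferences ruleset->anchor. A one-line comment at the guard noting that the main ruleset is expected to arrive here with anchor set to NULL, as the message describes, would keep the check from being added back later.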
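Review bot: In the second hunk (@@ -325), the new guard tests `ruleset != &pf_main_ruleset`, while the condition removed in the first hunk tested `ruleset->anchor == NULL`; the two are not obviously the same set of rulesets, so state which one is intended, or check whether pf_remove_if_empty_ruleset() already returns early for the main ruleset, in which case this guard is redundant. On style, the hunk adds an empty `+` line and braces around a single statement; the unbraced form `if (ruleset != &pf_main_ruleset)` followed by the call on the next line matches the unbraced `if (ruleset == NULL)` / `return;` a few lines above.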