Thanks! Diff makes sense, see comments inline.  I confirm that this
restores intended behaviour and regress is fine as well.

With those addressed OK kn;  or I take care of it after getting an OK.
sashan?

On Tue, Mar 05, 2019 at 04:31:40AM -0800, petr.hoffm...@oracle.com wrote:
> @@ -913,7 +913,33 @@ anchorrule       : ANCHOR anchorname dir quick interface 
> af proto fromto
>                                           "rules must specify a name");
>                                       YYERROR;
>                               }
> +
> +                             /*
> +                              * Don't make non-brace anchors part of the 
> main anchor pool.
> +                              */
> +                             if ((r.anchor = calloc(1, sizeof(*r.anchor))) 
> == NULL) {
> +                                     err(1, "anchorrule: calloc");
> +                             }
> +                             pf_init_ruleset(&r.anchor->ruleset);
> +                             r.anchor->ruleset.anchor = r.anchor;
> +                             if (strlcpy(r.anchor->path, $2,
> +                                 sizeof(r.anchor->path)) >= 
> sizeof(r.anchor->path)) {
> +                                     errx(1, "anchorrule: strlcpy");
> +                             }
> +                             if ((p = strrchr($2, '/')) != NULL) {
> +                                     if (strlen(p) == 1) {
> +                                             yyerror("anchorrule: bad anchor 
> name %s",
> +                                                 $2);
> +                                             YYERROR;
> +                                     }
> +                             } else
> +                                     p = (char *)$2;
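Review bot: at the strlcpy() length check, an anchor name that is too long ends the program through errx(1, "anchorrule: strlcpy"), while the trailing-slash case a few lines further down reports through yyerror() and YYERROR. Both are bad input from the ruleset, so the over-long name should be reported through yyerror() as well, like any other error in the rules being parsed. Doing both name checks before the calloc() would also avoid leaving r.anchor allocated when YYERROR is taken.
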
This cast is not needed.

> @@ -5875,7 +5900,7 @@ int
>  filteropts_to_rule(struct pf_rule *r, struct filter_opts *opts)
>  {
>       if (opts->marker & FOM_ONCE) {
> -             if (r->action != PF_PASS && r->action != PF_MATCH) {
> +             if ((r->action != PF_PASS && r->action != PF_DROP) || 
> r->anchor) {
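Review bot: in the FOM_ONCE test, the added `|| r->anchor` term refuses `once` on anchor rules in the same branch as the action check. From the user's side these are two different mistakes; if the message printed in this branch only talks about the rule action, it will mislead for an anchor rule. Suggest a separate `if (r->anchor)` test with its own yyerror() text, plus a comment saying why `once` is refused for anchors.
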
`PF_MATCH' -> `PF_DROP' is obviously correct here;  I made this
copy/pasta mistake in parse.y revision 1.682:

        date: 2018/07/16 08:29:08;  author: kn;  state: Exp;  lines: +11 -29;
        reduce duplicate code, fix typo/free correct buffer

        In filteropts_to_rule():

        * Merge `once' handling from `anchorrule' and `pfrule'
        * Remove/shorten duplicate code block
        * Fix typo I introduced with r1.678 that frees the wrong buffer (twice)

        OK sashan

> @@ -1112,35 +1112,13 @@ pfctl_show_limits(int dev, int opts)
>  
>  /* callbacks for rule/nat/rdr/addr */
>  int
> -pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
> +pfctl_add_rule(struct pfctl *pf, struct pf_rule *r)
Now that you touch the signature, you might as well make it void as it
always returns 0.

>  {
>       struct pf_rule          *rule;
>       struct pf_ruleset       *rs;
>       char                    *p;
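Review bot: pfctl_add_rule() loses its anchor_call argument in this hunk, so it now relies on the caller having filled in r->anchor before the call, as the anchorrule hunk in parse.y does. That precondition is not stated in the visible lines; a short comment above the function would document it, and the prototype and all callers need the matching change in the same diff.
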
`p' is now unused.
