Bug 252617

Summary: pfctl -a '*' -sn does not recursively print nat-anchors
Product: Base System Reporter: Guido Kollerie <guido>
Component: binAssignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me CC: kp, ozkan.kirik
Priority: ---    
Version: 12.2-RELEASE   
Hardware: Any   
OS: Any   

Description Guido Kollerie 2021-01-12 20:31:54 UTC 
According to "man pfctl" one should use "-a '*'" to recursively print the
main ruleset. That does work for filter anchors (eg 'anchor') but not for
NAT anchors (eg 'nat-anchor').

Given the loaded ruleset:

    ext_if="lagg0"

    set skip on lo0
    scrub in

    nat-anchor vm 

    block in
    pass out

    pass in on $ext_if proto tcp from any to ($ext_if) port { ssh, domain, http, https }
    pass in on $ext_if proto udp to ($ext_if) port domain
    pass in on $ext_if inet proto icmp to ($ext_if) icmp-type { unreach, redir, timex, echoreq }

    anchor vm 

Running:

    pfctl -a vm -f - <<EOT
    nat on lagg0 from vm-public:network to any -> (lagg0)
    pass in on vm-public
    EOT

should load the new NAT and filter rules into the appropriate anchor
positions. When we run:

    pfctl -a '*' -sr

The filter ruleset is properly recursively printed:

    scrub in all fragment reassemble
    block drop in all
    pass in on lagg0 proto tcp from any to (lagg0) port = ssh flags S/SA keep state
    pass in on lagg0 proto tcp from any to (lagg0) port = domain flags S/SA keep state
    pass in on lagg0 proto tcp from any to (lagg0) port = http flags S/SA keep state
    pass in on lagg0 proto tcp from any to (lagg0) port = https flags S/SA keep state
    pass in on lagg0 proto udp from any to (lagg0) port = domain keep state
    pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type unreach keep state
    pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type redir keep state
    pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type timex keep state
    pass in on lagg0 inet proto icmp from any to (lagg0) icmp-type echoreq keep state
    pass out all flags S/SA keep state
    anchor "vm" all {
      pass in on vm-public all flags S/SA keep state
    }

But the NAT ruleset however is not:

    pfctl -a '*' -sn

prints:

    nat-anchor "vm" all

Only when we explicitly name the anchor, will the NAT ruleset be printed:

    pfctl -a vm -sn

prints:

    nat on lagg0 inet from 10.0.128.0/24 to any -> (lagg0) round-robin

I would have expected both "-a '*'" and "-a vm" to produce the same
output.
Comment 1 Kristof Provost freebsd_committer freebsd_triage 2022-03-05 18:13:35 UTC 
This is more of a missing feature than a bug. It turns out that the code required to recursively walk anchors was just never present for nat rules.
OpenBSD reworked things so that there's no longer a distinction between regular rules and nat rules, but we don't have those changes. 

This should work though: https://reviews.freebsd.org/D34455
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-03-08 10:53:15 UTC 
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a20773c810814dd130ca1f0fbf08d27fea465555

commit a20773c810814dd130ca1f0fbf08d27fea465555
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-03-05 16:55:48 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-08 09:51:09 +0000

    pfctl: support recursive printing of nat rules

    PR:             252617
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D34455

 sbin/pfctl/pfctl.c | 41 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 7 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-03-15 15:21:04 UTC 
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=f1a4505ee00b570fb7f5901adfcac490fcf74f7b

commit f1a4505ee00b570fb7f5901adfcac490fcf74f7b
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-03-05 16:55:48 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-15 02:52:37 +0000

    pfctl: support recursive printing of nat rules

    PR:             252617
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D34455

    (cherry picked from commit a20773c810814dd130ca1f0fbf08d27fea465555)

 sbin/pfctl/pfctl.c | 41 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 7 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-03-15 15:21:06 UTC 
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4da31fbe58a43cfbd15350fc36c1e8357123b334

commit 4da31fbe58a43cfbd15350fc36c1e8357123b334
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-03-05 16:55:48 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-15 02:52:18 +0000

    pfctl: support recursive printing of nat rules

    PR:             252617
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D34455

    (cherry picked from commit a20773c810814dd130ca1f0fbf08d27fea465555)

 sbin/pfctl/pfctl.c | 41 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 34 insertions(+), 7 deletions(-)