Bug 280834
| Summary: | pf: set skip on <interface> persists and can't be removed | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | Lorange <bsdlists917+freebsdbugzilla> | ||||
| Component: | kern | Assignee: | freebsd-pf (Nobody) <pf> | ||||
| Status: | New --- | ||||||
| Severity: | Affects Many People | CC: | emaste, kp, mike | ||||
| Priority: | --- | ||||||
| Version: | 14.1-RELEASE | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
|
Description
Lorange
2024-08-15 18:29:26 UTC
FYI, pfctl -Fall -f /etc/pf.conf seems to do the trick Created attachment 252785 [details]
add agrs to allow interface flag clearing
Not sure if notionally and functionally this is correct. But if you have something like
--- /tmp/pf.conf.on 2024-08-15 16:06:15.950332000 -0400
+++ /tmp/pf.conf.off 2024-08-15 16:06:18.927081000 -0400
@@ -1,4 +1,4 @@
-set skip on lo0
+#set skip on lo0
it seems to work
1{july04apu}# pfctl -f /tmp/pf.conf.on
0{july04apu}# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bridge
bridge0
igc0
igc1
igc2
igc3
lo
lo0 (skip)
pflog
pflog0
tap
tap0
0{july04apu}# pfctl -f /tmp/pf.conf.o
pf.conf.off pf.conf.on
0{july04apu}# pfctl -f /tmp/pf.conf.off
0{july04apu}# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bridge
bridge0
igc0
igc1
igc2
igc3
lo
lo0 (skip)
pflog
pflog0
tap
tap0
0{july04apu}# pfctl -FInterfaces
pf: interface flags reset
0{july04apu}#
0{july04apu}# pfctl -v -s Interfaces
No ALTQ support in kernel
ALTQ related functions disabled
all
bridge
bridge0
igc0
igc1
igc2
igc3
lo
lo0
pflog
pflog0
tap
tap0
0{july04apu}#
(In reply to mike from comment #1) Thank you, pfctl -F all -f /etc/pf.conf did indeed work, so that is good to know about. It did freeze my connection to the server though so I had to reconnect (In reply to Lorange from comment #3) You have to reconnect as it flushes all the existing states, so its expected. I had a look at the OpenBSD src and they dont allow flushing just the interface flags either, so there might be good reasons why you dont want to do just that and it has to be in conjunction with a -F all. Sigh. set skip is the gift that keeps on giving. Try this: https://reviews.freebsd.org/D46311 A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=6a88e22728d285c4df17216515ce2b8d1e5a6835 commit 6a88e22728d285c4df17216515ce2b8d1e5a6835 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2024-08-16 12:55:31 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2024-08-19 16:02:15 +0000 pfctl: pfik_ifp is always NULL The pfik_ifp field is not provided by the kernel, it is always NULL. Do not check for it. This caused us to not clear the skip flag on interfaces, leading to unexpected behaviour when a 'set skip' was removed. PR: 280834 Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D46311 sbin/pfctl/pfctl.c | 7 +---- tests/sys/netpfil/pf/set_skip.sh | 61 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 6 deletions(-) |
