Created attachment 151018 [details]
pf inline anchor path fix

When nesting inline anchors, they simply don't work. In OpenBSD this has been fixed a long time ago:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/pfctl.c?rev=1.300&content-type=text/x-cvsweb-markup
Any updates on this bug report?
(In reply to krichy from comment #0) The bug is still present. I tested it in 10.3, but the relevant pfctl code is the same in head. The single line patch attached to the original PR solves the problem. Please, could it be committed?
Do you have an example of a pf.conf that does not work? What does it do that it's not supposed to or what does it not do that it's supposed to do?
(In reply to Kristof Provost from comment #3)

This pf.conf should block ping 127.0.0.1, but it does not:

    anchor on ! vboxnet0 {
        anchor on ! vboxnet1 {
            block on lo0 proto icmp all
        }
    }

If I move the "block" line out of the inner anchor, it starts to block packets.
A commit references this bug:

Author: kp
Date: Thu Nov 10 18:41:44 UTC 2016
New revision: 308486
URL: https://svnweb.freebsd.org/changeset/base/308486

Log:
  pfctl: fix nested inline anchors

  Import the OpenBSD fix for nested inline anchors.

  PR:           196314
  Submitted by: krichy@cflinux.hu
  Obtained from: OpenBSD

Changes:
  head/sbin/pfctl/pfctl.c
Created attachment 177689 [details]
more appropriate patch

This patch removes dead code also.
I am on releng 11.2 and am experiencing the same problem. Filter rules contained within nested inline anchors are ineffective.

The following pf.conf, which is similar in structure to the example shown in pf.conf(5) section ANCHORS, should allow ports time and daytime to be accessible, but only the time port can be reached:

    anchor "an1" {
        pass in quick proto tcp to port time
        anchor "an2" {
            pass in quick proto tcp to port daytime
        }
    }

It works as expected as soon as you turn the inner anchor into a regular (non-inline) anchor and load its contents either using pfctl or via

    load anchor "an2" from "file"

I also tested whether it makes any difference when the outer anchor is a regular anchor, but it doesn't. The result is the same.

The only place where rules contained within an inline anchor work as expected is when the inline anchor is directly attached to the main ruleset.
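An added check, not part of this PR and not code from pfctl or FreeBSD: the two reports above share one shape, a filter rule inside an inline anchor that is itself inside another anchor (brace depth 2 or more), which is exactly the rule that an unfixed pfctl drops. The POSIX sh/awk script below scans a pf.conf and prints every such rule with its line number, so a ruleset can be audited before it is loaded on a release that lacks the fix. The function names and the sample pf.conf are constructed for this example; it assumes the pf.conf(5) layout of one inline `anchor ... {` opener and one `}` closer per line, and it does not try to follow `load anchor ... from` into other files.

```shell
#!/bin/sh
# Added example, not from the PR or from pfctl: flag filter rules that sit
# inside a nested inline anchor (brace depth >= 2) of a pf.conf.
# Assumption: one inline-anchor opener ("anchor ... {") or closer ("}") per
# line, as in the pf.conf(5) ANCHORS examples. Comments and blank lines are
# ignored; "load anchor ... from" directives are not followed.

# Print "LINENO: rule" for every rule found at inline-anchor depth >= 2.
# Usage: pf_nested_inline_rules /etc/pf.conf
pf_nested_inline_rules() {
    awk '
        # skip comments and blank lines
        /^[[:space:]]*(#|$)/ { next }
        # an inline anchor opens with a trailing "{"; depth starts at 0
        /^[[:space:]]*anchor[[:space:]].*[{][[:space:]]*$/ { depth++; next }
        # a lone "}" closes the innermost inline anchor
        /^[[:space:]]*[}][[:space:]]*$/ { if (depth > 0) depth--; next }
        # anything else at depth >= 2 is a rule an unfixed pfctl ignores
        depth >= 2 {
            sub(/^[[:space:]]+/, "")
            printf "%d: %s\n", NR, $0
        }
    ' "$1"
}

# Constructed sample ruleset (hypothetical, mirrors the structure reported
# above): "ok" is a top-level inline anchor and works; "an2" is nested inside
# "an1" and its rule is the one the bug drops.
pf_sample_conf() {
    cat <<'EOF'
# constructed sample, not a real ruleset
block all
anchor "ok" {
    pass in quick proto tcp to port ssh
}
anchor "an1" {
    pass in quick proto tcp to port time
    anchor "an2" {
        pass in quick proto tcp to port daytime
    }
}
EOF
}

# Return 0 when the file contains no nested inline rules, 1 otherwise,
# so the check can gate a "pfctl -f" in a deploy script.
pf_check_no_nested_inline() {
    [ -z "$(pf_nested_inline_rules "$1")" ]
}

# Stand-alone run: write the sample to a temp file and audit it.
if [ -z "$PF_NESTED_NO_MAIN" ]; then
    tmp=$(mktemp)
    pf_sample_conf > "$tmp"
    pf_nested_inline_rules "$tmp"
    rm -f "$tmp"
fi
```

Running it on the sample prints the `daytime` rule only (`9: pass in quick proto tcp to port daytime`), while the `ssh` and `time` rules at depth 1 pass the check; rewriting the flagged anchor as a regular anchor loaded with `load anchor "an2" from "file"`, as the reporter did, makes the audit come back clean.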
A commit references this bug:

Author: kp
Date: Sat Mar 2 12:30:59 UTC 2019
New revision: 344720
URL: https://svnweb.freebsd.org/changeset/base/344720

Log:
  pf tests: Test for nested inline anchor issue

  PR:           196314
  MFC after:    1 week

Changes:
  head/tests/sys/netpfil/pf/pass_block.sh
A commit references this bug:

Author: kp
Date: Sat Mar 9 10:35:37 UTC 2019
New revision: 344967
URL: https://svnweb.freebsd.org/changeset/base/344967

Log:
  MFC r344720:

  pf tests: Test for nested inline anchor issue

  PR:           196314

Changes:
_U  stable/12/
  stable/12/tests/sys/netpfil/pf/pass_block.sh