DaemonForums > OpenBSD > OpenBSD Security
#1
Old 24th July 2010
sousa
New User
 
Join Date: Jan 2009
Posts: 3
Inline nested anchors issue

Hello,

I've been playing with anchors and ran into an issue.

Code:
 --------                               ------
|        |wpi0                     ath0|      |
| Laptop |-----------------------------|  AP  |
|        |192.168.2.60      192.168.2.1|      |
 --------                               ------
With this pf.conf on the access point, I can ping ath0 from a wireless client. The client has pf disabled.

Code:
set block-policy return
set skip on lo

block all
anchor "wireless" on ath0 {
    pass in all
}
If I [only] change the anchor as shown below, it still works.

Code:
anchor in {
    pass in all
}
When I nest anchors, it stops working.
Code:
anchor "wireless" on ath0 {
    anchor in {
        pass in all
    }
}
I'm unsure whether this is a bug or if I'm missing something.
I did not try this on -current, only on 4.7-stable.

Any pointers/insights?

Thanks.
#2
Old 24th July 2010
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by sousa View Post
When I nest anchors, it stops working.
Code:
anchor "wireless" on ath0 {
    anchor in {
        pass in all
    }
}
Two questions:
  • What happens if you actually name the inner anchor? Yes, both pf.conf(5) and the Anchor section of the PF User's Guide state that inner anchors don't need to be named, but humour me...
  • Likewise, what happens when "in" above (colored in red...) is omitted?
#3
Old 24th July 2010
sousa
New User
 
Join Date: Jan 2009
Posts: 3

Quote:
Originally Posted by ocicat View Post
Two questions:
  • What happens if you actually name the inner anchor?
  • Likewise, what happens when "in" above (colored in red...) is omitted?
Still doesn't work in both cases. Good suggestion, though. Thanks.
#4
Old 24th July 2010
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 3,318

Quote:
Originally Posted by sousa View Post
Still doesn't work in both cases.
...& your example is similar to the following thread found in the official misc@ archives:

http://marc.info/?t=110796618500002&r=1&w=2

Depending upon what kind of resolution you want, my suggestion would be to post on misc@ with as much detail as possible. With the rapid changes that Henning has been making to pf(4), it is unclear as to whether this is expected, unexpected, or not fully implemented. Bonus points will be given if testing is done on -current too.
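The ruleset below is an added example, not from any post in this thread: it applies ocicat's two suggestions (a named inner anchor, no direction on it) to sousa's access-point configuration and lists the pfctl(8) commands that show whether the nested anchor was actually loaded and whether its rules are ever evaluated, which is the detail a misc@ report would need. The anchor name "clients" and the use of icmp as the test traffic are assumptions for the example.

```pf
# Constructed pf.conf for the access point in this thread; ath0 is the
# wireless interface as in the original posts.
set block-policy return
set skip on lo

block all

# Outer anchor: evaluated only for packets on ath0.
anchor "wireless" on ath0 {
    # Inner anchor, named and without a direction (ocicat's two
    # suggestions). Its rules are only evaluated when the enclosing
    # anchor rule matches.
    anchor "clients" {
        # Test traffic: the ping from the wireless client.
        pass in proto icmp
    }
}

# Verification steps (run as root on the access point):
#   pfctl -nf /etc/pf.conf        # parse only; reports syntax errors
#   pfctl -f /etc/pf.conf         # load the ruleset
#   pfctl -vsA                    # list anchors recursively; expect "wireless/clients"
#   pfctl -a 'wireless/*' -sr     # rules in "wireless" and every anchor nested below it
#   pfctl -a 'wireless/*' -vvsr   # same, with per-rule evaluation and packet counters
#
# Reading the result while pinging from the client:
#   - "wireless/clients" missing from pfctl -vsA: the inner anchor was
#     never loaded, so the problem is in parsing/loading.
#   - anchor listed, but the inner pass rule's Evaluations counter stays
#     at 0 while the outer anchor's counter climbs: the nested anchor is
#     loaded but not consulted, so the problem is in evaluation.
# Either observation, with the OpenBSD version and this pf.conf, is what
# to include when posting to misc@.
```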