OpenBSD Journal

u2k20 Hackathon Report: Alexandr Nedvedicky on PF anchors work

Contributed by Peter N. M. Hansteen on from the puffing up for re-anchoring dept.

The first report from the just concluded u2k20 hackathon comes from Alexandr Nedvedicky (sashan@), who writes:
How to read a commit message (a.k.a. thank you Thomas for u2k20)

Commit messages just capture the brief summary of changes. Believe it or not, there is a story behind every single commit you may find in a project history. Especially if you read there a short phrase 'discussed with many' or 'input by many'. In cases like this you can always bet the story is not short.

I'd like to share one such story with you today. All 'commit stories' start with a bug report. This particular change is no exception. Everything started back in December 2018. A pf(4) user complained it was impossible to get rid of 'anonymous' anchors on their systems. The anchors with names "_1", "_1/_2/_3" were always left behind no matter what '-F' option was being used. I was not interested in creating a long story, hence I proposed a simple one-liner diff, expecting a short answer with 'OK'.

I did not like reading the first reply email from 'kn@', saying more work needed to be done if I wanted to get it fixed. The good thing was kn@ and I agreed the things needed to get fixed; we were disagreeing on the how part: kn@ preferring a systematic approach, versus me preferring a simple one-line hack. The first idea was to garbage collect unreferenced/orphaned anchors. The automatic garbage collector is hard and risky to implement. Instead of going that way I decided to take a different route: let's teach pfctl(8) to flush anchors recursively. With each new iteration of the change more people stepped in. I've received feedback on the '-FNuke' option privately. I soon understood that 'Nuke' was not the right name.

Changing '-FNuke' to '-FUnconfigure' opens yet another possibility for a small improvement. The idea was to use a single action to reset pf(4) back to a state like before the rules are loaded for the first time. As tedu@ pointed out, there would be too many actions happening on behalf of a single '-FUnconfigure' option. And that's how '-Freset' was born. The '-Freset' soon took off to create its own story.

The only remaining part to sort out was to find a better name for the '-FUnconfigure' action. Fortunately there is always someone around with a better idea. It was sthen@ this time. His suggestion to just re-use the existing "-a '*'" pfctl(8) option was indeed a finishing touch, which made all things fit together seamlessly.

Looking back, everything could have been done with a simple one-liner diff, which was just good enough for my particular use case. But the diff itself would not bring much improvement to pf(4). It feels so good to see how quite a few people helped me to put stuff in shape, which brings us one step closer towards perfect pf(4).

Our story has been closed during the u2k20 hackathon in Uckermark. I'm happy kn@ and I both could make it to the same hackroom. Face to face discussion in the hackroom is always the fastest means of communication. Thomas did more than an excellent job to keep 14 hackers warm and fed. Being at Uckermark was so refreshing (at least for me). Although feeling 'being fresh again' is the very last thing one can expect to bring back home from hackathons. Thanks!
