From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260973] pf: firewall rules stop matching when vnet jails share interface names with the host
Date: Mon, 14 Feb 2022 15:37:06 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 13.0-STABLE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260973

--- Comment #3 from Kristof Provost ---
With the disclaimer that this is entirely from memory and may be incorrect or
outdated:

I'm aware of several somewhat related issues around interface naming. One is
this, that when an interface is moved between vnets (e.g. when the jail it
lives in goes away) there's no check for name collisions. That's non-trivial to
solve, because the relevant code paths often have no ability to return errors
if there's a name collision and the locking around interface names is also
unclear (and likely wrong in several places).

There's a loosely related issue with interface groups as well (see #218895,
#202178). Now that interfaces can be renamed it's possible to have an interface
group and an interface with the same name (and the interface need not even be a
member of the group). This has previously triggered panics in pf, as it assumes
that interfaces and interface groups share a namespace (and this was
historically the case, in that interfaces always ended with a number and groups
never did. The former is no longer the case, but the latter is still enforced).
This issue too is difficult to solve for the same reasons as the problem
described in this bug (lack of error paths, unclear locking).

When I looked at it last I estimated this to be a significant (plausibly
multi-month) effort to fix. I do not expect to work on these problems any time
soon.

-- 
You are receiving this mail because:
You are the assignee for the bug.