[Bug 295064] pfctl: rejects digit-prefixed interface names in dynamic address references
Date: Wed, 06 May 2026 19:56:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295064
Bug ID: 295064
Summary: pfctl: rejects digit-prefixed interface names in dynamic address references
Product: Base System
Version: 15.1-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: hayzam@alchemilla.io
FreeBSD allows cloned interfaces such as bridges to be renamed to names that
begin with a digit. For example:
# ifconfig bridge create
bridge0
# ifconfig bridge0 name 4igTLYjs
# ifconfig 4igTLYjs
4igTLYjs: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: test
        options=10<VLAN_HWTAGGING>
        ether 58:9c:fc:10:f8:0a
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        bridge flags=0<>
        groups: bridge
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
However, pfctl appears to reject the same interface name when it is used as a
dynamic interface-address reference in a PF NAT rule.
For example:
nat on 4igTLYjs from 10.0.0.0/24 to any -> (4igTLYjs)
The interface name is accepted in the `on 4igTLYjs` portion of the rule, but
appears to fail when referenced as `(4igTLYjs)`.
Steps to reproduce:
1. Create a bridge interface:
# ifconfig bridge create
2. Rename it to a name beginning with a digit:
# ifconfig bridge0 name 4igTLYjs
3. Add the following PF rule:
nat on 4igTLYjs from 10.0.0.0/24 to any -> (4igTLYjs)
4. Validate or load the ruleset:
# pfctl -nf /etc/pf.conf
Actual result:
pfctl rejects or fails to parse the rule when the digit-prefixed interface
name is used inside parentheses as a dynamic interface-address reference.
Expected result:
pfctl should consistently accept interface names that can exist on the
system, including names beginning with digits, or the restriction should be
documented and enforced consistently elsewhere.
Notes:
This creates a mismatch between the network interface layer and PF. Software
that generates interface names automatically may create valid interface names
accepted by ifconfig, but those names can later fail when used in PF NAT rules.
This is especially easy to hit when using hash-derived interface names, since
the generated name may occasionally begin with a digit.
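As an added example, not part of the bug report, a Python sketch of the failure mode the notes describe: a constructed hash-derived naming scheme, how often it yields a leading digit, a variant that draws the first character from letters only, and a pre-flight lint for `(ifname)` references before a ruleset reaches `pfctl -nf`. The derivation scheme, the leading-letter/15-character policy and the sample rules are assumptions of this example, not anything the report specifies.

```python
import hashlib
import re
import string

# Constructed naming scheme: 8 base62 characters from SHA-256 of a stable key,
# well under FreeBSD's IFNAMSIZ (16, so 15 usable characters).
ALPHABET = string.digits + string.ascii_letters
IFNAME_LEN = 8
# Matches '(name)', '(name:0)', '(name:network)' style dynamic address references.
DYNADDR_RE = re.compile(r"\(([0-9A-Za-z_]+)(?::[0-9A-Za-z]+)*\)")


def derive_ifname(key: str, letter_first: bool = False, length: int = IFNAME_LEN) -> str:
    """Hash-derived interface name. With letter_first the first position is drawn
    from letters only, so the name can never begin with a digit."""
    n = int.from_bytes(hashlib.sha256(key.encode()).digest(), "big")
    chars = []
    for pos in range(length):
        alphabet = string.ascii_letters if (letter_first and pos == 0) else ALPHABET
        n, r = divmod(n, len(alphabet))
        chars.append(alphabet[r])
    return "".join(chars)


def pf_dynaddr_safe(name: str) -> bool:
    """Assumed conservative policy for names used as '(ifname)': leading letter,
    then alphanumerics, at most 15 characters."""
    return re.fullmatch(r"[A-Za-z][0-9A-Za-z]{0,14}", name) is not None


def digit_prefix_rate(samples: int, letter_first: bool = False) -> float:
    """Share of derived names beginning with a digit over constructed keys
    (about 10/62 without letter_first, exactly 0 with it)."""
    keys = (f"link-{i}" for i in range(samples))
    return sum(derive_ifname(k, letter_first)[0].isdigit() for k in keys) / samples


def nat_rule(ifname: str, src_net: str) -> str:
    """Emit the rule shape from the report, refusing names the policy rejects."""
    if not pf_dynaddr_safe(ifname):
        raise ValueError(f"{ifname!r} is not safe as a pf dynamic address reference")
    return f"nat on {ifname} from {src_net} to any -> ({ifname})"


def lint_ruleset(text: str) -> list:
    """Pre-flight check before 'pfctl -nf': (line number, name) for every
    dynamic address reference whose name starts with a digit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name in DYNADDR_RE.findall(line):
            if name[0].isdigit():
                hits.append((lineno, name))
    return hits
```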