Re: pf label $nr macro expand reproducable bug

From: Özkan KIRIK <ozkan.kirik_at_gmail.com>
Date: Wed, 22 Sep 2021 12:47:50 +0300
Hi Kristof,

I tried many things and I found the real problem to reproduce the bug.
Tested with the latest stable/12.
And also tested with Live CD without installing
(https://download.freebsd.org/ftp/snapshots/ISO-IMAGES/12.2/FreeBSD-12.2-STABLE-amd64-20210916-r370608-disc1.iso).
The result is same.

My determination is the problem in the rule optimizer of pf. You can
see the difference with / without ruleset optimization.
Without ruleset optimization, $nr macro expanding is true. otherwise false.

if the interface used in the rule, have multiple IP addresses that
rule optimizer removes lines then the rule number expanding fails. ie:

# cat pf.conf
pass quick on lo from lo:network to lo:network
pass quick all label "ruleNo:$nr"

# ifconfig lo0 inet 127.0.0.2/32 alias
# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
    inet 127.0.0.1 netmask 0xff000000
    inet 127.0.0.2 netmask 0xffffffff
    groups: lo extra
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
# pfctl -f pf.conf
# pfctl -sr -vvv
_at_0 pass quick on lo inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3694 State Creations: 0     ]
_at_1 pass quick on lo inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3694 State Creations: 0     ]
_at_2 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3694 State Creations: 0     ]

# pfctl -o none -f /antikor/etc/pf/x.conf
# pfctl -sr -vvv
_at_0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
_at_1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
_at_2 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
_at_3 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
_at_4 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
_at_5 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]

Thank you

On Sat, Sep 18, 2021 at 11:10 AM Kristof Provost <kp_at_freebsd.org> wrote:
>
> On 15 Sep 2021, at 9:43, Özkan KIRIK wrote:
> > I'm using FreeBSD stable/12.
> > I've tested this situation on stable/12 both 0f97f2a1857a (Jul 26
> > 2021) and ebb3327d09ce (Sep 14) build.
> >
> > label $nr macro is works as expected for most of rules. But with the
> > example below $nr macro was expanded incorrectly. Outputs are below.
> >
> > If you need, I can open a PR.
> >
> > # ifconfig -g lo
> > lo0
> >
> > Experiment #1: The right output should be "ruleNo:2", but system
> > expands as "ruleNo:257".
> >
> I can’t reproduce this, either on main or on stable/12.
>
> Br,
> Kristof
Received on Wed Sep 22 2021 - 09:47:50 UTC

Original text of this message