From nobody Wed Sep 22 09:47:50 2021 X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 61C79175B63D for ; Wed, 22 Sep 2021 09:48:03 +0000 (UTC) (envelope-from ozkan.kirik@gmail.com) Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "GTS CA 1O1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HDtl649XZz4nXX; Wed, 22 Sep 2021 09:48:02 +0000 (UTC) (envelope-from ozkan.kirik@gmail.com) Received: by mail-ua1-x935.google.com with SMTP id p9so1437805uak.4; Wed, 22 Sep 2021 02:48:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7ssBh5CfdE4Pt3JtLVfafKo67awgMxlj/j0aWGVlfdo=; b=HxOnAd4pYgycshHUqBXkpfNzkMWafiIe+zSByycTUNBexC/i+afrNIJMztagNuyUQ1 cz9uIEDwWVaf490U21KH/TP6w0w2/GxDrRaqEsQJG37RSqP1uiZIomj6fJlPS4qQcxkw z7ejxzfNKCv5oEmg8T4gYP5wtBqlJm8npb9dLZVQWZx97t0X5AM98Z5eE3xk3pQKs73e ym5TnZYZHOMQfI3bWU0y8A6HKRR2P8M7mPWiwme+MubDROAIXwJOw1NbAVmxVovmkjra sUcbyV7SZRxD8bbIpT8GRi3NMBjzN7xLj1Mr5ItlZg6ynHMaeGON/SYXOsSrqk6zU/0G eocA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7ssBh5CfdE4Pt3JtLVfafKo67awgMxlj/j0aWGVlfdo=; b=Hz4DPYWtdvgvKvGXG6+Gf10YZpUCb6om5dwcalxxv5TpaCOeVyOberWMkZXDUvxM7q 9avFHj4ixDF5KoBAb98EyDwYZzAmUJD8MMKM0a9/7jx9uCTUIK/8i4cj6Hj8K1GP5gAj kI0byebZS13pdTqTC+0Rl4EwJJaVGMIUMqCqwHzX1PXnMIV/5P8TOVLa3CaI8V4dipo+ 52wbEmtaCXq7RSAVuiAeRHO7TZ4qTU0l9pyIEyrF+gHLyYFyYVS2slL9fIwypOtahl31 joqmnHvhkzvyb5N0OpLxqx6NFYMyCEGCS5DoTp0q72JKWIrb4pbT/rxwnu37k+rp1v9Z 97gw== X-Gm-Message-State: AOAM533OtMq4Xkv5Twjb3A+jJa6HAybXahQapQG7g4/mu817upJiOknr BkcmFWO6zbniDWMixiywwEF8DFlLJOkBlf8r58SNM5XtFbk= X-Google-Smtp-Source: ABdhPJyTjLci8Etn1q02uTx2YmgmKF6vuhL3S8U28PcYi5OWP64Qz2qJoPfhjwb/tgQpmmwkzJGj6oQRFnRCWhvhAgY= X-Received: by 2002:ab0:73d7:: with SMTP id m23mr20567828uaq.118.1632304081522; Wed, 22 Sep 2021 02:48:01 -0700 (PDT) List-Id: Technical discussion and general questions about packet filter (pf) List-Archive: https://lists.freebsd.org/archives/freebsd-pf List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org MIME-Version: 1.0 References: <90E32279-76C0-4D81-B209-BE85A181F874@FreeBSD.org> In-Reply-To: <90E32279-76C0-4D81-B209-BE85A181F874@FreeBSD.org> From: =?UTF-8?B?w5Z6a2FuIEtJUklL?= Date: Wed, 22 Sep 2021 12:47:50 +0300 Message-ID: Subject: Re: pf label $nr macro expand reproducable bug To: Kristof Provost Cc: freebsd-pf@freebsd.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Queue-Id: 4HDtl649XZz4nXX X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20210112 header.b=HxOnAd4p; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of ozkankirik@gmail.com designates 2607:f8b0:4864:20::935 as permitted sender) smtp.mailfrom=ozkankirik@gmail.com X-Spamd-Result: default: False [-3.00 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; R_DKIM_ALLOW(-0.20)[gmail.com:s=20210112]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36:c]; FREEMAIL_FROM(0.00)[gmail.com]; MIME_GOOD(-0.10)[text/plain]; SUBJECT_HAS_CURRENCY(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; MID_RHS_MATCH_FROMTLD(0.00)[]; DKIM_TRACE(0.00)[gmail.com:+]; RCPT_COUNT_TWO(0.00)[2]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::935:from]; NEURAL_HAM_SHORT(-1.00)[-1.000]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; TAGGED_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-ThisMailContainsUnwantedMimeParts: N Hi Kristof, I tried many things and I found the real problem to reproduce the bug. Tested with the latest stable/12. And also tested with Live CD without installing (https://download.freebsd.org/ftp/snapshots/ISO-IMAGES/12.2/FreeBSD-12.2-ST= ABLE-amd64-20210916-r370608-disc1.iso). The result is same. My determination is the problem in the rule optimizer of pf. You can see the difference with / without ruleset optimization. Without ruleset optimization, $nr macro expanding is true. otherwise false. if the interface used in the rule, have multiple IP addresses that rule optimizer removes lines then the rule number expanding fails. ie: # cat pf.conf pass quick on lo from lo:network to lo:network pass quick all label "ruleNo:$nr" # ifconfig lo0 inet 127.0.0.2/32 alias # ifconfig lo0 lo0: flags=3D8049 metric 0 mtu 16384 options=3D680003 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 inet 127.0.0.1 netmask 0xff000000 inet 127.0.0.2 netmask 0xffffffff groups: lo extra nd6 options=3D21 # pfctl -f pf.conf # pfctl -sr -vvv @0 pass quick on lo inet6 from ::1 to ::1 flags S/SA keep state [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 3694 State Creations: 0 ] @1 pass quick on lo inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep st= ate [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 3694 State Creations: 0 ] @2 pass quick all flags S/SA keep state label "ruleNo:5" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 3694 State Creations: 0 ] # pfctl -o none -f /antikor/etc/pf/x.conf # pfctl -sr -vvv @0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA keep state [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 5959 State Creations: 0 ] @1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep s= tate [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 5959 State Creations: 0 ] @2 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.2 flags S/SA keep sta= te [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 5959 State Creations: 0 ] @3 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.0/8 flags S/SA keep sta= te [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 5959 State Creations: 0 ] @4 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.2 flags S/SA keep state [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 5959 State Creations: 0 ] @5 pass quick all flags S/SA keep state label "ruleNo:5" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 = ] [ Inserted: uid 0 pid 5959 State Creations: 0 ] Thank you On Sat, Sep 18, 2021 at 11:10 AM Kristof Provost wrote: > > On 15 Sep 2021, at 9:43, =C3=96zkan KIRIK wrote: > > I'm using FreeBSD stable/12. > > I've tested this situation on stable/12 both 0f97f2a1857a (Jul 26 > > 2021) and ebb3327d09ce (Sep 14) build. > > > > label $nr macro is works as expected for most of rules. But with the > > example below $nr macro was expanded incorrectly. Outputs are below. > > > > If you need, I can open a PR. > > > > # ifconfig -g lo > > lo0 > > > > Experiment #1: The right output should be "ruleNo:2", but system > > expands as "ruleNo:257". > > > I can=E2=80=99t reproduce this, either on main or on stable/12. > > Br, > Kristof