git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV

Kristof Provost kp at FreeBSD.org
Sat Apr 24 13:18:50 UTC 2021


On 24 Apr 2021, at 14:12, Florian Smeets wrote:
> On 10.04.21 11:16, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: 
>> https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>>
>> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
>> Author:     Kristof Provost <kp at FreeBSD.org>
>> AuthorDate: 2021-03-12 17:03:14 +0000
>> Commit:     Kristof Provost <kp at FreeBSD.org>
>> CommitDate: 2021-04-10 09:16:01 +0000
>>
>>      pfctl: Move to DIOCADDRULENV
>>
>>      Start using the new nvlist based ioctl to add rules.
>>
>>      MFC after:      4 weeks
>>      Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>      Differential Revision:  https://reviews.freebsd.org/D29558
>
> Hi Kristof,
>
> this commit breaks my previously working rule set. Using a pfctl from 
> before this commit works with a kernel from yesterday's sources.
>
> This is the smallest rule set I could come up with. It doesn't matter 
> whether I use macros in the list or not. The int_if stuff is only 
> there to not lock myself out of the system.
>
> It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't 
> work.
>
> int_if="em0"
> set skip on $int_if
>
> # not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
> # each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
>
> # working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
>
> Another interesting point is the following rules work with -o none, 
> but not with -o basic, which I guess points to list or maybe table 
> handling?
>
> pass in proto tcp to 192.168.0.1 port ssh
> pass in proto tcp to 192.168.0.2 port ssh
> pass in proto tcp to 192.168.0.3 port ssh
> pass in proto tcp to 192.168.0.4 port ssh
> pass in proto tcp to 192.168.0.5 port ssh
> pass in proto tcp to 192.168.0.6 port ssh
> pass in proto tcp to 192.168.0.7 port ssh
>
> I think you should be able to reproduce this easily, if you need 
> anything else, please let me know.
>
Yeah, I see what’s happening here. The optimiser creates an automatic 
table, and the table name is longer than IFNAMSIZ. That’s fine, 
because it’s stored in a union that has tblname, which is sufficiently 
long for that name. The problem is that the nvlist code unconditionally 
reads the ifname as well, and the automatic name is longer than 
IFNAMSIZ.
It’s a simple matter of (a) cursing the old pf data structures for 
being awful and (b) only reading ifname (or tblname) for the appropriate 
addr type.

I’m testing a patch now.

Best regards,
Kristof
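The failure Kristof describes above, modelled as an added C example that is not pf's or pfctl's own code: a simplified stand-in for the pf_addr_wrap name union (ifname overlapping the longer tblname, with the FreeBSD sizes IFNAMSIZ 16 and PF_TABLE_NAME_SIZE 32) and two decoders for the name that arrives over the nvlist ioctl. The enum values, the plain struct used in place of a real nvlist, and the sample names are all constructed for illustration.

```c
/* Constructed model of the pf_addr_wrap name union and of two ways to decode
 * the name carried in the nvlist rule. Not pf's own code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer sizes as on FreeBSD: IFNAMSIZ is 16, PF_TABLE_NAME_SIZE is 32. */
#define IFNAMSIZ 16
#define PF_TABLE_NAME_SIZE 32

/* Address kinds relevant here (names modelled on pf, values constructed). */
enum addr_type { ADDR_ADDRMASK, ADDR_DYNIFTL, ADDR_TABLE };

/* Simplified stand-in for struct pf_addr_wrap: the type selects which union
 * member is meaningful. tblname overlaps ifname and is twice as long. */
struct addr_wrap {
	uint8_t type;
	union {
		char ifname[IFNAMSIZ];
		char tblname[PF_TABLE_NAME_SIZE];
	} v;
};

/* Constructed stand-in for the decoded nvlist: the address type plus the one
 * name string the encoder wrote. */
struct addr_nv {
	uint8_t type;
	const char *name;
};

/* Copy a NUL-terminated string into a fixed buffer; EINVAL if it does not fit.
 * This mirrors a strlcpy followed by a length check. */
static int
copy_bounded(char *dst, size_t dstsz, const char *src)
{
	size_t n = strlen(src);
	if (n >= dstsz)
		return (EINVAL);
	memcpy(dst, src, n + 1);
	return (0);
}

/* Buggy shape: read the name into ifname regardless of type, then into
 * tblname for tables. A table name of IFNAMSIZ or more characters already
 * fails the first copy, which is the "Invalid argument" seen in the report. */
int
decode_unconditional(const struct addr_nv *in, struct addr_wrap *out)
{
	int error;

	memset(out, 0, sizeof(*out));
	out->type = in->type;
	error = copy_bounded(out->v.ifname, IFNAMSIZ, in->name);
	if (error != 0)
		return (error);
	if (in->type == ADDR_TABLE)
		error = copy_bounded(out->v.tblname, PF_TABLE_NAME_SIZE, in->name);
	return (error);
}

/* Fixed shape: only the member that belongs to the address type is read, and
 * the bound is that member's own size. */
int
decode_by_type(const struct addr_nv *in, struct addr_wrap *out)
{
	memset(out, 0, sizeof(*out));
	out->type = in->type;
	switch (in->type) {
	case ADDR_DYNIFTL:
		return (copy_bounded(out->v.ifname, IFNAMSIZ, in->name));
	case ADDR_TABLE:
		return (copy_bounded(out->v.tblname, PF_TABLE_NAME_SIZE, in->name));
	default:
		return (0);	/* a plain address/mask carries no name */
	}
}

/* Decode one constructed input with either decoder and return the error
 * code (0 = rule accepted). */
int
decode_result(int by_type, uint8_t type, const char *name)
{
	struct addr_wrap w;
	struct addr_nv in = { type, name };

	return (by_type ? decode_by_type(&in, &w) : decode_unconditional(&in, &w));
}

int
main(void)
{
	/* Constructed names: a short interface and an optimiser-style automatic
	 * table name (27 characters) that no longer fits in ifname. */
	const char *ifn = "em0";
	const char *tbl = "__automatic_example_table_0";

	printf("unconditional, table  %s: %d\n", tbl, decode_result(0, ADDR_TABLE, tbl));
	printf("by type,       table  %s: %d\n", tbl, decode_result(1, ADDR_TABLE, tbl));
	printf("by type,       ifname %s: %d\n", ifn, decode_result(1, ADDR_DYNIFTL, ifn));
	return (0);
}
```

The only difference between the two decoders is which union member is read and with which bound; the unconditional version rejects every table name of 16 or more characters even though tblname has room for it, which is exactly the threshold behaviour the report shows once the optimiser turns a long enough host list into an automatic table.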

