From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 258751] race between pfi_kkif_update() and if_addgroup()
Date: Mon, 27 Sep 2021 19:32:23 +0000
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258751

Mark Johnston changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bugs@FreeBSD.org            |pf@FreeBSD.org

--
You are receiving this mail because:
You are the assignee for the bug.

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 258751] race between pfi_kkif_update() and if_addgroup()
Date: Wed, 29 Sep 2021 15:19:59 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258751

Kristof Provost changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp@freebsd.org

--- Comment #1 from Kristof Provost ---
That looks like a plausible issue, yes.

Arguably we should be running the event handler under the IFNET_WLOCK to
ensure this sort of order reversal doesn't happen. I'm sure that'd have all
sorts of other problems though.

Initialising ifg_pf_kif to NULL and skipping such groups in pfi_kkif_update()
would at least avoid the panic, but I suspect it'd leave pf subtly out of sync
with the real interface state (and address assignments), which is going to
cause very subtle and impossible to debug problems of its own.
We'd probably avoid those if we called pfi_kkif_update() from
pfi_kkif_attach(), but the last time I touched if groups for pf it took a year
for the fallout to settle.

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 258601] kernel panic/pagefault caused by pfctl -s info
Date: Thu, 30 Sep 2021 12:22:06 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258601

--- Comment #13 from commit-hook@FreeBSD.org ---
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3c9253c2f6d1f076ef35a5538b207a5cc866480f

commit 3c9253c2f6d1f076ef35a5538b207a5cc866480f
Author:     Kristof Provost
AuthorDate: 2021-09-23 08:39:49 +0000
Commit:     Kristof Provost
CommitDate: 2021-09-30 11:51:32 +0000

    pf: fix pagefault in pf_getstatus()

    We can't copyout() while holding a lock, in case it triggers a page
    fault. Release the lock before copyout, which is safe because we've
    already copied all the data into the nvlist.

    PR:             258601
    Reviewed by:    mjg
    MFC after:      1 week
    Sponsored by:   Modirum MDPay
    Differential Revision:  https://reviews.freebsd.org/D32076

    (cherry picked from commit cb13059663e455b3fc69c293dadec53c164490dc)

 sys/netpfil/pf/pf_ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

From: bugzilla-noreply@freebsd.org
To: pf@FreeBSD.org
Subject: [Bug 258601] kernel panic/pagefault caused by pfctl -s info
Date: Thu, 30 Sep 2021 12:22:08 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258601

--- Comment #14 from commit-hook@FreeBSD.org ---
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9419d273e4718ee8c768865cd73a3b907f365d8d

commit 9419d273e4718ee8c768865cd73a3b907f365d8d
Author:     Kristof Provost
AuthorDate: 2021-09-23 08:39:49 +0000
Commit:     Kristof Provost
CommitDate: 2021-09-30 07:54:44 +0000

    pf: fix pagefault in pf_getstatus()

    We can't copyout() while holding a lock, in case it triggers a page
    fault. Release the lock before copyout, which is safe because we've
    already copied all the data into the nvlist.

    PR:             258601
    Reviewed by:    mjg
    MFC after:      1 week
    Sponsored by:   Modirum MDPay
    Differential Revision:  https://reviews.freebsd.org/D32076

    (cherry picked from commit cb13059663e455b3fc69c293dadec53c164490dc)

 sys/netpfil/pf/pf_ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

From: Kristof Provost
To: Özkan KIRIK
Cc: freebsd-pf@freebsd.org
Subject: Re: pf label $nr macro expand reproducable bug
Date: Sat, 02 Oct 2021 18:03:31 +0200

On 22 Sep 2021, at 11:47, Özkan KIRIK wrote:

> Hi Kristof,
>
> I tried many things and I found the real problem to reproduce the bug.
> Tested with the latest stable/12.
> And also tested with Live CD without installing
> (https://download.freebsd.org/ftp/snapshots/ISO-IMAGES/12.2/FreeBSD-12.2-STABLE-amd64-20210916-r370608-disc1.iso).
> The result is same.
>
> My determination is the problem in the rule optimizer of pf. You can
> see the difference with / without ruleset optimization.
> Without ruleset optimization, $nr macro expanding is true. otherwise
> false.
>
> if the interface used in the rule, have multiple IP addresses that
> rule optimizer removes lines then the rule number expanding fails. ie:
>

Yeah, that makes sense. It looks like the problem is that we expand the
$nr tag before the ruleset optimisation, so we end up using the wrong
rule number.

As a first attempt this also seems to work:

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y index 89d5f330da47..eb38fd9e344e 100644 --- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y @@ -330,14 +330,12 @@ int filter_consistent(struct = pfctl_rule *, int); int nat_consistent(struct pfctl_rule *); int rdr_consistent(struct pfctl_rule *); int process_tabledef(char *, struct table_opts *); -void expand_label_str(char *, size_t, const char *, const = char *); void expand_label_if(const char *, char *, size_t, const = char *); void expand_label_addr(const char *, char *, size_t, = u_int8_t, struct node_host *); void expand_label_port(const char *, char *, size_t, struct node_port *); void expand_label_proto(const char *, char *, size_t, = u_int8_t); -void expand_label_nr(const char *, char *, size_t); void expand_label(char *, size_t, const char *, u_int8_t, struct node_host *, struct node_port *, struct = node_host *, struct node_port *, u_int8_t); @@ -5125,17 +5123,6 @@ expand_label_proto(const char *name, char = *label, size_t len, u_int8_t proto) } } -void -expand_label_nr(const char *name, char *label, size_t len) -{ - char n[11]; - - if (strstr(label, name) !=3D NULL) { - snprintf(n, sizeof(n), "%u", pf->anchor->match); - expand_label_str(label, len, name, n); - } -} - void expand_label(char *label, size_t len, const char *ifname, sa_family_t = af, struct node_host *src_host, struct node_port *src_port, @@ -5148,7 +5135,6 @@ expand_label(char *label, size_t len, const char = *ifname, sa_family_t af, expand_label_port("$srcport", label, len, src_port); expand_label_port("$dstport", label, len, dst_port); expand_label_proto("$proto", label, len, proto); - expand_label_nr("$nr", label, len); } int diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index d7bde0012e9b..749d73705f45 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c 
@@ -1528,6 +1528,15 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, = struct pfctl_ruleset *rs, while ((r =3D TAILQ_FIRST(rs->rules[rs_num].active.ptr)) !=3D NU= LL) = { TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries); + char n[11]; + snprintf(n, sizeof(n), "%u", r->nr); + for (int i =3D 0; i < PF_RULE_MAX_LABEL_COUNT; i++) { + expand_label_str(r->label[i], = PF_RULE_LABEL_SIZE, + "$nr", n); + } + expand_label_str(r->tagname, PF_TAG_NAME_SIZE, "$nr", = n); + expand_label_str(r->match_tagname, PF_TAG_NAME_SIZE, = "$nr", n); + if ((error =3D pfctl_load_rule(pf, path, r, depth))) goto error; if (r->anchor) { diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h index 80ef184fa90f..d725341d1cd7 100644 --- a/sbin/pfctl/pfctl.h +++ b/sbin/pfctl/pfctl.h 
@@ -139,5 +139,6 @@ struct pfctl_ruleset *pf_find_ruleset(const = char *); struct pfctl_ruleset *pf_find_or_create_ruleset(const char *); const char *pfctl_proto2name(int); +void expand_label_str(char *, size_t, const char *, const char *); #endif /* _PFCTL_H_ */

I think I want to restructure that a bit, but this should already work.

Best regards,
Kristof

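Review bot: In the pfctl_load_ruleset() hunk of pfctl.c, "char n[11];" and the snprintf() sit after the TAILQ_REMOVE() statement and the loop counter is declared inside the for; move the declarations to the top of the block. The new code also calls expand_label_str() unconditionally on every r->label[i], on r->tagname and on r->match_tagname, while the removed expand_label_nr() first checked "strstr(label, name) != NULL"; either keep that guard or note that expand_label_str() leaves a string without "$nr" untouched. A one-line comment saying that $nr is expanded here because r->nr is only final at load time would record why this macro is handled apart from the others.
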
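Review bot: In the parse.y hunks, dropping expand_label_nr("$nr", label, len) from expand_label() leaves $nr as the only label macro that is no longer expanded at parse time, and its value changes from pf->anchor->match to r->nr. The patch description should state both points, and it is worth confirming that every caller that relied on expand_label() for $nr ends up in pfctl_load_ruleset(), since labels that never pass through that loop would now keep a literal "$nr".
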
From: Özkan KIRIK
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: pf label $nr macro expand reproducable bug
Date: Sat, 2 Oct 2021 20:31:37 +0300

Thank you! I'll try it.

Have a nice day,
Best regards,
Ozkan

On Sat, Oct 2, 2021 at 7:03 PM Kristof Provost wrote:
>
> On 22 Sep 2021, at 11:47, Özkan KIRIK wrote:
>
> Hi Kristof,
>
> I tried many things and I found the real problem to reproduce the bug.
> Tested with the latest stable/12.
> And also tested with Live CD without installing
> (https://download.freebsd.org/ftp/snapshots/ISO-IMAGES/12.2/FreeBSD-12.2-STABLE-amd64-20210916-r370608-disc1.iso).
> The result is same.
>
> My determination is the problem in the rule optimizer of pf. You can
> see the difference with / without ruleset optimization.
> Without ruleset optimization, $nr macro expanding is true. otherwise false.
>
> if the interface used in the rule, have multiple IP addresses that
> rule optimizer removes lines then the rule number expanding fails. ie:
>
>
> Yeah, that makes sense. It looks like the problem is that we expand the $nr tag before the ruleset optimisation, so we end up using the wrong rule number.
>
> As a first attempt this also seems to work:
>
> diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y > index 89d5f330da47..eb38fd9e344e 100644 > --- a/sbin/pfctl/parse.y > +++ b/sbin/pfctl/parse.y
> @@ -330,14 +330,12 @@ int filter_consistent(struct pfctl_r= ule *, int); > int nat_consistent(struct pfctl_rule *); > int rdr_consistent(struct pfctl_rule *); > int process_tabledef(char *, struct table_opts *); > -void expand_label_str(char *, size_t, const char *, const cha= r *); > void expand_label_if(const char *, char *, size_t, const char= *); > void expand_label_addr(const char *, char *, size_t, u_int8_t= , > struct node_host *); > void expand_label_port(const char *, char *, size_t, > struct node_port *); > void expand_label_proto(const char *, char *, size_t, u_int8_= t); > -void expand_label_nr(const char *, char *, size_t); > void expand_label(char *, size_t, const char *, u_int8_t, > struct node_host *, struct node_port *, struct node_h= ost *, > struct node_port *, u_int8_t); > @@ -5125,17 +5123,6 @@ expand_label_proto(const char *name, char *label, = size_t len, u_int8_t proto) > } > } > > -void > -expand_label_nr(const char *name, char *label, size_t len) > -{ > - char n[11]; > - > - if (strstr(label, name) !=3D NULL) { > - snprintf(n, sizeof(n), "%u", pf->anchor->match); > - expand_label_str(label, len, name, n); > - } > -} > - > void > expand_label(char *label, size_t len, const char *ifname, sa_family_t af= , > struct node_host *src_host, struct node_port *src_port, > @@ -5148,7 +5135,6 @@ expand_label(char *label, size_t len, const char *i= fname, sa_family_t af, > expand_label_port("$srcport", label, len, src_port); > expand_label_port("$dstport", label, len, dst_port); > expand_label_proto("$proto", label, len, proto); > - expand_label_nr("$nr", label, len); > } > > int > diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c > index d7bde0012e9b..749d73705f45 100644 > --- a/sbin/pfctl/pfctl.c > +++ b/sbin/pfctl/pfctl.c 
> @@ -1528,6 +1528,15 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, s= truct pfctl_ruleset *rs, > > while ((r =3D TAILQ_FIRST(rs->rules[rs_num].active.ptr)) !=3D NUL= L) { > TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries); > + char n[11]; > + snprintf(n, sizeof(n), "%u", r->nr); > + for (int i =3D 0; i < PF_RULE_MAX_LABEL_COUNT; i++) { > + expand_label_str(r->label[i], PF_RULE_LABEL_SIZE, > + "$nr", n); > + } > + expand_label_str(r->tagname, PF_TAG_NAME_SIZE, "$nr", n); > + expand_label_str(r->match_tagname, PF_TAG_NAME_SIZE, "$nr= ", n); > + > if ((error =3D pfctl_load_rule(pf, path, r, depth))) > goto error; > if (r->anchor) { > diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h > index 80ef184fa90f..d725341d1cd7 100644 > --- a/sbin/pfctl/pfctl.h > +++ b/sbin/pfctl/pfctl.h 
> @@ -139,5 +139,6 @@ struct pfctl_ruleset *pf_find_ruleset(const ch= ar *); > struct pfctl_ruleset *pf_find_or_create_ruleset(const char *); > > const char *pfctl_proto2name(int); > +void expand_label_str(char *, size_t, const char *, const char *); > > #endif /* _PFCTL_H_ */
>
> I think I want to restructure that a bit, but this should already work.
>
> Best regards,
> Kristof

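The ordering problem discussed in this thread, as an added example that is not pfctl code and not part of either message: a toy ruleset in which $nr is expanded either before or after an optimizer pass removes a rule and renumbers the rest. The rules, the LABEL_SIZE value and the functions expand_str(), expand_nr(), optimize() and load() are constructed for illustration, and the optimizer is modelled simply as dropping a rule whose match text equals its predecessor's.

```c
#include <stdio.h>
#include <string.h>

#define LABEL_SIZE 64   /* constructed size, not pf's PF_RULE_LABEL_SIZE */

struct rule {
	unsigned nr;            /* rule number */
	char match[48];         /* simplified rule text */
	char label[LABEL_SIZE];
};

/* Constructed ruleset: rule 0 was expanded once per interface address. */
static const char *parsed[][2] = {
	{ "pass in on em0 proto tcp", "web-$nr" },
	{ "pass in on em0 proto tcp", "web-$nr" },
	{ "block in on em0", "drop-$nr" },
};
#define NPARSED (sizeof(parsed) / sizeof(parsed[0]))

/*
 * Replace each srch (non-empty) in label with repl.
 * On overflow return -1 and leave label untouched.
 */
static int expand_str(char *label, size_t len, const char *srch, const char *repl)
{
	char out[LABEL_SIZE];
	size_t used = 0, chunk, slen = strlen(srch), rlen = strlen(repl);
	const char *p = label, *q;

	if (len > sizeof(out))
		len = sizeof(out);
	while ((q = strstr(p, srch)) != NULL) {
		chunk = (size_t)(q - p);
		if (used + chunk + rlen >= len)
			return -1;
		memcpy(out + used, p, chunk);
		memcpy(out + used + chunk, repl, rlen);
		used += chunk + rlen;
		p = q + slen;
	}
	chunk = strlen(p);
	if (used + chunk >= len)
		return -1;
	memcpy(out + used, p, chunk + 1);       /* tail plus NUL */
	memcpy(label, out, used + chunk + 1);
	return 0;
}

/* Substitute the rule's current number for "$nr" in its label. */
static void expand_nr(struct rule *r)
{
	char n[11];

	snprintf(n, sizeof(n), "%u", r->nr);
	expand_str(r->label, sizeof(r->label), "$nr", n);
}

/* Toy optimizer: drop a rule whose match equals its predecessor's, renumber. */
static size_t optimize(struct rule *rs, size_t n)
{
	size_t i, out = 0;

	for (i = 0; i < n; i++) {
		if (out > 0 && strcmp(rs[out - 1].match, rs[i].match) == 0)
			continue;
		rs[out] = rs[i];
		rs[out].nr = (unsigned)out;
		out++;
	}
	return out;
}

/* Parse, optimize, load; early != 0 expands $nr before the optimizer runs. */
static size_t load(struct rule *rs, int early)
{
	size_t i, n;

	for (i = 0; i < NPARSED; i++) {
		rs[i].nr = (unsigned)i;
		snprintf(rs[i].match, sizeof(rs[i].match), "%s", parsed[i][0]);
		snprintf(rs[i].label, sizeof(rs[i].label), "%s", parsed[i][1]);
		if (early)
			expand_nr(&rs[i]);
	}
	n = optimize(rs, NPARSED);
	for (i = 0; !early && i < n; i++)
		expand_nr(&rs[i]);
	return n;
}

int main(void)
{
	struct rule a[NPARSED], b[NPARSED];
	size_t i, n = load(a, 1);

	load(b, 0);
	for (i = 0; i < n; i++)
		printf("nr=%u early=%s late=%s\n", a[i].nr, a[i].label, b[i].label);
	return 0;
}
```

With early expansion the surviving block rule carries number 1 but a label built from its pre-optimization number; expanding after renumbering keeps label and number in agreement, which matters wherever labels are used to correlate counters or logs with rules.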
From: bugzilla-noreply@FreeBSD.org
To: pf@FreeBSD.org
Subject: Problem reports for pf@FreeBSD.org that need special attention
Date: Sun, 3 Oct 2021 21:00:37 +0000

To view an individual PR, use:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=(Bug Id).

The following is a listing of current problems submitted by FreeBSD users,
which need special attention. These represent problem reports covering
all versions including experimental development code and obsolete releases.

Status      |    Bug Id | Description
------------+-----------+---------------------------------------------------
Open        |    237973 | pf: implement egress keyword to simplify rules ac

1 problems total for which you should take action.