From: Florian Smeets
To: Kristof Provost, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Date: Sat, 24 Apr 2021 14:12:46 +0200
Message-ID: <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz>
In-Reply-To: <202104100916.13A9GJpP068955@gitrepo.freebsd.org>

On 10.04.21 11:16, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>
> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
> Author:     Kristof Provost
> AuthorDate: 2021-03-12 17:03:14 +0000
> Commit:     Kristof Provost
> CommitDate: 2021-04-10 09:16:01 +0000
>
>     pfctl: Move to DIOCADDRULENV
>
>     Start using the new nvlist based ioctl to add rules.
>
>     MFC after:      4 weeks
>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>     Differential Revision:  https://reviews.freebsd.org/D29558

Hi Kristof,

this commit breaks my previously working rule set. Using a pfctl from before this commit works with a kernel from yesterday's sources.

This is the smallest rule set I could come up with. It doesn't matter whether I use macros in the list or not. The int_if stuff is only there to not lock myself out of the system.

It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't work.
int_if="em0"
set skip on $int_if

# not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
# each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh

# working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh

Another interesting point is that the following rules work with -o none, but not with -o basic, which I guess points to list or maybe table handling?

pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh

I think you should be able to reproduce this easily. If you need anything else, please let me know.
Thanks,
Florian
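A small harness for locating the list size at which the load starts failing, added here as an example; it is not part of Florian's report or of pfctl itself. It builds the report's rule shape with N destination hosts for IPv4 and IPv6, expands the list the way pf.conf(5) defines it (one rule per element, cross product when a rule carries several lists), and, when a pfctl binary is present, loads each candidate into a throwaway anchor so the main rule set is never replaced. Parse-only mode (-n) is deliberately not used, because it stops before the ioctl the report is about. The anchor name `repro_listsize`, the constructed host ranges, and the upper bound of 16 hosts are assumptions of this script, not values from the report.

```python
"""Added example (not from the report or from pfctl): find the host-list
size at which `pfctl -f` starts rejecting a rule, using a test anchor.
All host addresses and the anchor name below are constructed sample values."""
import itertools
import re
import shutil
import subprocess

LIST_RE = re.compile(r"\{([^}]*)\}")
TEST_ANCHOR = "repro_listsize"  # assumed throwaway anchor, not referenced by main ruleset


def expand_lists(rule: str) -> list[str]:
    """Expand every { a, b, c } list in a pf rule into separate rules.

    pf.conf(5) defines a list as shorthand for one rule per element, and
    several lists in one rule yield their cross product. A 7-host list is
    therefore seven rules handed to the kernel one at a time.
    """
    groups = LIST_RE.findall(rule)
    if not groups:
        return [rule.strip()]
    choices = [[h.strip() for h in g.split(",") if h.strip()] for g in groups]
    expanded = []
    for combo in itertools.product(*choices):
        it = iter(combo)
        expanded.append(LIST_RE.sub(lambda _m: next(it), rule).strip())
    return expanded


def make_rule(n_hosts: int, family: str = "inet") -> str:
    """One pass rule in the report's shape with n_hosts destination hosts.
    Host ranges are constructed; 'inet' and 'inet6' mirror the two cases."""
    if family == "inet":
        hosts = [f"192.168.0.{i}" for i in range(1, n_hosts + 1)]
    elif family == "inet6":
        hosts = [f"fd01::{i}" for i in range(1, n_hosts + 1)]
    else:
        raise ValueError(f"unknown family {family!r}")
    return f"pass in proto tcp to {{ {', '.join(hosts)} }} port ssh\n"


def load_into_anchor(ruleset: str, optimizer: str = "basic"):
    """Load ruleset into TEST_ANCHOR via the real pfctl, if installed.

    Returns (exit status, stderr) or None when pfctl is absent, so the
    harness is harmless on a non-BSD development machine. Rules in an
    anchor are evaluated only if the main ruleset references it, so a
    failing or succeeding load here does not change live filtering.
    """
    pfctl = shutil.which("pfctl")
    if pfctl is None:
        return None
    proc = subprocess.run(
        [pfctl, "-a", TEST_ANCHOR, "-o", optimizer, "-f", "-"],
        input=ruleset, capture_output=True, text=True,
    )
    return proc.returncode, proc.stderr.strip()


def flush_anchor() -> None:
    """Remove whatever the last probe left in the test anchor."""
    pfctl = shutil.which("pfctl")
    if pfctl is not None:
        subprocess.run([pfctl, "-a", TEST_ANCHOR, "-F", "rules"],
                       capture_output=True, text=True)


def first_failing_size(family: str, max_hosts: int = 16, optimizer: str = "basic"):
    """Walk list sizes upward; return the first size pfctl rejects together
    with its error text, or None if every size loads or pfctl is missing."""
    try:
        for n in range(1, max_hosts + 1):
            result = load_into_anchor(make_rule(n, family), optimizer)
            if result is None:
                return None
            status, err = result
            if status != 0:
                return n, err
        return None
    finally:
        flush_anchor()


if __name__ == "__main__":
    for fam in ("inet", "inet6"):
        for opt in ("none", "basic"):
            print(f"{fam:5} -o {opt:5} first failing list size:",
                  first_failing_size(fam, optimizer=opt))
```

Running it on the affected system prints the threshold per address family and per optimizer level, which separates the list-size question from the `-o none` versus `-o basic` observation in the report; on a machine without pfctl every probe returns None and nothing is loaded.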