From: "Kristof Provost" <kp@FreeBSD.org>
To: "Florian Smeets" <flo@smeets.xyz>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Date: Sat, 24 Apr 2021 15:18:47 +0200
Message-ID: <1B2EBD56-08CE-4854-BB3D-F20314247E1C@FreeBSD.org>
In-Reply-To: <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz>
References: <202104100916.13A9GJpP068955@gitrepo.freebsd.org>
 <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz>
List-Id: Commit messages for the main branch of the src repository
 <dev-commits-src-main.freebsd.org>

On 24 Apr 2021, at 14:12, Florian Smeets wrote:
> On 10.04.21 11:16, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>>
>> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
>> Author:     Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2021-03-12 17:03:14 +0000
>> Commit:     Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2021-04-10 09:16:01 +0000
>>
>>     pfctl: Move to DIOCADDRULENV
>>
>>     Start using the new nvlist based ioctl to add rules.
>>
>>     MFC after:      4 weeks
>>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>     Differential Revision:  https://reviews.freebsd.org/D29558
>
> Hi Kristof,
>
> this commit breaks my previously working rule set. Using a pfctl from
> before this commit works with a kernel from yesterday's sources.
>
> This is the smallest rule set I could come up with. It doesn't matter
> whether I use macros in the list or not. The int_if stuff is only
> there to not lock myself out of the system.
>
> It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't
> work.
>
> int_if="em0"
> set skip on $int_if
>
> # not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
> # each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
>
> # working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
>
> Another interesting point is the following rules work with -o none,
> but not with -o basic, which I guess points to list or maybe table
> handling?
>
> pass in proto tcp to 192.168.0.1 port ssh
> pass in proto tcp to 192.168.0.2 port ssh
> pass in proto tcp to 192.168.0.3 port ssh
> pass in proto tcp to 192.168.0.4 port ssh
> pass in proto tcp to 192.168.0.5 port ssh
> pass in proto tcp to 192.168.0.6 port ssh
> pass in proto tcp to 192.168.0.7 port ssh
>
> I think you should be able to reproduce this easily, if you need
> anything else, please let me know.
>
Yeah, I see what’s happening here. The optimiser creates an automatic
table, and the table name is longer than IFNAMSIZ. That’s fine,
because it’s stored in a union that has tblname, which is sufficiently
long for that name. The problem is that the nvlist code unconditionally
reads the ifname as well, and the automatic name is longer than
IFNAMSIZ.
It’s a simple matter of (a) cursing the old pf data structures for
being awful and (b) only reading ifname (or tblname) for the appropriate
addr type.

I=E2=80=99m testing a patch now.

Best regards,
Kristof
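The union aliasing and the type-dispatched read described in the reply above, as an added C model that is not FreeBSD's pf or libnv code: the struct, the string reader, the two decoders and the sample table name are simplified and constructed for illustration (PF_TABLE_NAME_SIZE and IFNAMSIZ are assumed to be 32 and 16).

```c
#include <errno.h>
#include <string.h>
#define IFNAMSIZ 16            /* interface name buffer size, as on FreeBSD */
#define PF_TABLE_NAME_SIZE 32  /* table name buffer size, as on FreeBSD */
enum pf_addr_type { PF_ADDR_ADDRMASK, PF_ADDR_DYNIFTL, PF_ADDR_TABLE };

/* Simplified model of pf's address wrapper: ifname and tblname share storage. */
struct pf_addr_wrap {
	enum pf_addr_type type;
	union {
		char ifname[IFNAMSIZ];
		char tblname[PF_TABLE_NAME_SIZE];
	} v;
};

/* Model of the nvlist string reader: a value that does not fit is rejected with EINVAL. */
static int pf_nvstring(char *dst, size_t dstlen, const char *src)
{
	if (strlen(src) >= dstlen)
		return (EINVAL);
	memcpy(dst, src, strlen(src) + 1);
	return (0);
}

/* Behaviour reported in the thread: ifname is read no matter which addr type is in use. */
static int decode_addr_buggy(struct pf_addr_wrap *a, enum pf_addr_type type, const char *name)
{
	a->type = type;
	/* An automatic table name longer than IFNAMSIZ fails this check. */
	if (pf_nvstring(a->v.ifname, IFNAMSIZ, name) != 0)
		return (EINVAL);
	if (type == PF_ADDR_TABLE)
		return (pf_nvstring(a->v.tblname, PF_TABLE_NAME_SIZE, name));
	return (0);
}

/* Fix described in the thread: read only the union member the addr type actually uses. */
static int decode_addr_fixed(struct pf_addr_wrap *a, enum pf_addr_type type, const char *name)
{
	a->type = type;
	switch (type) {
	case PF_ADDR_DYNIFTL:
		return (pf_nvstring(a->v.ifname, IFNAMSIZ, name));
	case PF_ADDR_TABLE:
		return (pf_nvstring(a->v.tblname, PF_TABLE_NAME_SIZE, name));
	default:
		return (0);	/* plain address/mask carries neither name */
	}
}
```

With a constructed 27-character table name the buggy decoder returns EINVAL, matching the "DIOCADDRULENV: Invalid argument" seen with -o basic, while the fixed decoder stores it in tblname.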