Date: Wed, 22 Sep 2021 12:47:50 +0300
From: Özkan KIRIK <ozkan.kirik@gmail.com>
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf label $nr macro expand reproducable bug
Message-ID: <CAAcX-AF_S5WrU%2Bhy6WCzuot33%2Bp_LtP6_7HPTFNMSxoevqM35g@mail.gmail.com>
In-Reply-To: <90E32279-76C0-4D81-B209-BE85A181F874@FreeBSD.org>
References: <CAAcX-AFmFwyEK4uzK66LoBK2e6W0_-8ZkJju5jAfSYE7wmSjXA@mail.gmail.com> <90E32279-76C0-4D81-B209-BE85A181F874@FreeBSD.org>
Hi Kristof,

I tried many things and I found the real problem to reproduce the bug.
Tested with the latest stable/12. And also tested with the Live CD without installing
(https://download.freebsd.org/ftp/snapshots/ISO-IMAGES/12.2/FreeBSD-12.2-STABLE-amd64-20210916-r370608-disc1.iso).
The result is the same.

My determination is that the problem is in the rule optimizer of pf. You can see
the difference with / without ruleset optimization. Without ruleset optimization,
$nr macro expanding is true; otherwise false. If the interface used in the rule
has multiple IP addresses, the rule optimizer removes lines and then the rule
number expanding fails.

ie:

# cat pf.conf
pass quick on lo from lo:network to lo:network
pass quick all label "ruleNo:$nr"

# ifconfig lo0 inet 127.0.0.2/32 alias
# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
	inet 127.0.0.1 netmask 0xff000000
	inet 127.0.0.2 netmask 0xffffffff
	groups: lo extra
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# pfctl -f pf.conf
# pfctl -sr -vvv
@0 pass quick on lo inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3694 State Creations: 0     ]
@1 pass quick on lo inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3694 State Creations: 0     ]
@2 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 3694 State Creations: 0     ]

# pfctl -o none -f /antikor/etc/pf/x.conf
# pfctl -sr -vvv
@0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
@1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
@2 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
@3 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
@4 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]
@5 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 5959 State Creations: 0     ]

Thank you

On Sat, Sep 18, 2021 at 11:10 AM Kristof Provost <kp@freebsd.org> wrote:
>
> On 15 Sep 2021, at 9:43, Özkan KIRIK wrote:
> > I'm using FreeBSD stable/12.
> > I've tested this situation on stable/12 both 0f97f2a1857a (Jul 26
> > 2021) and ebb3327d09ce (Sep 14) build.
> >
> > The label $nr macro works as expected for most of the rules. But with the
> > example below the $nr macro was expanded incorrectly. Outputs are below.
> >
> > If you need, I can open a PR.
> >
> > # ifconfig -g lo
> > lo0
> >
> > Experiment #1: The right output should be "ruleNo:2", but the system
> > expands it as "ruleNo:257".
> >
> I can’t reproduce this, either on main or on stable/12.
>
> Br,
> Kristof
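As an added check, not part of the thread and not FreeBSD project code: the mismatch Özkan describes (a rule sitting at position @2 but carrying the label "ruleNo:5") is easy to detect mechanically from `pfctl -sr -vvv` output, because `pfctl` prints each rule's real position as `@N`. The script below parses that output and reports every `ruleNo:N` label whose number differs from the rule's loaded position. The two sample outputs embedded here are copied from the mail above (one from the default, optimized load, one from the `-o none` load) so it runs offline; the function names and the `ruleNo:` label scheme it looks for are assumptions taken from the post's pf.conf.

```python
import re
from typing import List, Optional, Tuple

# Sample `pfctl -sr -vvv` output copied from the mail above: first the
# default (optimized) load, then the `pfctl -o none` load. The indented
# counter lines are kept so the parser has to skip them, as on a live box.
OPTIMIZED_OUTPUT = """\
@0 pass quick on lo inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 pass quick on lo inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@2 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

UNOPTIMIZED_OUTPUT = """\
@0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@2 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@3 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@4 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
@5 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
"""

# A rule line starts with its position: "@<n> <rule text>".
RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
# pfctl prints labels as: label "<text>"
LABEL_RE = re.compile(r'\blabel\s+"([^"]*)"')
# Label scheme from the post's pf.conf: label "ruleNo:$nr" (assumption).
NR_LABEL_RE = re.compile(r"ruleNo:(\d+)")


def parse_rules(output: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (position, rule_text, label_or_None) for every @N line."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # counter/stat lines are indented and carry no "@N"
        nr, text = int(m.group(1)), m.group(2)
        lm = LABEL_RE.search(text)
        rules.append((nr, text, lm.group(1) if lm else None))
    return rules


def label_mismatches(output: str) -> List[Tuple[int, int]]:
    """Return (actual_position, number_in_label) for each labelled rule
    whose ruleNo:N does not match where pf actually loaded it."""
    bad = []
    for nr, _text, label in parse_rules(output):
        if label is None:
            continue
        lm = NR_LABEL_RE.search(label)
        if lm and int(lm.group(1)) != nr:
            bad.append((nr, int(lm.group(1))))
    return bad


if __name__ == "__main__":
    for name, out in (("optimized", OPTIMIZED_OUTPUT),
                      ("-o none", UNOPTIMIZED_OUTPUT)):
        print(f"{name}: {label_mismatches(out) or 'labels consistent'}")
```

On a FreeBSD host the same check runs over live output by passing the text of `pfctl -sr -vvv` to `label_mismatches()`; a non-empty result means any tooling that keys counters or logs on the `ruleNo:` label would attribute them to the wrong rule.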