From: Kristof Provost
Date: Mon, 10 May 2021 19:49:48 GMT
Message-Id: <202105101949.14AJnmiu006336@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: b8b6ee3554eb - stable/13 - pf: Fix parsing of long table names

The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b8b6ee3554eb331e215db13d3feac34df20a8f39

commit b8b6ee3554eb331e215db13d3feac34df20a8f39
Author:     Kristof Provost
AuthorDate: 2021-04-24 13:55:24 +0000
Commit:     Kristof Provost
CommitDate: 2021-05-10 19:45:56 +0000

    pf: Fix parsing of long table names

    When parsing the nvlist for a struct pf_addr_wrap we unconditionally tried to parse "ifname". This broke for PF_ADDR_TABLE when the table name was longer than IFNAMSIZ. PF_TABLE_NAME_SIZE is longer than IFNAMSIZ, so this is a valid configuration.

    Only parse (or return) ifname or tblname for the corresponding pf_addr_wrap type.
This manifested as a failure to set rules such as these, where the pfctl optimiser generated an automatic table: pass in proto tcp to 192.168.0.1 port ssh pass in proto tcp to 192.168.0.2 port ssh pass in proto tcp to 192.168.0.3 port ssh pass in proto tcp to 192.168.0.4 port ssh pass in proto tcp to 192.168.0.5 port ssh pass in proto tcp to 192.168.0.6 port ssh pass in proto tcp to 192.168.0.7 port ssh Reported by: Florian Smeets Tested by: Florian Smeets Reviewed by: donner X-MFC-With: 5c11c5a3655842a176124ef2334fcdf830422c8a MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29962 (cherry picked from commit 402dfb0a8d2c6417cb9bff4460ef250a42b0aa05) --- lib/libpfctl/libpfctl.c | 15 ++++++++++----- sys/netpfil/pf/pf_ioctl.c | 16 ++++++++++------ 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 6d5397cb64b2..69c51ec6c897 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -148,8 +148,10 @@ pfctl_nv_add_addr_wrap(nvlist_t *nvparent, const char *name, nvlist_add_number(nvl, "type", addr->type); nvlist_add_number(nvl, "iflags", addr->iflags); - nvlist_add_string(nvl, "ifname", addr->v.ifname); - nvlist_add_string(nvl, "tblname", addr->v.tblname); + if (addr->type == PF_ADDR_DYNIFTL) + nvlist_add_string(nvl, "ifname", addr->v.ifname); + if (addr->type == PF_ADDR_TABLE) + nvlist_add_string(nvl, "tblname", addr->v.tblname); pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr); pfctl_nv_add_addr(nvl, "mask", &addr->v.a.mask); 
@@ -161,9 +163,12 @@ pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) { addr->type = nvlist_get_number(nvl, "type"); addr->iflags = nvlist_get_number(nvl, "iflags"); - strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), IFNAMSIZ); - strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"), - PF_TABLE_NAME_SIZE); + if (addr->type == PF_ADDR_DYNIFTL) + strlcpy(addr->v.ifname, nvlist_get_string(nvl, "ifname"), + IFNAMSIZ); + if (addr->type == PF_ADDR_TABLE) + strlcpy(addr->v.tblname, nvlist_get_string(nvl, "tblname"), + PF_TABLE_NAME_SIZE); pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "addr"), &addr->v.a.addr); pf_nvaddr_to_addr(nvlist_get_nvlist(nvl, "mask"), &addr->v.a.mask); diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 522f6a6a8f54..40a68a65bfd5 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1703,10 +1703,12 @@ pf_nvaddr_wrap_to_addr_wrap(const nvlist_t *nvl, struct pf_addr_wrap *addr) PFNV_CHK(pf_nvuint8(nvl, "type", &addr->type)); PFNV_CHK(pf_nvuint8(nvl, "iflags", &addr->iflags)); - PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname, - sizeof(addr->v.ifname))); - PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname, - sizeof(addr->v.tblname))); + if (addr->type == PF_ADDR_DYNIFTL) + PFNV_CHK(pf_nvstring(nvl, "ifname", addr->v.ifname, + sizeof(addr->v.ifname))); + if (addr->type == PF_ADDR_TABLE) + PFNV_CHK(pf_nvstring(nvl, "tblname", addr->v.tblname, + sizeof(addr->v.tblname))); if (! nvlist_exists_nvlist(nvl, "addr")) return (EINVAL); 
@@ -1746,8 +1748,10 @@ pf_addr_wrap_to_nvaddr_wrap(const struct pf_addr_wrap *addr) nvlist_add_number(nvl, "type", addr->type); nvlist_add_number(nvl, "iflags", addr->iflags); - nvlist_add_string(nvl, "ifname", addr->v.ifname); - nvlist_add_string(nvl, "tblname", addr->v.tblname); + if (addr->type == PF_ADDR_DYNIFTL) + nvlist_add_string(nvl, "ifname", addr->v.ifname); + if (addr->type == PF_ADDR_TABLE) + nvlist_add_string(nvl, "tblname", addr->v.tblname); tmp = pf_addr_to_nvaddr(&addr->v.a.addr); if (tmp == NULL)
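Review bot: in the lib/libpfctl/libpfctl.c hunk at @@ -148,8 +148,10 @@ the two new type checks stop ifname/tblname from being encoded for the wrong type, but the `pfctl_nv_add_addr(nvl, "addr", &addr->v.a.addr);` and `"mask"` calls right after them stay unconditional. The `v` member of struct pf_addr_wrap is a union, so for a PF_ADDR_TABLE entry those two calls encode the bytes of the table name as an address and a mask, and the kernel-side hunk in pf_ioctl.c parses "addr"/"mask" after the name strings, so the name survives the round trip only because the same union bytes are written back verbatim. Either guard the "addr"/"mask" calls on the address-type values as well, or add a comment at this point stating that the ordering on the receiving side is load-bearing.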
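Review bot: in the lib/libpfctl/libpfctl.c hunk at @@ -161,9 +163,12 @@ the decoder still calls nvlist_get_string() directly, which aborts the process when the key is absent; the new type checks make the lookup correct only when the sender applied the matching rule. Because this is an MFC to stable/13, a libpfctl that predates this change will keep reading both "ifname" and "tblname" unconditionally against a kernel that now emits only one of them, and that combination crashes pfctl instead of reporting an error. Testing `nvlist_exists_string(nvl, "ifname")` (and likewise for "tblname") before each strlcpy, and treating a missing key for the expected type as a failure, would fail soft across the version skew.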
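Review bot: in the sys/netpfil/pf/pf_ioctl.c hunk at @@ -1703,10 +1703,12 @@ addr->type is taken from the userspace-supplied nvlist by pf_nvuint8() and immediately used to select which string is parsed, but it is not checked against the known PF_ADDR_* values. A type outside that set now silently skips both copies, leaving addr->v.ifname/addr->v.tblname holding whatever the caller's struct contained before the call, whereas the old code at least always filled them. The function already returns EINVAL when "addr" is missing; returning EINVAL for an unrecognised type in the same style (or zeroing the struct before filling it, if the caller does not already) would keep the kernel from acting on a field it has not validated.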