Date: Sat, 24 Apr 2021 14:12:46 +0200
From: Florian Smeets <flo@smeets.xyz>
To: Kristof Provost <kp@FreeBSD.org>, src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Message-ID: <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz>
In-Reply-To: <202104100916.13A9GJpP068955@gitrepo.freebsd.org>
References: <202104100916.13A9GJpP068955@gitrepo.freebsd.org>

On 10.04.21 11:16, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>
> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
> Author:     Kristof Provost <kp@FreeBSD.org>
> AuthorDate: 2021-03-12 17:03:14 +0000
> Commit:     Kristof Provost <kp@FreeBSD.org>
> CommitDate: 2021-04-10 09:16:01 +0000
>
>     pfctl: Move to DIOCADDRULENV
>
>     Start using the new nvlist based ioctl to add rules.
>
>     MFC after:      4 weeks
>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>     Differential Revision:  https://reviews.freebsd.org/D29558

Hi Kristof,

this commit breaks my previously working rule set. Using a pfctl from before this commit works with a kernel from yesterday's sources.

This is the smallest rule set I could come up with. It doesn't matter whether I use macros in the list or not. The int_if stuff is only there to not lock myself out of the system. It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't work.

int_if="em0"
set skip on $int_if

# not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
# each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh

# working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh

Another interesting point is the following rules work with -o none, but not with -o basic, which I guess points to list or maybe table handling?

pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh

I think you should be able to reproduce this easily, if you need anything else, please let me know.

Thanks,
Florian