Date: Sat, 24 Apr 2021 15:18:47 +0200
From: "Kristof Provost" <kp@FreeBSD.org>
To: "Florian Smeets" <flo@smeets.xyz>
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Message-ID: <1B2EBD56-08CE-4854-BB3D-F20314247E1C@FreeBSD.org>
In-Reply-To: <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz>
References: <202104100916.13A9GJpP068955@gitrepo.freebsd.org> <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz>
On 24 Apr 2021, at 14:12, Florian Smeets wrote:
> On 10.04.21 11:16, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>>
>> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
>> Author:     Kristof Provost <kp@FreeBSD.org>
>> AuthorDate: 2021-03-12 17:03:14 +0000
>> Commit:     Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2021-04-10 09:16:01 +0000
>>
>>     pfctl: Move to DIOCADDRULENV
>>
>>     Start using the new nvlist based ioctl to add rules.
>>
>>     MFC after:      4 weeks
>>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>     Differential Revision:  https://reviews.freebsd.org/D29558
>
> Hi Kristof,
>
> this commit breaks my previously working rule set. Using a pfctl from
> before this commit works with a kernel from yesterday's sources.
>
> This is the smallest rule set I could come up with. It doesn't matter
> whether I use macros in the list or not. The int_if stuff is only
> there to not lock myself out of the system.
>
> It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't
> work.
>
> int_if="em0"
> set skip on $int_if
>
> # not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
> # each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
>
> # working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
>
> Another interesting point is the following rules work with -o none,
> but not with -o basic, which I guess points to list or maybe table
> handling?
>
> pass in proto tcp to 192.168.0.1 port ssh
> pass in proto tcp to 192.168.0.2 port ssh
> pass in proto tcp to 192.168.0.3 port ssh
> pass in proto tcp to 192.168.0.4 port ssh
> pass in proto tcp to 192.168.0.5 port ssh
> pass in proto tcp to 192.168.0.6 port ssh
> pass in proto tcp to 192.168.0.7 port ssh
>
> I think you should be able to reproduce this easily, if you need
> anything else, please let me know.
>
Yeah, I see what’s happening here.

The optimiser creates an automatic table, and the table name is longer than IFNAMSIZ. That’s fine, because it’s stored in a union that has tblname, which is sufficiently long for that name. The problem is that the nvlist code unconditionally reads the ifname as well, and the automatic name is longer than IFNAMSIZ.

It’s a simple matter of (a) cursing the old pf data structures for being awful and (b) only reading ifname (or tblname) for the appropriate addr type.

I’m testing a patch now.

Best regards,
Kristof
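As an added illustration of the root cause Kristof describes (this is not code from the thread or from FreeBSD's pf), a minimal stand-in for the address wrapper union: the buggy decoder checks every name against IFNAMSIZ and so rejects an optimiser-generated table name, while the fixed one takes the limit from the address type. The struct, enum, function names and the automatic table name are assumptions; only IFNAMSIZ and PF_TABLE_NAME_SIZE carry their real values.

```c
#include <errno.h>
#include <string.h>
/* Buffer sizes as in the FreeBSD headers, defined locally so this builds anywhere. */
#define IFNAMSIZ 16
#define PF_TABLE_NAME_SIZE 32
/* Hypothetical address kinds, standing in for pf's interface and table address types. */
enum addr_type { ADDR_IFACE, ADDR_TABLE };
/* Simplified stand-in for pf's address wrapper: two name fields overlapping in one union. */
struct addr_wrap {
    enum addr_type type;
    union {
        char ifname[IFNAMSIZ];
        char tblname[PF_TABLE_NAME_SIZE];
    } v;
};

/* Copy a NUL-terminated name into a fixed buffer; overlong input is rejected, not truncated. */
static int copy_name(char *dst, size_t dstlen, const char *src)
{
    size_t len = strlen(src);
    if (len >= dstlen)
        return EINVAL;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Buggy decoder: always checks the name against IFNAMSIZ, whatever the address type. */
int decode_unconditional(struct addr_wrap *a, enum addr_type type, const char *name)
{
    a->type = type;
    return copy_name(a->v.ifname, IFNAMSIZ, name);
}

/* Fixed decoder: the address type selects the union member, and with it the size limit. */
int decode_by_type(struct addr_wrap *a, enum addr_type type, const char *name)
{
    a->type = type;
    if (type == ADDR_TABLE)
        return copy_name(a->v.tblname, PF_TABLE_NAME_SIZE, name);
    return copy_name(a->v.ifname, IFNAMSIZ, name);
}
/* Constructed optimiser-style table name: 22 chars, over IFNAMSIZ-1 but within the table limit. */
#define AUTO_TABLE "__automatic_0a1b2c3d_1"
/* Decode into a scratch wrapper and return the resulting error code (0 on success). */
int try_decode(int type_aware, enum addr_type type, const char *name)
{
    struct addr_wrap a;
    return type_aware ? decode_by_type(&a, type, name) : decode_unconditional(&a, type, name);
}
```

With the unconditional decoder the table address fails with EINVAL, which is exactly the "DIOCADDRULENV: Invalid argument" Florian sees once the optimiser folds a long host list into a table.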
