Date:      Sat, 24 Apr 2021 16:01:07 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Florian Smeets" <flo@smeets.xyz>
Cc:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   Re: git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Message-ID:  <23A87E17-BB7C-4DB4-9C60-6F2106204E95@FreeBSD.org>
In-Reply-To: <1B2EBD56-08CE-4854-BB3D-F20314247E1C@FreeBSD.org>
References:  <202104100916.13A9GJpP068955@gitrepo.freebsd.org> <0f7e86c0-3592-0391-7e52-4e6d14bc1eb0@smeets.xyz> <1B2EBD56-08CE-4854-BB3D-F20314247E1C@FreeBSD.org>

On 24 Apr 2021, at 15:18, Kristof Provost wrote:
> On 24 Apr 2021, at 14:12, Florian Smeets wrote:
>> On 10.04.21 11:16, Kristof Provost wrote:
>>> The branch main has been updated by kp:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>>>
>>> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
>>> Author:     Kristof Provost <kp@FreeBSD.org>
>>> AuthorDate: 2021-03-12 17:03:14 +0000
>>> Commit:     Kristof Provost <kp@FreeBSD.org>
>>> CommitDate: 2021-04-10 09:16:01 +0000
>>>
>>>      pfctl: Move to DIOCADDRULENV
>>>          Start using the new nvlist based ioctl to add rules.
>>>          MFC after:      4 weeks
>>>      Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>>      Differential Revision:  https://reviews.freebsd.org/D29558
>>
>> Hi Kristof,
>>
>> this commit breaks my previously working rule set. Using a pfctl from before this commit works with a kernel from yesterday's sources.
>>
>> This is the smallest rule set I could come up with. It doesn't matter whether I use macros in the list or not. The int_if stuff is only there to not lock myself out of the system.
>>
>> It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't work.
>>
>> int_if="em0"
>> set skip on $int_if
>>
>> # not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
>> # each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
>> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
>> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
>>
>> # working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
>> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
>> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
>>
>> Another interesting point is the following rules work with -o none, but not with -o basic, which I guess points to list or maybe table handling?
>>
>> pass in proto tcp to 192.168.0.1 port ssh
>> pass in proto tcp to 192.168.0.2 port ssh
>> pass in proto tcp to 192.168.0.3 port ssh
>> pass in proto tcp to 192.168.0.4 port ssh
>> pass in proto tcp to 192.168.0.5 port ssh
>> pass in proto tcp to 192.168.0.6 port ssh
>> pass in proto tcp to 192.168.0.7 port ssh
>>
>> I think you should be able to reproduce this easily, if you need anything else, please let me know.
>>
> Yeah, I see what's happening here. The optimiser creates an automatic table, and the table name is longer than IFNAMSIZ. That's fine, because it's stored in a union that has tblname, which is sufficiently long for that name. The problem is that the nvlist code unconditionally reads the ifname as well, and the automatic name is longer than IFNAMSIZ.
> It's a simple matter of (a) cursing the old pf data structures for being awful and (b) only reading ifname (or tblname) for the appropriate addr type.
>
> I'm testing a patch now.
>
https://reviews.freebsd.org/D29962

Best regards,
Kristof
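
The failure mode Kristof describes above (a bounded read of the union's ifname member applied unconditionally, so an automatic table name longer than IFNAMSIZ is rejected with EINVAL even though it lives in the longer tblname member) can be reproduced in a few lines of C. This is an added example, not FreeBSD or pf code: the struct, the decoder names, the TBLNAME_SIZE value and the shape of the automatic table name are assumptions chosen to illustrate the point; the real fix is in the Phabricator review linked above.

```c
/*
 * Added example (not FreeBSD code). Models a tagged union whose ifname
 * member is IFNAMSIZ bytes and whose tblname member is longer, decoded
 * by a bounded nvlist-style string getter. decode_broken reads ifname
 * unconditionally and so rejects a long table name; decode_fixed reads
 * only the member that matches the address type. All identifiers here
 * are assumptions, not pf's real ones.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ	16	/* FreeBSD's real value */
#define TBLNAME_SIZE	32	/* assumed; stands in for pf's table name limit */

enum addr_type { ADDR_IFACE, ADDR_TABLE };

/* Assumed shape of the address wrapper: a type tag plus a name union. */
struct addr_wrap {
	enum addr_type	type;
	union {
		char	ifname[IFNAMSIZ];
		char	tblname[TBLNAME_SIZE];
	} v;
};

/*
 * Stand-in for a bounded nvlist string getter: copy src into dst,
 * failing with EINVAL if it does not fit including the NUL. Rejecting
 * rather than truncating is the right behaviour; the bug is which
 * buffer gets read, not the bound check itself.
 */
static int
nv_string(const char *src, char *dst, size_t dstlen)
{
	size_t len = strlen(src);

	if (len + 1 > dstlen)
		return (EINVAL);
	memcpy(dst, src, len + 1);
	return (0);
}

/* Broken decoder: reads ifname regardless of the address type. */
int
decode_broken(const char *name, enum addr_type type, struct addr_wrap *a)
{
	memset(a, 0, sizeof(*a));
	a->type = type;
	/* BUG: unconditional; a table name longer than IFNAMSIZ fails here. */
	return (nv_string(name, a->v.ifname, sizeof(a->v.ifname)));
}

/* Fixed decoder: read into the union member the type actually uses. */
int
decode_fixed(const char *name, enum addr_type type, struct addr_wrap *a)
{
	memset(a, 0, sizeof(*a));
	a->type = type;
	switch (type) {
	case ADDR_IFACE:
		return (nv_string(name, a->v.ifname, sizeof(a->v.ifname)));
	case ADDR_TABLE:
		return (nv_string(name, a->v.tblname, sizeof(a->v.tblname)));
	}
	return (EINVAL);
}

/* Constructed inputs: a short interface name and a 22-character table
 * name (longer than IFNAMSIZ, shorter than TBLNAME_SIZE). The name's
 * shape is an assumption, not pfctl's real automatic table naming. */
#define SAMPLE_IFNAME	"em0"
#define SAMPLE_TBLNAME	"__automatic_0123456789"

/* Scratch target so callers can inspect what each decoder stored. */
struct addr_wrap scratch;

int
main(void)
{
	printf("broken, iface %s: %d\n", SAMPLE_IFNAME,
	    decode_broken(SAMPLE_IFNAME, ADDR_IFACE, &scratch));
	printf("broken, table %s: %d (EINVAL is %d)\n", SAMPLE_TBLNAME,
	    decode_broken(SAMPLE_TBLNAME, ADDR_TABLE, &scratch), EINVAL);
	printf("fixed,  table %s: %d\n", SAMPLE_TBLNAME,
	    decode_fixed(SAMPLE_TBLNAME, ADDR_TABLE, &scratch));
	return (0);
}
```

The check a reviewer would want on any decoder of a tagged union is the one decode_fixed makes: the type tag selects the member, and only that member's bound is applied. Reading every member "just in case" is harmless only while all members share the smallest bound, which is exactly the assumption the automatic table name violates.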


