From: "Kristof Provost" <kp@FreeBSD.org>
To: "Florian Smeets"
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Date: Sat, 24 Apr 2021 16:01:07 +0200
Message-ID: <23A87E17-BB7C-4DB4-9C60-6F2106204E95@FreeBSD.org>
In-Reply-To: <1B2EBD56-08CE-4854-BB3D-F20314247E1C@FreeBSD.org>

On 24 Apr 2021, at 15:18, Kristof Provost wrote:
> On 24 Apr 2021, at 14:12, Florian Smeets wrote:
>> On 10.04.21 11:16, Kristof Provost wrote:
>>> The branch main has been updated by kp:
>>>
>>> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>>>
>>> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
>>> Author:     Kristof Provost
>>> AuthorDate: 2021-03-12 17:03:14 +0000
>>> Commit:     Kristof Provost
>>> CommitDate: 2021-04-10 09:16:01 +0000
>>>
>>>     pfctl: Move to DIOCADDRULENV
>>>
>>>     Start using the new nvlist based ioctl to add rules.
>>>
>>>     MFC after:      4 weeks
>>>     Sponsored by:   Rubicon Communications, LLC ("Netgate")
>>>     Differential Revision:  https://reviews.freebsd.org/D29558
>>
>> Hi Kristof,
>>
>> this commit breaks my previously working rule set. Using a pfctl from
>> before this commit works with a kernel from yesterday's sources.
>>
>> This is the smallest rule set I could come up with. It doesn't matter
>> whether I use macros in the list or not. The int_if stuff is only
>> there to not lock myself out of the system.
>>
>> It looks like lists with more than 5 IPv6 hosts or 6 v4 hosts don't
>> work.
>>
>> int_if="em0"
>> set skip on $int_if
>>
>> # not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
>> # each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
>> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
>> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
>>
>> # working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
>> pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
>> pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
>>
>> Another interesting point is the following rules work with -o none,
>> but not with -o basic, which I guess points to list or maybe table
>> handling?
>>
>> pass in proto tcp to 192.168.0.1 port ssh
>> pass in proto tcp to 192.168.0.2 port ssh
>> pass in proto tcp to 192.168.0.3 port ssh
>> pass in proto tcp to 192.168.0.4 port ssh
>> pass in proto tcp to 192.168.0.5 port ssh
>> pass in proto tcp to 192.168.0.6 port ssh
>> pass in proto tcp to 192.168.0.7 port ssh
>>
>> I think you should be able to reproduce this easily, if you need
>> anything else, please let me know.
>>
> Yeah, I see what's happening here. The optimiser creates an automatic
> table, and the table name is longer than IFNAMSIZ. That's fine, because
> it's stored in a union that has tblname, which is sufficiently long for
> that name. The problem is that the nvlist code unconditionally reads the
> ifname as well, and the automatic name is longer than IFNAMSIZ.
> It's a simple matter of (a) cursing the old pf data structures for being
> awful and (b) only reading ifname (or tblname) for the appropriate addr
> type.
>
> I'm testing a patch now.
>
https://reviews.freebsd.org/D29962

Best regards,
Kristof
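To make the diagnosis above concrete, here is an added example in C that models the failure; it is not pf's or pfctl's code. The struct, the enum names, the read_string helper and the buffer sizes (16 for IFNAMSIZ, 32 for PF_TABLE_NAME_SIZE) are assumptions modelled on pf: the name sits in a union, and reading the ifname member unconditionally fails once the overlapping table name has no terminator within the first IFNAMSIZ bytes.

```c
#include <errno.h>
#include <string.h>

#define IFNAMSIZ 16            /* interface name buffer (assumed FreeBSD value) */
#define PF_TABLE_NAME_SIZE 32  /* pf table name buffer (assumed value) */

/* Assumed, simplified stand-in for pf's address wrapper: the name lives in a
 * union and which member is valid depends on the address type. */
enum addr_type { ADDR_DYNIFTL, ADDR_TABLE };
struct addr_wrap {
	enum addr_type type;
	union { char ifname[IFNAMSIZ]; char tblname[PF_TABLE_NAME_SIZE]; } v;
};

/* Copy a fixed-size char field out as a C string; like an nvlist string
 * helper, reject a field with no terminator inside its declared size. */
static int read_string(const char *src, size_t size, char *out, size_t outsz)
{
	size_t n = 0;
	while (n < size && src[n] != '\0')
		n++;
	if (n == size || n >= outsz)
		return EINVAL; /* what pfctl reports as "Invalid argument" */
	memcpy(out, src, n);
	out[n] = '\0';
	return 0;
}

/* Before the fix: ifname is read regardless of type. A table name longer
 * than IFNAMSIZ fills the whole ifname buffer, so no terminator is found. */
int export_addr_broken(const struct addr_wrap *a, char *out, size_t outsz)
{
	int err = read_string(a->v.ifname, IFNAMSIZ, out, outsz);
	if (err == 0 && a->type == ADDR_TABLE)
		err = read_string(a->v.tblname, PF_TABLE_NAME_SIZE, out, outsz);
	return err;
}

/* After the fix: read only the union member valid for this address type. */
int export_addr_fixed(const struct addr_wrap *a, char *out, size_t outsz)
{
	if (a->type == ADDR_DYNIFTL)
		return read_string(a->v.ifname, IFNAMSIZ, out, outsz);
	return read_string(a->v.tblname, PF_TABLE_NAME_SIZE, out, outsz);
}
```

A table name of up to 15 characters still terminates inside the ifname window, which is why short host lists kept working while longer automatic tables were rejected.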