Subject: Re: r289932 causes pf reversion - breaks rules with broadcast destination
To: Kristof Provost, Tom Uffner
Cc: FreeBSD-Current
From: Florian Smeets
Date: Fri, 6 Nov 2015 17:41:22 +0100

On 06.11.15 17:06, Kristof Provost wrote:
> I suspect I've also found the source of the problem:
> pf_addr_wrap_neq() uses PF_ANEQ(), but sets address family 0.
> As a result of the fix that now means we always return false there.
>
> Can you give this a quick test:
>
> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c > index 1dfc37d..762b82e 100644 > --- a/sys/netpfil/pf/pf.c > +++ b/sys/netpfil/pf/pf.c
> @@ -1973,9 +1973,9 @@ pf_addr_wrap_neq(struct pf_addr_wrap *aw1, struct= pf_addr_wrap *aw2) > switch (aw1->type) { > case PF_ADDR_ADDRMASK: > case PF_ADDR_RANGE: > - if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, 0)) > + if (PF_ANEQ(&aw1->v.a.addr, &aw2->v.a.addr, AF_INET6)) > return (1); > - if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, 0)) > + if (PF_ANEQ(&aw1->v.a.mask, &aw2->v.a.mask, AF_INET6)) > return (1); > return (0); > case PF_ADDR_DYNIFTL:
>

I was affected by this, too. The patch above does indeed make my rule set work again.

Thanks!
Florian
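
Review bot: the literal AF_INET6 now passed to both PF_ANEQ() calls in the PF_ADDR_ADDRMASK / PF_ADDR_RANGE case has no comment, and pf_addr_wrap_neq() takes only aw1 and aw2, so nothing at the call site says why a fixed family is correct for every address the wrapper can hold. Add a short comment above the first call stating that no address family is available here and that AF_INET6 is passed deliberately in place of the old 0, which per the description made the comparison always return false. It would also be worth checking whether any other PF_ANEQ() caller still passes 0.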