Date:      Tue, 27 Apr 2021 11:07:01 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "Peter Ankerstål" <peter@pean.org>
Cc:        "stable@freebsd.org" <stable@FreeBSD.org>
Subject:   Re: using interface groups in pf tables stopped working in 13.0-RELEASE
Message-ID:  <75C439F6-E778-47AE-8BD9-20FEDE129EB7@FreeBSD.org>
In-Reply-To: <E2EBBE3E-7F2E-4E4A-AAB0-E59B19A350E3@FreeBSD.org>
References:  <431C3D85-C754-4E1C-94E0-333DE254F0AC@pean.org> <E2EBBE3E-7F2E-4E4A-AAB0-E59B19A350E3@FreeBSD.org>

On 16 Apr 2021, at 17:58, Kristof Provost wrote:
> On 14 Apr 2021, at 16:16, Peter Ankerstål wrote:
>> In pf I use the interface group syntax a lot to make the configuration 
>> more readable. All interfaces are assigned to a group representing 
>> its use/vlan name.
>>
>> For example:
>>
>> ifconfig_igb1_102="172.22.0.1/24 group iot description 'iot vlan' up"
>> ifconfig_igb1_102_ipv6="inet6 2001:470:de59:22::1/64"
>>
>> ifconfig_igb1_300="172.26.0.1/24 group mgmt description 'mgmt vlan' 
>> up"
>> ifconfig_igb1_300_ipv6="inet6 2001:470:de59:26::1/64"
>>
>> in pf.conf I use these group names all over the place. But since I 
>> upgraded to 13.0-RELEASE it no longer works to define a table using 
>> the :network syntax and interface groups:
>>
>> table   <nat_addresses> const { trusted:network mgmt:network 
>> dmz:network guest:network edmz:network \
>>         admin:network iot:network client:network }
>>
>> If I reload the configuration I get the following:
>> # pfctl -f /etc/pf.conf
>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>> pfctl: Syntax error in config file: pf rules not loaded
>>
> I can reproduce that.
>
> It looks like there’s some confusion inside pfctl about the network 
> group. It ends up in pfctl_parser.c, append_addr_host(), and expects 
> an AF_INET or AF_INET6, but instead gets an AF_LINK.
>
> It’s probably related to 250994 or possibly 
> d2568b024da283bd2b88a633eecfc9abf240b3d8.
> Either way it’s pretty deep in a part of the pfctl code I don’t 
> much like. I’ll try to poke at it some more over the weekend.
>
It should be fixed as of d5b08e13dd6beb3436e181ff1f3e034cc8186584 in 
main. I’ll MFC that in about a week, and then it’ll turn up in 13.1 
in the fullness of time.

Best regards,
Kristof
