Date: Wed, 06 May 2026 19:56:07 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 295064] pfctl: rejects digit-prefixed interface names in dynamic address references
Message-ID: <bug-295064-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295064

            Bug ID: 295064
           Summary: pfctl: rejects digit-prefixed interface names in dynamic address references
           Product: Base System
           Version: 15.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: hayzam@alchemilla.io

FreeBSD allows cloned interfaces such as bridges to be renamed to names that begin with a digit. For example:

  # ifconfig bridge create
  bridge0
  # ifconfig bridge0 name 4igTLYjs
  # ifconfig 4igTLYjs
  4igTLYjs: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
          description: test
          options=10<VLAN_HWTAGGING>
          ether 58:9c:fc:10:f8:0a
          id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
          maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
          root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
          bridge flags=0<>
          groups: bridge
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

However, pfctl appears to reject the same interface name when it is used as a dynamic interface-address reference in a PF NAT rule. For example:

  nat on 4igTLYjs from 10.0.0.0/24 to any -> (4igTLYjs)

The interface name is accepted in the `on 4igTLYjs` portion of the rule, but appears to fail when referenced as `(4igTLYjs)`.

Steps to reproduce:

1. Create a bridge interface:
   # ifconfig bridge create
2. Rename it to a name beginning with a digit:
   # ifconfig bridge0 name 4igTLYjs
3. Add the following PF rule:
   nat on 4igTLYjs from 10.0.0.0/24 to any -> (4igTLYjs)
4. Validate or load the ruleset:
   # pfctl -nf /etc/pf.conf

Actual result:
pfctl rejects or fails to parse the rule when the digit-prefixed interface name is used inside parentheses as a dynamic interface-address reference.

Expected result:
pfctl should consistently accept interface names that can exist on the system, including names beginning with digits, or the restriction should be documented and enforced consistently elsewhere.
Notes:
This creates a mismatch between the network interface layer and PF. Software that generates interface names automatically may create valid interface names accepted by ifconfig, but those names can later fail when used in PF NAT rules. This is especially easy to hit when using hash-derived interface names, since the generated name may occasionally begin with a digit.

-- 
You are receiving this mail because:
You are the assignee for the bug.
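The mismatch described in the report can be caught before `pfctl -nf` ever sees the ruleset. The following pre-flight check is an added example, not part of the bug report or of FreeBSD; it scans a pf.conf for `(ifname)` dynamic interface-address references whose name starts with a digit, and the sample ruleset and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): flag digit-prefixed interface
# names used as dynamic address references "(ifname)" in a pf.conf, the
# exact construct pfctl is reported to reject, before loading the ruleset.

# Print each distinct digit-prefixed name that appears as "(name)" or
# "(name:modifier)" in the ruleset given as $1. Comments are stripped
# first so a commented-out rule does not trigger a false alarm.
find_digit_prefixed_dynrefs() {
    ruleset=$1
    sed 's/#.*//' "$ruleset" \
      | grep -o '([A-Za-z0-9_.:-]*)' \
      | sed 's/^(//; s/)$//; s/:.*//' \
      | grep '^[0-9]' \
      | sort -u
}

# Return 0 when no digit-prefixed dynamic reference is present, 1 otherwise,
# so the check can gate a subsequent "pfctl -nf" in a deployment script.
check_ruleset() {
    offenders=$(find_digit_prefixed_dynrefs "$1")
    if [ -n "$offenders" ]; then
        echo "digit-prefixed dynamic interface references found:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}

# Constructed sample ruleset: the NAT rule from the report next to one that
# uses a conventional interface name and should pass the check.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# constructed sample pf.conf
nat on em0 from 10.0.0.0/24 to any -> (em0)
nat on 4igTLYjs from 10.0.0.0/24 to any -> (4igTLYjs)
pass in on 4igTLYjs from (4igTLYjs:0) to any
EOF

if check_ruleset "$sample"; then
    echo "no digit-prefixed dynamic references; safe to run pfctl -nf"
fi
rm -f "$sample"
```

Only the `(ifname)` form is flagged, since the report states that the bare `on 4igTLYjs` form is accepted.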
