On 15 Oct 2021, at 16:27, Alexandr Nedvedicky wrote:
Hello,

looks like it works as expected on OpenBSD current:

    lumpy# pfctl -sr
    pass quick on lo0 inet6 from ::1 to ::1 flags S/SA label "ruleNo: 0"
    pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA label "ruleNo: 1"
    block drop quick all label "ruleNo: 2"
    lumpy# pfctl -sr -vvv
    @0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA label "ruleNo: 0"
      [ Evaluations: 1451 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 51504 State Creations: 0     ]
    @1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA label "ruleNo: 1"
      [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 51504 State Creations: 0     ]
    @2 block drop quick all label "ruleNo: 2"
      [ Evaluations: 1451 Packets: 1451 Bytes: 118304 States: 0 ]
      [ Inserted: uid 0 pid 51504 State Creations: 0     ]


I’m afraid that OpenBSD is affected. Perhaps the optimiser is somewhat different, but if it triggers and removes rules the macro expansion is wrong. I’ve tested 6.8 and 7.0 with this pf.conf:

        #       $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
        #
        # See pf.conf(5) and /etc/examples/pf.conf

        #set skip on lo

        pass in on lo0 from 127.0.0.0/16
        pass in on lo0 from 127.1.0.0/16
        pass in on lo0 from 127.2.0.0/16
        pass in on lo0 from 127.3.0.0/16
        pass in on lo0 from 127.4.0.0/16
        pass in on lo0 from 127.5.0.0/16
        pass in on lo0 from 127.6.0.0/16
        pass in on lo0 from 127.7.0.0/16
        pass in on lo0 from 127.8.0.0/16
        pass in on lo0 from 127.9.0.0/16
        pass in on lo0 from 127.10.0.0/16
        pass in on lo0 from 127.11.0.0/16
        pass in on lo0 from 127.12.0.0/16
        pass in on lo0 from 127.13.0.0/16
        pass in on lo0 from 127.14.0.0/16
        pass in on lo0 from 127.15.0.0/16

        block return    # block stateless traffic
        pass label "ruleNo:$nr"               # establish keep-state

        # By default, do not permit remote connections to X11
        block return in on ! lo0 proto tcp to port 6000:6010

        # Port build user does not need network
        block return out log proto {tcp udp} user _pbuild

That results in `pfctl -sr`:

        pass in on lo0 inet from <__automatic_bbebfa54_0> to any flags S/SA
        block return all
        pass all flags S/SA label "ruleNo:17"
        block return in on ! lo0 proto tcp from any to any port 6000:6010
        block return out log proto tcp all user = 55
        block return out log proto udp all user = 55

Best regards,
Kristof

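The mismatch Kristof shows above (the `pass all` rule loaded at kernel index 2 while its label reads `ruleNo:17`) is easy to miss by eye on a large ruleset, but `pfctl -sr -vvv` prints the kernel index as `@N` in front of every rule, so the two numbers can be compared mechanically. The script below is an added example, not code from the thread or from pfctl; the `check_rule_labels` function and the sample rulesets are my own constructions. It reads ruleset text on stdin so it can be exercised offline; on a pf host you would pipe `pfctl -sr -vvv` into it as root (the `live` argument does that).

```shell
#!/bin/sh
# Added example: detect "ruleNo:N" labels whose N disagrees with the kernel
# rule index (@N) printed by `pfctl -sr -vvv`. Not part of pfctl; the
# function name and sample rulesets below are constructed for illustration.

# Reads `pfctl -sr -vvv` style output on stdin. Prints one line per rule
# whose label number differs from its @index and exits 1 if any were found,
# exits 0 when every labelled rule agrees with its kernel index.
check_rule_labels() {
    awk '
        /^@[0-9]+ / {
            idx = substr($1, 2)                       # "@2" -> "2"
            if (match($0, /label "ruleNo: ?[0-9]+"/)) {
                lbl = substr($0, RSTART, RLENGTH)      # label "ruleNo:17"
                sub(/.*ruleNo: ?/, "", lbl)           # 17"
                sub(/"$/, "", lbl)                    # 17
                if (lbl + 0 != idx + 0) {
                    printf "MISMATCH @%s label says %s\n", idx, lbl
                    bad++
                }
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Constructed sample, not captured from a real host: the optimiser has folded
# the sixteen "pass in on lo0" rules into one table rule, so "pass all" sits at
# kernel index 2 while its label still carries the pre-optimisation number 17.
SAMPLE_RULESET='@0 pass in on lo0 inet from <__automatic_bbebfa54_0> to any flags S/SA
@1 block return all
@2 pass all flags S/SA label "ruleNo:17"
@3 block return in on ! lo0 proto tcp from any to any port 6000:6010'

# Constructed sample where every label agrees with its kernel index.
GOOD_RULESET='@0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA label "ruleNo: 0"
@1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA label "ruleNo: 1"
@2 block drop quick all label "ruleNo: 2"'

if [ "${1:-}" = "live" ]; then
    # Real check: needs root on a host running pf.
    pfctl -sr -vvv | check_rule_labels
elif printf '%s\n' "$SAMPLE_RULESET" | check_rule_labels; then
    echo "all ruleNo labels match their kernel indices"
else
    echo "label/index drift detected (expected for the constructed sample)"
fi
```

The `[ Evaluations: ... ]` and `[ Inserted: ... ]` continuation lines of the `-vvv` output start with whitespace, so the `^@` pattern skips them; only rule lines are compared. Run it after every `pfctl -f` in a deployment pipeline if anything downstream (accounting, log correlation) keys on the `$nr` label.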