Hello Kristof,
</snip>
> I’m afraid that OpenBSD is affected. Perhaps the optimiser is somewhat
> different, but if it triggers and removes rules the macro expansion is
> wrong. I’ve tested 6.8 and 7.0 with this pf.conf:
>
> # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> #set skip on lo
>
> pass in on lo0 from 127.0.0.0/16
> pass in on lo0 from 127.1.0.0/16
> pass in on lo0 from 127.2.0.0/16
> pass in on lo0 from 127.3.0.0/16
> pass in on lo0 from 127.4.0.0/16
> pass in on lo0 from 127.5.0.0/16
> pass in on lo0 from 127.6.0.0/16
> pass in on lo0 from 127.7.0.0/16
> pass in on lo0 from 127.8.0.0/16
> pass in on lo0 from 127.9.0.0/16
> pass in on lo0 from 127.10.0.0/16
> pass in on lo0 from 127.11.0.0/16
> pass in on lo0 from 127.12.0.0/16
> pass in on lo0 from 127.13.0.0/16
> pass in on lo0 from 127.14.0.0/16
> pass in on lo0 from 127.15.0.0/16
>
> block return # block stateless traffic
> pass label "ruleNo:$nr" # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> # Port build user does not need network
> block return out log proto {tcp udp} user _pbuild
>
> That results in `pfctl -sr`:
>
> pass in on lo0 inet from <__automatic_bbebfa54_0> to any flags S/SA
> block return all
> pass all flags S/SA label "ruleNo:17"
> block return in on ! lo0 proto tcp from any to any port 6000:6010
> block return out log proto tcp all user = 55
> block return out log proto udp all user = 55
>
Thank you for the details. I'll take a look at it, hopefully over the weekend
or next week.
regards
sashan
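A small check for the symptom reported above, as an added example (not code from the report, from sashan, or from OpenBSD): it reproduces where the "17" in the expanded label comes from by numbering the rules in file order (0-based, `{tcp udp}` lists expanded, as in the listing where `ruleNo:$nr` is the 18th rule), and then compares each loaded rule's `ruleNo:` label against its actual position in the ruleset. It assumes `pfctl -vvsr` prints an `@N` rule-number prefix in front of each rule; the two inputs are constructed samples modelled on the pf.conf and the `pfctl -sr` listing quoted above, so the script runs offline.

```python
import re

# Constructed sample pf.conf, the same rules as in the report above.
PF_CONF_SAMPLE = "\n".join(
    ["#set skip on lo"]
    + [f"pass in on lo0 from 127.{i}.0.0/16" for i in range(16)]
    + ["block return",
       'pass label "ruleNo:$nr"',
       "block return in on ! lo0 proto tcp to port 6000:6010",
       "block return out log proto {tcp udp} user _pbuild"]
) + "\n"

# Constructed sample of `pfctl -vvsr` output for that ruleset after the
# optimiser collapsed the sixteen lo0 rules into one table rule.  The "@N"
# prefix is assumed to be the rule number pfctl prints with -vv; the
# per-rule counter lines that -vv also prints are left out here.
PFCTL_VVSR_SAMPLE = """\
@0 pass in on lo0 inet from <__automatic_bbebfa54_0> to any flags S/SA
@1 block return all
@2 pass all flags S/SA label "ruleNo:17"
@3 block return in on ! lo0 proto tcp from any to any port 6000:6010
@4 block return out log proto tcp all user = 55
@5 block return out log proto udp all user = 55
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def nr_before_optimisation(pf_conf, label):
    """0-based index the $nr macro expands to for the rule carrying `label`,
    counting rules in file order with {a b} lists expanded.  Comments,
    blank lines and non-rule statements (set/table/include) are skipped."""
    nr = 0
    for line in pf_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("set ", "table ", "include ")):
            continue
        if label in line:
            return nr
        count = 1
        for lst in re.findall(r"\{([^}]*)\}", line):
            count *= len([w for w in re.split(r"[\s,]+", lst.strip()) if w])
        nr += count
    return None


def parse_rules(text):
    """Return [(rule_number, rule_text)] for every '@N ...' line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2)))
    return rules


def find_label_mismatches(text, prefix="ruleNo:"):
    """Loaded rules whose 'ruleNo:<n>' label disagrees with their position.

    Returns [(actual_nr, labelled_nr, rule_text)]; an empty list means every
    label survived optimisation with the right number."""
    mismatches = []
    for nr, rule in parse_rules(text):
        m = LABEL_RE.search(rule)
        if not m or not m.group(1).startswith(prefix):
            continue
        try:
            labelled = int(m.group(1)[len(prefix):])
        except ValueError:
            continue
        if labelled != nr:
            mismatches.append((nr, labelled, rule))
    return mismatches


if __name__ == "__main__":
    print("$nr in file order:", nr_before_optimisation(PF_CONF_SAMPLE, "ruleNo:$nr"))
    for nr, labelled, rule in find_label_mismatches(PFCTL_VVSR_SAMPLE):
        print(f"@{nr} carries label ruleNo:{labelled}: {rule}")
```

On a live system, pipe `pfctl -vvsr` into `find_label_mismatches` instead of the sample; any hit means a label that encodes `$nr` no longer points at the rule it sits on, so anything keyed on those labels (per-rule counters via `pfctl -sl`, log correlation) is off by however many rules the optimiser folded away.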