On 21 Oct 2021, at 20:33, Alexandr Nedvedicky wrote:

> Hello,
>
>> I’ve had a bug report against FreeBSD’s pfctl which I think also applies to
>> OpenBSD.
>>
>> The gist of it is that the macro expansion in labels/tags is done prior to
>> the rule optimisation, which means that at least the $nr expansion can be
>> wrong.
>
> I agree OpenBSD suffers from the same issue. Below is a diff for OpenBSD.
> The FreeBSD diff, which we got from Kristof, merged with rejects. While
> dealing with them, I came up with a slightly different version of the fix,
> which minimizes the diff.
>

I’d initially gone that route as well, but decided I wanted all of the macro expansions to be done at the same time. In part to keep things simple, but also because I wasn’t 100% sure the rule number one would be the only one with issues. For example, if the optimiser decides to merge rules because it can merge address ranges, $srcaddr or $dstaddr might end up being wrong.

I didn’t test this though, so I’m not 100% sure it really would be a problem. Labels are considered barriers to optimisation it seems, but tags are not, so I could see something like “pass from 127.0.0.0/16 tag from:$srcaddr” and “pass from 127.1.0.0/16 tag from:$srcaddr” ending up doing strange things.

Best regards,
Kristof
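The ordering problem the thread is about, as an added toy model in Python (not pfctl's code, and not the diff under discussion): rule numbers are only final after the optimiser has dropped or merged rules, so a label whose `$nr` was expanded beforehand can name a rule that no longer sits at that position. The optimiser here is a constructed stand-in that merely drops exact duplicate rule bodies and ignores labels; the real pf optimiser does much more. Rule numbering is 0-based, matching the `@0`, `@1`, ... that `pfctl -vv` prints. `$srcaddr` is expanded alongside `$nr` so the two can be compared: with this duplicate-dropping optimiser only `$nr` goes stale, which says nothing about the range-merging case Kristof wonders about above.

```python
"""Toy model: expanding $nr in labels before rule optimisation yields stale numbers.

Added illustration, not pfctl source. The optimiser is a constructed stand-in.
"""
from dataclasses import dataclass, replace
from string import Template


@dataclass(frozen=True)
class Rule:
    src: str    # source address of the rule body, e.g. "127.0.0.0/16"
    label: str  # label with pfctl-style macros ($nr, $srcaddr) still unexpanded


def expand_labels(rules):
    """Substitute $nr and $srcaddr in every label.

    $nr is the rule's position in the ruleset as handed in, 0-based like the
    @N prefix in `pfctl -vv` output; $srcaddr is the rule's own source address.
    """
    return [
        replace(r, label=Template(r.label).safe_substitute(nr=str(i), srcaddr=r.src))
        for i, r in enumerate(rules)
    ]


def optimise(rules):
    """Constructed stand-in for the pf rule optimiser.

    Drops any rule whose body duplicates an earlier one, keeping the first.
    Labels are not inspected, so they are no barrier to removal here.
    """
    seen, out = set(), []
    for r in rules:
        if r.src not in seen:
            seen.add(r.src)
            out.append(r)
    return out


def load_expand_first(rules):
    """Order the thread identifies as the bug: expand macros, then optimise."""
    return optimise(expand_labels(rules))


def load_optimise_first(rules):
    """Order the fix moves to: optimise, then expand macros."""
    return expand_labels(optimise(rules))


def mismatches(rules):
    """Return (real position, nr in label) for every rule whose label disagrees."""
    bad = []
    for i, r in enumerate(rules):
        fields = dict(f.split("=", 1) for f in r.label.split())
        if int(fields["nr"]) != i:
            bad.append((i, int(fields["nr"])))
    return bad


# Constructed sample ruleset: the second rule is an exact duplicate the toy
# optimiser removes, which shifts every later rule up by one.
SAMPLE = [
    Rule("10.0.0.0/8", "nr=$nr src=$srcaddr"),
    Rule("10.0.0.0/8", "nr=$nr src=$srcaddr"),
    Rule("127.0.0.0/16", "nr=$nr src=$srcaddr"),
]

if __name__ == "__main__":
    for name, loader in (("expand first", load_expand_first),
                         ("optimise first", load_optimise_first)):
        loaded = loader(SAMPLE)
        print(name, [f"@{i} {r.label}" for i, r in enumerate(loaded)],
              "stale:", mismatches(loaded))
```

Run as a script it prints both orderings side by side: with expansion first, the surviving 127.0.0.0/16 rule sits at @1 but carries `nr=2`, while `src=` is correct either way because dropping a duplicate never changes a rule's own body.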
