Hello,
On Fri, Oct 22, 2021 at 02:47:07PM +0200, Kristof Provost wrote:
> On 21 Oct 2021, at 20:33, Alexandr Nedvedicky wrote:
> > Hello,
> >
> >> I’ve had a bug report against FreeBSD’s pfctl which I think also applies
> >> to OpenBSD.
> >>
> >> The gist of it is that the macro expansion in labels/tags is done prior to
> >> the rule optimisation, which means that at least the $nr expansion can be
> >> wrong.
> >
> > I agree OpenBSD suffers from the same issue. Below is a diff for
> > OpenBSD.
> > The FreeBSD diff, which we got from Kristof, merged with rejects. While
> > dealing with them, I came up with a slightly different version of the
> > fix, which minimizes the diff.
> >
> I’d initially gone that route as well, but decided I wanted all of the macro
> expansions to be done at the same time. In part to keep things simple, but
> also because I wasn’t 100% sure the rule number one would be the only one
> with issues. For example, if the optimiser decides to merge rules because it
> can merge address ranges $srcaddr or $dstaddr might end up being wrong.
Klemens (kn@...) and I poked into it for a bit and it looks like the optimizer
won't attempt to merge rules which have a label. I also prefer to take
just the necessary steps to fix bugs.
regards
sashan
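To make the ordering problem from the thread concrete, here is a small Python model added for this page; it is not pfctl's code. It assumes a toy optimizer that only drops unlabelled duplicate rules (a constructed simplification of what pfctl's optimizer does) and shows how the $nr macro in a label ends up stale when expansion runs before optimization and correct when it runs after.

```python
from typing import List, Optional

class Rule:
    """One pf rule; `label` may contain the $nr macro, `nr` is its number in the loaded set."""
    def __init__(self, action: str, src: str, dst: str, label: Optional[str] = None):
        self.action, self.src, self.dst, self.label, self.nr = action, src, dst, label, 0

def number(rules: List[Rule]) -> List[Rule]:
    for i, r in enumerate(rules):
        r.nr = i
    return rules

def optimize(rules: List[Rule]) -> List[Rule]:
    """Toy optimizer (assumption): drop exact duplicates of an earlier rule, but never
    touch a rule that carries a label, matching the observation in the thread."""
    seen, out = set(), []
    for r in rules:
        key = (r.action, r.src, r.dst)
        if r.label is None and key in seen:
            continue                      # unlabelled duplicate removed
        seen.add(key)
        out.append(r)
    return number(out)                    # surviving rules are renumbered

def expand_labels(rules: List[Rule]) -> List[Rule]:
    """Expand $nr in every label to the rule's current number."""
    for r in rules:
        if r.label is not None:
            r.label = r.label.replace("$nr", str(r.nr))
    return rules

def load_buggy(rules: List[Rule]) -> List[Rule]:
    """Bug: labels expanded before optimization capture pre-optimization numbers."""
    return optimize(expand_labels(number(rules)))

def load_fixed(rules: List[Rule]) -> List[Rule]:
    """Fix: optimize first, then expand, so $nr matches the final rule number."""
    return expand_labels(optimize(number(rules)))

def sample_rules() -> List[Rule]:
    """Constructed ruleset: rule 2 is an unlabelled duplicate of rule 1."""
    return [Rule("block", "any", "any"),
            Rule("pass", "10.0.0.1", "10.0.0.2"),
            Rule("pass", "10.0.0.1", "10.0.0.2"),
            Rule("pass", "10.0.0.1", "10.0.0.3", label="rule-$nr")]

def labels(rules: List[Rule]):
    """(final number, expanded label) for every labelled rule."""
    return [(r.nr, r.label) for r in rules if r.label is not None]
```

With the buggy order the labelled rule is loaded as rule 2 but its label reads "rule-3"; with the fixed order the label reads "rule-2", so anything keyed on the label (log matching, counters) refers to the right rule.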