On 24 Apr 2021, at 15:18, Kristof Provost wrote:
On 24 Apr 2021, at 14:12, Florian Smeets wrote:
On 10.04.21 11:16, Kristof Provost wrote:
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
commit 5c11c5a3655842a176124ef2334fcdf830422c8a
Author: Kristof Provost <[email protected]>
AuthorDate: 2021-03-12 17:03:14 +0000
Commit: Kristof Provost <[email protected]>
CommitDate: 2021-04-10 09:16:01 +0000
pfctl: Move to DIOCADDRULENV
Start using the new nvlist based ioctl to add rules.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29558
Hi Kristof,
this commit breaks my previously working rule set. Using a pfctl from
before this commit works with a kernel from yesterday's sources.
This is the smallest rule set I could come up with. It doesn't matter
whether I use macros in the list or not. The int_if stuff is only
there to not lock myself out of the system.
It looks like lists with more than 5 IPv6 hosts or 6 IPv4 hosts don't
work.
int_if="em0"
set skip on $int_if
# not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
# each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
# working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
Another interesting point is the following rules work with -o none,
but not with -o basic, which I guess points to list or maybe table
handling?
pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh
I think you should be able to reproduce this easily; if you need
anything else, please let me know.
Yeah, I see what’s happening here. The optimiser creates an
automatic table, and the table name is longer than IFNAMSIZ. That’s
fine, because it’s stored in a union that has tblname, which is
sufficiently long for that name. The problem is that the nvlist code
unconditionally reads the ifname as well, and the automatic name is
longer than IFNAMSIZ.
It’s a simple matter of (a) cursing the old pf data structures for
being awful and (b) only reading ifname (or tblname) for the
appropriate addr type.
I’m testing a patch now.
https://reviews.freebsd.org/D29962
Best regards,
Kristof
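The failure mode Kristof describes, as an added stand-alone illustration that is not pf's own code and not the patch in D29962: a tagged union where the interface name and the (longer) table name share storage, a serializer that reads the ifname member regardless of which member is live, and the fixed variant that dispatches on the type tag. The struct is a deliberately simplified stand-in for pf's address wrapper (only the two name members are modelled), the sizes IFNAMSIZ = 16 and PF_TABLE_NAME_SIZE = 32 are the FreeBSD values redefined locally so the file compiles anywhere, and the automatic table name used as input is constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FreeBSD values (IFNAMSIZ from <net/if.h>, PF_TABLE_NAME_SIZE from
 * pfvar.h), defined here so the example is self-contained. */
#define IFNAMSIZ 16
#define PF_TABLE_NAME_SIZE 32

/* Hypothetical, simplified stand-in for pf's address wrapper: the interface
 * name and the table name overlay each other in one union, and only the
 * type tag says which one is meaningful. */
enum addr_type { ADDR_IFACE, ADDR_TABLE, ADDR_MASK };

struct addr_wrap {
    union {
        char ifname[IFNAMSIZ];
        char tblname[PF_TABLE_NAME_SIZE];
    } v;
    enum addr_type type;
};

/* A fixed-size name is only acceptable if a NUL terminator lies inside the
 * buffer; a serializer has to check this before copying the string out. */
static int bounded_string_ok(const char *s, size_t size)
{
    return memchr(s, '\0', size) != NULL;
}

/* Buggy variant: validates ifname regardless of the type tag. A table name
 * of IFNAMSIZ or more characters overlays ifname with no NUL in its first
 * IFNAMSIZ bytes, so a perfectly valid table address is rejected with
 * EINVAL ("Invalid argument"). */
int pack_addr_buggy(const struct addr_wrap *a)
{
    if (!bounded_string_ok(a->v.ifname, IFNAMSIZ))
        return EINVAL;
    if (a->type == ADDR_TABLE &&
        !bounded_string_ok(a->v.tblname, PF_TABLE_NAME_SIZE))
        return EINVAL;
    return 0;
}

/* Fixed variant: only the member the type tag marks as live is read. */
int pack_addr_fixed(const struct addr_wrap *a)
{
    switch (a->type) {
    case ADDR_IFACE:
        return bounded_string_ok(a->v.ifname, IFNAMSIZ) ? 0 : EINVAL;
    case ADDR_TABLE:
        return bounded_string_ok(a->v.tblname, PF_TABLE_NAME_SIZE) ? 0 : EINVAL;
    default:
        return 0; /* neither name member carries data for other types */
    }
}

/* Builds a table-typed address; refuses names that would not fit so the
 * example never depends on a silently truncated string. */
int make_table_addr(struct addr_wrap *a, const char *name)
{
    memset(a, 0, sizeof(*a));
    if (strlen(name) >= PF_TABLE_NAME_SIZE)
        return EINVAL;
    strcpy(a->v.tblname, name);
    a->type = ADDR_TABLE;
    return 0;
}

int main(void)
{
    struct addr_wrap a;

    /* Constructed name in the style of an optimiser-generated table:
     * 22 characters, longer than IFNAMSIZ but within PF_TABLE_NAME_SIZE. */
    if (make_table_addr(&a, "__automatic_0a1b2c3d_0") != 0)
        return 1;
    printf("buggy serializer: %d, fixed serializer: %d\n",
           pack_addr_buggy(&a), pack_addr_fixed(&a));
    return 0;
}
```

The same address passes the fixed serializer and fails the buggy one, while a short table name passes both, which is why the rule set only broke once the automatic table's name crossed the IFNAMSIZ boundary.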
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all
To unsubscribe, send any mail to "[email protected]"