https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=259689
Bug ID: 259689
Summary: pfctl -vs rule: invalid table record counters
Product: Base System
Version: 13.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: bin
Assignee: [email protected]
Reporter: [email protected]
problem:
"pfctl -vvs rule/nat" shows invalid number of records in IP tables, even if 0.
IPv4 number of records in "from" tables always is "1076383888".
IPv4 number of records in "to" tables always is "12".
all this was tested on FreeBSD-13.0-STABLE-amd64-20211104-70cb6c34bb5
reproduce:
execute "pfctl -Pvvs rule" or "pfctl -Pvvs nat" with rules having IP tables in
from/to.
assumption:
some code change to sbin/pfctl between 2021/05 and 2021/09 causes this.
pfctl binary works on: 13.0-STABLE-amd64-20210527-024a9aa7010-245691.
pfctl binary buggy on: 13.0-STABLE-amd64-20210930-94ad8d7c7a3-247474.
pfctl binary buggy on: 13.0-STABLE-amd64-20211104-70cb6c34bb5-247975.
workaround:
copy /sbin/pfctl binary from e.g.
FreeBSD-13.0-STABLE-amd64-20210527-024a9aa7010-245691 (ELF 1300505).
this copy works as expected and the pfctl table record counters are shown
properly.
side info:
this was first observed with custom kernel, loader.conf and sysctl.conf being
tuned.
but when booting 20211104 with GENERIC and loader.conf/sysctl.conf wiped, it's
the same issue.
So I would believe it's related neither to the ruleset, the kernel, nor the base
OS libraries.
example output (table names and ports pseudonymized):
@1518 pass in quick on foo inet proto tcp from <foo_table_from:1076383888> port = 6666 to <foo_table_to:12> port = 6666 flags S/SA modulate state tag TAGFOO
[ Evaluations: 55 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 9903 State Creations: 0 ]
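A cross-check for the counters quoted above, added here as an example and not part of the bug report or of pfctl itself: it pulls every <table:count> token out of "pfctl -vvs rule" output and compares the reported count with the table's real size as listed by "pfctl -t NAME -T show". The sample rule line is constructed from the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: compare the per-table record
# counters that "pfctl -vvs rule" prints as <table:count> against the
# number of addresses really loaded in each table. A pfctl binary showing
# the reported bug prints counts such as 1076383888 or 12 regardless of
# the table's real contents, so the two numbers disagree.

# Constructed sample line, shaped like the output quoted in the report.
SAMPLE_RULE='@1518 pass in quick on foo inet proto tcp from <foo_table_from:1076383888> port = 6666 to <foo_table_to:12> port = 6666 flags S/SA modulate state tag TAGFOO'

# Read rule output on stdin and print "table count" for every <table:count>.
rule_table_counts() {
    awk '{
        line = $0
        while (match(line, /<[^:<>]+:[0-9]+>/)) {
            tok = substr(line, RSTART + 1, RLENGTH - 2)   # strip the < >
            split(tok, kv, ":")
            print kv[1], kv[2]
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# Real size of a table: one address per line from "pfctl -t NAME -T show".
pfctl_table_size() {
    pfctl -t "$1" -T show | grep -c . || true
}

# check_table_counter TABLE REPORTED [SIZE_FN]: SIZE_FN (default
# pfctl_table_size) must print the real size; returns 1 on a mismatch.
check_table_counter() {
    table=$1; reported=$2; size_fn=${3:-pfctl_table_size}
    actual=$("$size_fn" "$table")
    actual=${actual:-0}
    if [ "$reported" -eq "$actual" ]; then
        echo "OK       $table reported=$reported actual=$actual"
        return 0
    fi
    echo "MISMATCH $table reported=$reported actual=$actual"
    return 1
}

# Walk every table referenced by the loaded ruleset; returns 1 if any
# counter disagrees with the table's real size. Needs a live pf.
audit_rule_tables() {
    rc=0
    for pair in $(pfctl -vvs rule | rule_table_counts | sort -u | tr ' ' ':'); do
        check_table_counter "${pair%%:*}" "${pair#*:}" || rc=1
    done
    return $rc
}
```

Note the second table in the sample: when a table really does hold 12 entries the bogus counter coincides with the truth, so check more than one table before concluding a binary is fine.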