Re: interface modifiers :network and :0 picking different subnets for IPv6
Hi Richard, On Tue, Jan 28, 2020 at 04:42:02PM +1300, richard.n.proc...@gmail.com wrote: | Does the patch below help? It does! Great, thank you! (tested on my test vm as that has a source tree checked out) [weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | pfctl -nvf - block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53 block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53 [weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | obj/pfctl -nvf - block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53 block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53 block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53 Looks great and would be perfect to have in I think. One rule to concisely describe the behaviour I want :) Thanks again! Paul | I think you have found an oversight in the original implementation of | ':0', which defines a non-alias as the first defined address (of the given | address family) [0]. The patch makes ':0' skip link-local addresses, | matching the behaviour of ':network'. | | best, | Richard. | | [0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup() | | Index: sbin/pfctl/pfctl_parser.c | === | RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v | retrieving revision 1.342 | diff -u -p -u -p -r1.342 pfctl_parser.c | --- sbin/pfctl/pfctl_parser.c 17 Oct 2019 21:54:28 - 1.342 | +++ sbin/pfctl/pfctl_parser.c 28 Jan 2020 03:11:27 - | @@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla | continue; | if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0) | continue; | + if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0) | + continue; | if (last_if == NULL || strcmp(last_if, p->ifname)) | got4 = got6 = 0; | last_if = p->ifname; -- >[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-] http://www.weirdnet.nl/
Re: interface modifiers :network and :0 picking different subnets for IPv6
On Mon, 27 Jan 2020, Paul de Weerd wrote: > Hi all, > > Following up from my previous (PEBKAC) issue[1], I kept working on my > ruleset. I found, what I believe to be, another issue. Here's the > reduced ruleset that reproduces the problem: > [snip details] > > The problem is in the IPv6 rules. Here "em1:network" expands to the > global unicast network configured on the interface but "em1:0" expands > to the link-local address. This doesn't really make sense to me. If > both would expand to the link-local version, that would be unfortunate > but understandable. I'm hoping to have both expand to the global > unicast version ("from 2a02:898:28:300::/64 to ! 2a02:898:28:300::1"). > > Why is pfctl picking different addresses for these two modifiers? > [...] > Is there a way to tell pf to use the global unicast address for em1:0 > other than hardcoding the address in the ruleset? Hi Paul, Does the patch below help? I think you have found an oversight in the original implementation of ':0', which defines a non-alias as the first defined address (of the given address family) [0]. The patch makes ':0' skip link-local addresses, matching the behaviour of ':network'. best, Richard. [0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup() Index: sbin/pfctl/pfctl_parser.c === RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v retrieving revision 1.342 diff -u -p -u -p -r1.342 pfctl_parser.c --- sbin/pfctl/pfctl_parser.c 17 Oct 2019 21:54:28 - 1.342 +++ sbin/pfctl/pfctl_parser.c 28 Jan 2020 03:11:27 - @@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla continue; if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0) continue; + if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0) + continue; if (last_if == NULL || strcmp(last_if, p->ifname)) got4 = got6 = 0; last_if = p->ifname;