subject:"interface modifiers \:network and \:0 picking different subnets for IPv6"

Re: interface modifiers :network and :0 picking different subnets for IPv6

2020-01-28 Thread Paul de Weerd

Hi Richard,

On Tue, Jan 28, 2020 at 04:42:02PM +1300, richard.n.proc...@gmail.com wrote:
| Does the patch below help?

It does!  Great, thank you!

(tested on my test vm as that has a source tree checked out)

[weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to 
! vio0:0 port domain' | pfctl -nvf -
block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 
port = 53
block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 
port = 53
block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! 
fe80::fce1:bbff:fed1:c6d9 port = 53
block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! 
fe80::fce1:bbff:fed1:c6d9 port = 53
[weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to 
! vio0:0 port domain' | obj/pfctl -nvf -
block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 
port = 53
block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 
port = 53
block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! 
2a02:898:28:200:4706:3e7a:afb9:5137 port = 53
block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! 
2a02:898:28:200:4706:3e7a:afb9:5137 port = 53

Looks great and would be perfect to have in I think.  One rule to
concisely describe the behaviour I want :)

Thanks again!

Paul

| I think you have found an oversight in the original implementation of 
| ':0', which defines a non-alias as the first defined address (of the given 
| address family) [0]. The patch makes ':0' skip link-local addresses, 
| matching the behaviour of ':network'.
| 
| best, 
| Richard. 
| 
| [0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup()
| 
| Index: sbin/pfctl/pfctl_parser.c
| ===
| RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
| retrieving revision 1.342
| diff -u -p -u -p -r1.342 pfctl_parser.c
| --- sbin/pfctl/pfctl_parser.c 17 Oct 2019 21:54:28 -  1.342
| +++ sbin/pfctl/pfctl_parser.c 28 Jan 2020 03:11:27 -
| @@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla
|   continue;
|   if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0)
|   continue;
| + if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0)
| + continue;
|   if (last_if == NULL || strcmp(last_if, p->ifname))
|   got4 = got6 = 0;
|   last_if = p->ifname;

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/

Re: interface modifiers :network and :0 picking different subnets for IPv6

2020-01-27 Thread richard . n . procter




On Mon, 27 Jan 2020, Paul de Weerd wrote:

> Hi all,
> 
> Following up from my previous (PEBKAC) issue[1], I kept working on my
> ruleset.  I found, what I believe to be, another issue.  Here's the
> reduced ruleset that reproduces the problem:
> [snip details]
> 
> The problem is in the IPv6 rules.  Here "em1:network" expands to the
> global unicast network configured on the interface but "em1:0" expands
> to the link-local address.  This doesn't really make sense to me.  If
> both would expand to the link-local version, that would be unfortunate
> but understandable.  I'm hoping to have both expand to the global
> unicast version ("from 2a02:898:28:300::/64 to ! 2a02:898:28:300::1").
> 
> Why is pfctl picking different addresses for these two modifiers?
> [...] 
> Is there a way to tell pf to use the global unicast address for em1:0
> other than hardcoding the address in the ruleset?

Hi Paul, 

Does the patch below help?

I think you have found an oversight in the original implementation of 
':0', which defines a non-alias as the first defined address (of the given 
address family) [0]. The patch makes ':0' skip link-local addresses, 
matching the behaviour of ':network'.

best, 
Richard. 

[0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup()

Index: sbin/pfctl/pfctl_parser.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.342
diff -u -p -u -p -r1.342 pfctl_parser.c
--- sbin/pfctl/pfctl_parser.c   17 Oct 2019 21:54:28 -  1.342
+++ sbin/pfctl/pfctl_parser.c   28 Jan 2020 03:11:27 -
@@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla
continue;
if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0)
continue;
+   if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0)
+   continue;
if (last_if == NULL || strcmp(last_if, p->ifname))
got4 = got6 = 0;
last_if = p->ifname;

interface modifiers :network and :0 picking different subnets for IPv6

2020-01-27 Thread Paul de Weerd

Hi all,

Following up from my previous (PEBKAC) issue[1], I kept working on my
ruleset.  I found, what I believe to be, another issue.  Here's the
reduced ruleset that reproduces the problem:

[root@ferrari] # cat pf.tmp
IntIF=em1
# only allow DNS to the unbound instance listening on em1 (v4 and v6)
block in on $IntIF proto { tcp, udp } from $IntIF:network to ! $IntIF:0 port 
domain
[root@ferrari] # pfctl -nvf pf.tmp
IntIF = "em1"
block drop in on em1 inet6 proto tcp from 2a02:898:28:300::/64 to ! 
fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet6 proto udp from 2a02:898:28:300::/64 to ! 
fe80::2e0:67ff:fe15:cc6d port = 53
block drop in on em1 inet proto tcp from 192.168.150.0/24 to ! 192.168.150.1 
port = 53
block drop in on em1 inet proto udp from 192.168.150.0/24 to ! 192.168.150.1 
port = 53

The problem is in the IPv6 rules.  Here "em1:network" expands to the
global unicast network configured on the interface but "em1:0" expands
to the link-local address.  This doesn't really make sense to me.  If
both would expand to the link-local version, that would be unfortunate
but understandable.  I'm hoping to have both expand to the global
unicast version ("from 2a02:898:28:300::/64 to ! 2a02:898:28:300::1").

Why is pfctl picking different addresses for these two modifiers?

This is the interface configuration:

[root@ferrari] # ifconfig em1
em1: flags=808843 mtu 1500
lladdr 00:e0:67:15:cc:6d
description: LAN
index 2 priority 0 llprio 3
groups: lan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet6 fe80::2e0:67ff:fe15:cc6d%em1 prefixlen 64 scopeid 0x2
inet6 2a02:898:28:300::1 prefixlen 64
inet6 2a02:898:28:300::2 prefixlen 128
inet 192.168.150.1 netmask 0xff00 broadcast 192.168.150.255
inet 192.168.150.2 netmask 0x

Is there a way to tell pf to use the global unicast address for em1:0
other than hardcoding the address in the ruleset?

Cheers,

Paul 'WEiRD' de Weerd

[1]: https://marc.info/?l=openbsd-misc=157994923220390=2

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/

Re: interface modifiers :network and :0 picking different subnets for IPv6

Re: interface modifiers :network and :0 picking different subnets for IPv6

interface modifiers :network and :0 picking different subnets for IPv6

3 matches

Site Navigation

Mail list logo

Footer information