On Sun, Sep 20, 2020 at 07:29:38PM +0200, Klemens Nanni wrote:
> Rebased diff after yasouka's pfctl commit; it still takes care of
> rdomains only, but I'd appreciate folks using `on rdomain' in their
> pf.conf test this. If this works out I'd like to put it in shortly
> after release and work on rtables next.
Working for me so far, anyone else playing around with it?
I also checked CVS log and the existing rtable_l2() check goes back to
claudio's introduction of `on rdomain N' in pf, i.e. it's been there
from the start as a harmless but needless check and has not been added
after the fact to fix anything.
The time is now, so here's an updated diff after sashan pointed out how
I erroneously checked the rtable ID instead of the rdomain ID in the
ioctl (copy/pasta mistake).
Feedback? OK?
Index: sys/net/pf_ioctl.c
===================================================================
RCS file: /cvs/src/sys/net/pf_ioctl.c,v
retrieving revision 1.356
diff -u -p -r1.356 pf_ioctl.c
--- sys/net/pf_ioctl.c 24 Aug 2020 15:41:15 -0000 1.356
+++ sys/net/pf_ioctl.c 30 Sep 2020 20:48:34 -0000
@@ -2820,10 +2820,8 @@ pf_rule_copyin(struct pf_rule *from, str
if (to->rtableid >= 0 && !rtable_exists(to->rtableid))
return (EBUSY);
to->onrdomain = from->onrdomain;
- if (to->onrdomain >= 0 && !rtable_exists(to->onrdomain))
- return (EBUSY);
- if (to->onrdomain >= 0) /* make sure it is a real rdomain */
- to->onrdomain = rtable_l2(to->onrdomain);
+ if (to->onrdomain < 0 || to->onrdomain > RT_TABLEID_MAX)
+ return (EINVAL);
for (i = 0; i < PFTM_MAX; i++)
to->timeout[i] = from->timeout[i];
Index: sbin/pfctl/parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.703
diff -u -p -r1.703 parse.y
--- sbin/pfctl/parse.y 17 Sep 2020 14:26:59 -0000 1.703
+++ sbin/pfctl/parse.y 20 Sep 2020 17:28:10 -0000
@@ -1216,7 +1216,7 @@ antispoof_opt : LABEL label {
if ($2 < 0 || $2 > RT_TABLEID_MAX) {
yyerror("invalid rtable id");
YYERROR;
- } else if (lookup_rtable($2) < 1) {
+ } else if (!lookup_rtable($2)) {
yyerror("rtable %lld does not exist", $2);
YYERROR;
}
@@ -2003,7 +2003,7 @@ filter_opt : USER uids {
if ($2 < 0 || $2 > RT_TABLEID_MAX) {
yyerror("invalid rtable id");
YYERROR;
- } else if (lookup_rtable($2) < 1) {
+ } else if (!lookup_rtable($2)) {
yyerror("rtable %lld does not exist", $2);
YYERROR;
}
@@ -2481,8 +2481,6 @@ if_item : STRING {
| RDOMAIN NUMBER {
if ($2 < 0 || $2 > RT_TABLEID_MAX)
yyerror("rdomain %lld outside range", $2);
- else if (lookup_rtable($2) != 2)
- yyerror("rdomain %lld does not exist", $2);
$$ = calloc(1, sizeof(struct node_if));
if ($$ == NULL)
@@ -5899,10 +5897,6 @@ lookup_rtable(u_int rtableid)
return 0;
}
err(1, "%s", __func__);
- }
- if (info.rti_domainid == rtableid) {
- found[rtableid] = 2;
- return 2;
}
found[rtableid] = 1;
return 1;
