[Bug 282863] pf(4): Cannot add multiple filtering rules with IP address range

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 19 Nov 2024 14:36:58 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282863

            Bug ID: 282863
           Summary: pf(4): Cannot add multiple filtering rules with IP
                    address range
           Product: Base System
           Version: 14.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: sergey.koupreyenko@gmail.com

How to reproduce:
1) Use the pf.conf file below

set skip on lo0
set block-policy drop
set loginterface pflog0
set ruleset-optimization none

block in on net16
pass out on net16

pass in quick on net16 inet from 10.41.2.130 to any no state
pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state
pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state
pass in quick on net16 inet from 192.168.78.254 to any no state
pass in quick on net16 inet from 10.41.2.128/26 to any no state
pass in quick on net16 inet from 10.1.0.0/16 to any no state
pass in quick on net16 inet from 10.1.1.0/24 to any no state

2) Enter the command (pf(4) service is enabled)
pfctl -vvv -F all -f /path/to/pf.conf

No ALTQ support in kernel
ALTQ related functions disabled
Ethernet rules cleared
rules cleared
nat cleared
1 tables deleted.
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
Loaded 762 passive OS fingerprints
table <fnp4_acl> persist { 10.41.2.130 }
set skip on { lo0 }
set block-policy drop
set loginterface pflog0
@0 block drop in on net16 all
@1 pass out on net16 all flags S/SA keep state
@2 pass in quick on net16 inet from 10.41.2.130 to any no state
@3 pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
@4 pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state -- rule was already present
@5 pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state -- rule was already present
@6 pass in quick on net16 inet from 192.168.78.254 to any no state
@7 pass in quick on net16 inet from 10.41.2.128/26 to any no state
@8 pass in quick on net16 inet from 10.1.0.0/16 to any no state
@9 pass in quick on net16 inet from 10.1.1.0/24 to any no state

Rules @4 and @5 are marked as "rule was already present". Why?

3) Show the result
pfctl -s rules

block drop in on net16 all
pass out on net16 all flags S/SA keep state
pass in quick on net16 inet from 10.41.2.130 to any no state
pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
pass in quick on net16 inet from 192.168.78.254 to any no state
pass in quick on net16 inet from 10.41.2.128/26 to any no state
pass in quick on net16 inet from 10.1.0.0/16 to any no state
pass in quick on net16 inet from 10.1.1.0/24 to any no state

-- 
You are receiving this mail because:
You are the assignee for the bug.
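An added consistency check, not part of the bug report and not pf's own tooling: given the verbose output of the load command from step 2 saved to one file and the output of `pfctl -s rules` from step 3 saved to another, the script below lists every numbered rule pfctl parsed that the kernel does not hold, and separately every rule pfctl annotated as "rule was already present". The two listings embedded here are constructed from the transcript above (with the wrapped annotation lines rejoined); the file names and the temporary directory are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the bug report: detect rules that pfctl parsed but
# that did not end up in the kernel ruleset. Inputs are plain text files:
#   $1  stdout of "pfctl -vvv -F all -f pf.conf" (rules printed as "@N ...")
#   $2  stdout of "pfctl -s rules"                (rules actually loaded)

# Print each numbered rule from the parsed listing ($1) that is absent from
# the loaded listing ($2). The "@N " prefix and any trailing
# "-- rule was already present" annotation are stripped before comparing,
# so the comparison is on the bare rule text, whole line, exact match.
missing_rules() {
    awk -v loadedfile="$2" '
        FILENAME == loadedfile { if ($0 != "") loaded[$0] = 1; next }
        # parsed listing: only the "@N" lines are rules (table/set lines are not)
        /^@[0-9]+ / {
            sub(/^@[0-9]+ /, "")
            sub(/ *-- rule was already present$/, "")
            if (!($0 in loaded)) print
        }
    ' "$2" "$1"
}

# Print the bare text of every rule pfctl annotated as already present.
flagged_as_present() {
    awk '/-- rule was already present$/ {
            sub(/^@[0-9]+ /, "")
            sub(/ *-- rule was already present$/, "")
            print
        }' "$1"
}

# Constructed sample input, transcribed from the report above.
tmp=$(mktemp -d)
cat > "$tmp/load.log" <<'EOF'
table <fnp4_acl> persist { 10.41.2.130 }
set skip on { lo0 }
set block-policy drop
set loginterface pflog0
@0 block drop in on net16 all
@1 pass out on net16 all flags S/SA keep state
@2 pass in quick on net16 inet from 10.41.2.130 to any no state
@3 pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
@4 pass in quick on net16 inet from 10.1.0.128 - 10.1.0.145 to any no state -- rule was already present
@5 pass in quick on net16 inet from 10.42.1.128 - 10.42.1.145 to any no state -- rule was already present
@6 pass in quick on net16 inet from 192.168.78.254 to any no state
@7 pass in quick on net16 inet from 10.41.2.128/26 to any no state
@8 pass in quick on net16 inet from 10.1.0.0/16 to any no state
@9 pass in quick on net16 inet from 10.1.1.0/24 to any no state
EOF
cat > "$tmp/loaded.txt" <<'EOF'
block drop in on net16 all
pass out on net16 all flags S/SA keep state
pass in quick on net16 inet from 10.41.2.130 to any no state
pass in quick on net16 inet from 10.41.2.128 - 10.41.2.191 to any no state
pass in quick on net16 inet from 192.168.78.254 to any no state
pass in quick on net16 inet from 10.41.2.128/26 to any no state
pass in quick on net16 inet from 10.1.0.0/16 to any no state
pass in quick on net16 inet from 10.1.1.0/24 to any no state
EOF

echo "Rules parsed by pfctl but absent from the kernel ruleset:"
missing_rules "$tmp/load.log" "$tmp/loaded.txt"
echo "Rules pfctl annotated as already present:"
flagged_as_present "$tmp/load.log"
```

On the sample above both functions report the two address-range rules (@4 and @5). Run with the real files after a load to confirm whether the rules pfctl flags are exactly the ones that are missing from `pfctl -s rules`; if the loaded listing is empty (for instance pf not yet enabled), every parsed rule is reported as missing, which is the intended failure mode rather than a silent pass.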