Re: pf label $nr macro expand reproducable bug
Date: Wed, 22 Sep 2021 09:47:50 UTC
Hi Kristof,

I tried many things and I found the real problem to reproduce the bug.
Tested with the latest stable/12. And also tested with the Live CD without
installing
(https://download.freebsd.org/ftp/snapshots/ISO-IMAGES/12.2/FreeBSD-12.2-STABLE-amd64-20210916-r370608-disc1.iso).
The result is the same.

My determination is that the problem is in the rule optimizer of pf. You can
see the difference with / without ruleset optimization. Without ruleset
optimization, the $nr macro expansion is true; otherwise false.

If the interface used in the rule has multiple IP addresses, so that the rule
optimizer removes lines, then the rule number expansion fails.

i.e.:

# cat pf.conf
pass quick on lo from lo:network to lo:network
pass quick all label "ruleNo:$nr"

# ifconfig lo0 inet 127.0.0.2/32 alias
# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff
        groups: lo
        extra nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

# pfctl -f pf.conf
# pfctl -sr -vvv
@0 pass quick on lo inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3694 State Creations: 0 ]
@1 pass quick on lo inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3694 State Creations: 0 ]
@2 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 3694 State Creations: 0 ]

# pfctl -o none -f /antikor/etc/pf/x.conf
# pfctl -sr -vvv
@0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 5959 State Creations: 0 ]
@1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 5959 State Creations: 0 ]
@2 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 5959 State Creations: 0 ]
@3 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.0/8 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 5959 State Creations: 0 ]
@4 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.2 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 5959 State Creations: 0 ]
@5 pass quick all flags S/SA keep state label "ruleNo:5"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 5959 State Creations: 0 ]

Thank you

On Sat, Sep 18, 2021 at 11:10 AM Kristof Provost <kp@freebsd.org> wrote:
>
> On 15 Sep 2021, at 9:43, Özkan KIRIK wrote:
> > I'm using FreeBSD stable/12.
> > I've tested this situation on stable/12 both 0f97f2a1857a (Jul 26
> > 2021) and ebb3327d09ce (Sep 14) build.
> >
> > The label $nr macro works as expected for most rules. But with the
> > example below the $nr macro was expanded incorrectly. Outputs are below.
> >
> > If you need, I can open a PR.
> >
> > # ifconfig -g lo
> > lo0
> >
> > Experiment #1: The right output should be "ruleNo:2", but the system
> > expands it as "ruleNo:257".
> >
> I can’t reproduce this, either on main or on stable/12.
>
> Br,
> Kristof
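
Added example, not part of the original message or of pf itself: a small Python check that parses `pfctl -sr -vvv` output and reports every rule whose `ruleNo:` label disagrees with the `@N` number pf assigned after loading. The function name is hypothetical, and the two sample listings are the ones from the message above with most counter lines trimmed.

```python
import re

# Rule header line of `pfctl -sr -vvv`, e.g.: @2 pass quick all ... label "ruleNo:5"
RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
# Label written in pf.conf as: label "ruleNo:$nr" (prefix taken from the message)
LABEL_RE = re.compile(r'label "ruleNo:(\d+)"')


def label_mismatches(listing):
    """Return (rule_number, label_number, rule_text) for each rule whose
    expanded $nr label differs from the rule number in the loaded ruleset."""
    found = []
    for line in listing.splitlines():
        header = RULE_RE.match(line.strip())
        if header is None:
            continue  # counter lines such as "[ Evaluations: ... ]"
        rule_nr, rule_text = int(header.group(1)), header.group(2)
        label = LABEL_RE.search(rule_text)
        if label and int(label.group(1)) != rule_nr:
            found.append((rule_nr, int(label.group(1)), rule_text))
    return found


# Listing after `pfctl -f pf.conf` (optimizer on), trimmed from the message.
OPTIMIZED = """\
@0 pass quick on lo inet6 from ::1 to ::1 flags S/SA keep state
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
@1 pass quick on lo inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
@2 pass quick all flags S/SA keep state label "ruleNo:5"
"""

# Listing after `pfctl -o none -f ...` (optimizer off), trimmed from the message.
UNOPTIMIZED = """\
@0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA keep state
@1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA keep state
@2 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.2 flags S/SA keep state
@3 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.0/8 flags S/SA keep state
@4 pass quick on lo0 inet from 127.0.0.2 to 127.0.0.2 flags S/SA keep state
@5 pass quick all flags S/SA keep state label "ruleNo:5"
"""

if __name__ == "__main__":
    for name, listing in (("optimized", OPTIMIZED), ("unoptimized", UNOPTIMIZED)):
        for rule_nr, label_nr, text in label_mismatches(listing):
            print(f"{name}: rule @{rule_nr} carries label ruleNo:{label_nr}: {text}")
```

On a live system the same function can be fed the captured output of `pfctl -sr -vvv`; any reported rule means label-based accounting or log correlation would point at the wrong rule number.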