git: 5c11c5a36558 - main - pfctl: Move to DIOCADDRULENV
Florian Smeets
flo at smeets.xyz
Sat Apr 24 12:12:59 UTC 2021
On 10.04.21 11:16, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a
>
> commit 5c11c5a3655842a176124ef2334fcdf830422c8a
> Author: Kristof Provost <kp at FreeBSD.org>
> AuthorDate: 2021-03-12 17:03:14 +0000
> Commit: Kristof Provost <kp at FreeBSD.org>
> CommitDate: 2021-04-10 09:16:01 +0000
>
> pfctl: Move to DIOCADDRULENV
>
> Start using the new nvlist based ioctl to add rules.
>
> MFC after: 4 weeks
> Sponsored by: Rubicon Communications, LLC ("Netgate")
> Differential Revision: https://reviews.freebsd.org/D29558
Hi Kristof,
this commit breaks my previously working rule set. Using a pfctl from
before this commit works with a kernel from yesterday's sources.
This is the smallest rule set I could come up with. It doesn't matter
whether I use macros in the list or not. The int_if stuff is only there
to not lock myself out of the system.
It looks like lists with more than 5 IPv6 host or 6 v4 hosts don't work.
int_if="em0"
set skip on $int_if
# not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
# each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh
# working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh
Another interesting point is that the following rules work with -o none, but
not with -o basic, which I guess points to list or maybe table handling?
pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh
I think you should be able to reproduce this easily, if you need
anything else, please let me know.
Thanks,
Florian
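The two observations above (a size threshold on the host list, and "-o none" loading what "-o basic" rejects) are consistent with a known pfctl behaviour: the "basic" optimizer folds a run of otherwise identical rules into an automatically generated table once the run is long enough, so the rules reaching DIOCADDRULENV at the two optimizer levels differ. The script below is an added example, not part of Florian's report or of the FreeBSD sources. It generates single-rule rule sets of growing list size and bisects the smallest size at which "pfctl -o basic" fails while "-o none" succeeds. Two points a practitioner needs: "pfctl -n" stops after parsing and never issues the ioctl, so MODE=parse only validates syntax; MODE=anchor really loads the rules, but into a scratch anchor (the name "nvtest" is a hypothetical choice) that nothing in the main rule set references, so the live rule set is not replaced and no "set skip" guard is needed. On a host without pfctl every check reports 77 and the run is skipped.

```shell
#!/bin/sh
# Added example, not part of the original report: bisect the smallest host-list
# size at which "pfctl -o basic" rejects a rule that "-o none" loads.
# Assumptions: a FreeBSD host with pfctl in PATH; a scratch anchor name
# (ANCHOR, hypothetical) that no rule in the main rule set references, so that
# loading into it cannot affect live filtering.
MODE="${MODE:-parse}"        # parse: pfctl -n only; anchor: really load into $ANCHOR
ANCHOR="${ANCHOR:-nvtest}"   # hypothetical scratch anchor name

# Build a comma-separated list of N hosts for address family 4 or 6
# (fd01::N and 192.168.0.N, constructed sample addresses as in the report).
host_list() {
    count=$1; fam=$2; i=1; out=""
    while [ "$i" -le "$count" ]; do
        if [ "$fam" = 6 ]; then addr="fd01::$i"; else addr="192.168.0.$i"; fi
        out="${out}${out:+, }${addr}"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Emit a one-rule pf.conf fragment whose destination is a list of N hosts.
# No "set skip" is needed: a detached anchor is never evaluated.
gen_ruleset() {
    printf 'pass in proto tcp to { %s } port ssh\n' "$(host_list "$1" "$2")"
}

# Run pfctl on the generated rule set with optimizer level OPT (none|basic).
# "pfctl -n" only parses and never issues DIOCADDRULENV, so only MODE=anchor
# exercises the ioctl. Returns pfctl's exit status, or 77 without pfctl.
check_ruleset() {
    command -v pfctl >/dev/null 2>&1 || return 77
    if [ "$MODE" = anchor ]; then
        gen_ruleset "$1" "$2" | pfctl -a "$ANCHOR" -o "$3" -f - >/dev/null 2>&1
    else
        gen_ruleset "$1" "$2" | pfctl -o "$3" -nf - >/dev/null 2>&1
    fi
}

# Print the smallest list size in 1..MAX that fails with -o basic but loads
# with -o none; 0 if no size up to MAX fails; 77 if pfctl is unavailable.
first_failing_size() {
    fam=$1; max=$2; size=1
    while [ "$size" -le "$max" ]; do
        if check_ruleset "$size" "$fam" basic; then rc=0; else rc=$?; fi
        [ "$rc" -eq 77 ] && { echo 77; return 0; }
        if [ "$rc" -ne 0 ]; then
            if check_ruleset "$size" "$fam" none; then
                echo "$size"; return 0
            fi
        fi
        size=$((size + 1))
    done
    echo 0
}

main() {
    for fam in 4 6; do
        r=$(first_failing_size "$fam" 10)
        case "$r" in
            77) echo "pfctl not found; nothing to test"; return 0 ;;
            0)  echo "IPv$fam: lists of up to 10 hosts load with -o basic" ;;
            *)  echo "IPv$fam: -o basic fails at $r hosts while -o none loads them" ;;
        esac
    done
    # Drop the scratch anchor's rules again when they were really loaded.
    [ "$MODE" = anchor ] && pfctl -a "$ANCHOR" -F rules >/dev/null 2>&1
    return 0
}

main
```

Run it as root with MODE=anchor on a kernel and pfctl from the same sources to reproduce the load failure; with MODE=parse a clean result only says the parser accepts the list, not that the kernel does.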