using interface groups in pf tables stopped working in 13.0-RELEASE

Kristof Provost kp at FreeBSD.org
Fri Apr 16 15:58:33 UTC 2021


On 14 Apr 2021, at 16:16, Peter Ankerstål wrote:
> In pf I use the interface group syntax a lot to make the configuration 
> more readable. All interfaces are assigned to a group representing their 
> use/vlan name.
>
> For example:
>
> ifconfig_igb1_102="172.22.0.1/24 group iot description 'iot vlan' up"
> ifconfig_igb1_102_ipv6="inet6 2001:470:de59:22::1/64"
>
> ifconfig_igb1_300="172.26.0.1/24 group mgmt description 'mgmt vlan' up"
> ifconfig_igb1_300_ipv6="inet6 2001:470:de59:26::1/64"
>
> in pf.conf I use these group names all over the place. But since I 
> upgraded to 13.0-RELEASE it no longer works to define a table using 
> the :network syntax and interface groups:
>
> table   <nat_addresses> const { trusted:network mgmt:network 
> dmz:network guest:network edmz:network \
>         admin:network iot:network client:network }
>
> If I reload the configuration I get the following:
> # pfctl -f /etc/pf.conf
> /etc/pf.conf:12: cannot create address buffer: Invalid argument
> pfctl: Syntax error in config file: pf rules not loaded
>
I can reproduce that.

It looks like there’s some confusion inside pfctl about the network 
group. It ends up in pfctl_parser.c, append_addr_host(), and expects an 
AF_INET or AF_INET6, but instead gets an AF_LINK.

It’s probably related to 250994 or possibly 
d2568b024da283bd2b88a633eecfc9abf240b3d8.
Either way it’s pretty deep in a part of the pfctl code I don’t much 
like. I’ll try to poke at it some more over the weekend.

Best regards,
Kristof
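A workaround for the table line quoted in the original post, added here as an example that is not part of the thread or of pfctl itself: it resolves each `group:network` (or `interface:network`) entry from `ifconfig -a` output into explicit prefixes, so the table loads on 13.0-RELEASE without pfctl having to look up the interface group. The function names and the ifconfig sample (with 2001:db8:: addresses) are constructed, and skipping scoped link-local inet6 addresses is an assumption about what the table should hold.

```python
import ipaddress
import re

# Constructed sample of `ifconfig -a` output (interface names as in the post,
# addresses replaced with documentation prefixes); not captured from a real host.
SAMPLE_IFCONFIG = """\
igb1.102: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
        inet 172.22.0.1 netmask 0xffffff00 broadcast 172.22.0.255
        inet6 fe80::1%igb1.102 prefixlen 64 scopeid 0x3
        inet6 2001:db8:22::1 prefixlen 64
        groups: vlan iot
igb1.300: flags=8843<UP,BROADCAST,RUNNING> metric 0 mtu 1500
        inet 172.26.0.1 netmask 0xffffff00 broadcast 172.26.0.255
        inet6 2001:db8:26::1 prefixlen 64
        groups: vlan mgmt
"""

def parse_ifconfig(text):
    """Map every interface name and group name to the networks attached to it."""
    by_name, nets, names = {}, [], []
    def flush():
        for n in names:
            by_name.setdefault(n, []).extend(nets)
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if not line[0].isspace():            # "igb1.102: flags=..." starts a new interface
            flush()
            nets, names = [], [line.split(":")[0]]
        elif f[0] == "inet":                 # netmask is printed in hex, e.g. 0xffffff00
            mask = ipaddress.IPv4Address(int(f[3], 16))
            nets.append(ipaddress.ip_interface(f"{f[1]}/{mask}").network)
        elif f[0] == "inet6" and "%" not in f[1]:   # assumption: skip scoped link-local
            nets.append(ipaddress.ip_interface(f"{f[1]}/{f[3]}").network)
        elif f[0] == "groups:":              # interface belongs to these groups
            names = names + f[1:]
    flush()
    return by_name

def expand_table(table_line, by_name):
    """Replace each `name:network` token in a pf table line with explicit prefixes."""
    def repl(m):
        name = m.group(1)
        if name not in by_name:              # empty group: fail loudly, not silently
            raise KeyError(f"no interface or group named {name!r}")
        return " ".join(str(n) for n in by_name[name])
    return re.sub(r"([A-Za-z_][\w.]*):network\b", repl, table_line)
```

Run the expanded line through `pfctl -nf` before committing it, since the rewrite only sidesteps the group lookup and does not change what the table is meant to contain.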

