The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=116eabaa0b5df490be19715fc032affbcda3f016
commit 116eabaa0b5df490be19715fc032affbcda3f016 Author: Kristof Provost <k...@freebsd.org> AuthorDate: 2025-07-07 09:40:49 +0000 Commit: Kristof Provost <k...@freebsd.org> CommitDate: 2025-07-12 09:57:52 +0000 pf: when calculating the ruleset's checksum, skip automatic table names. the checksum is exclusively used for pfsync to verify rulesets are identical on all nodes. the automatic table names are random and have a near zero chance to match. found at a customer in zurich ok sashan kn Obtained from: OpenBSD, henning <henn...@openbsd.org>, 7f1a6fd2a8 Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/pf_ioctl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index c96741023db9..c14211edf10f 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1274,7 +1274,9 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr) PF_MD5_UPD(pfr, addr.iflags); break; case PF_ADDR_TABLE: - PF_MD5_UPD(pfr, addr.v.tblname); + if (strncmp(pfr->addr.v.tblname, PF_OPTIMIZER_TABLE_PFX, + strlen(PF_OPTIMIZER_TABLE_PFX))) + PF_MD5_UPD(pfr, addr.v.tblname); break; case PF_ADDR_ADDRMASK: /* XXX ignore af? */
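Review bot: In the PF_ADDR_TABLE case of pf_hash_rule_addr(), the strncmp() result is tested implicitly and nothing in the code says why some table names are skipped. Write the test as `strncmp(...) != 0` and add a one-line comment that optimizer-generated table names are random per node and are left out so the checksum pfsync compares can match. The test is also a prefix match on the name only, so any table whose name begins with PF_OPTIMIZER_TABLE_PFX is excluded, and for those addresses this case adds nothing to the digest. Two rulesets that differ only in which such table a rule references will therefore hash the same. If that is intended, the comment should say so.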