On 10.04.21 11:16, Kristof Provost wrote:
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=5c11c5a3655842a176124ef2334fcdf830422c8a

commit 5c11c5a3655842a176124ef2334fcdf830422c8a
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2021-03-12 17:03:14 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2021-04-10 09:16:01 +0000

     pfctl: Move to DIOCADDRULENV

     Start using the new nvlist based ioctl to add rules.

     MFC after:      4 weeks
     Sponsored by:   Rubicon Communications, LLC ("Netgate")
     Differential Revision:  https://reviews.freebsd.org/D29558

Hi Kristof,

this commit breaks my previously working rule set. Using a pfctl from before this commit works with a kernel from yesterday's sources.

This is the smallest rule set I could come up with. It doesn't matter whether I use macros in the list or not. The int_if stuff is only there to not lock myself out of the system.

It looks like lists with more than 5 IPv6 hosts or 6 IPv4 hosts don't work.

int_if="em0"
set skip on $int_if

# not working with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
# each one of the rules below causes "pfctl: DIOCADDRULENV: Invalid argument" on its own
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5, fd01::6 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6, 192.168.0.7 } port ssh

# working fine with pfctl after 5c11c5a3655842a176124ef2334fcdf830422c8a
pass in proto tcp to { fd01::1, fd01::2, fd01::3, fd01::4, fd01::5 } port ssh
pass in proto tcp to { 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.4, 192.168.0.5, 192.168.0.6 } port ssh

Another interesting point is the following rules work with -o none, but not with -o basic, which I guess points to list or maybe table handling?

pass in proto tcp to 192.168.0.1 port ssh
pass in proto tcp to 192.168.0.2 port ssh
pass in proto tcp to 192.168.0.3 port ssh
pass in proto tcp to 192.168.0.4 port ssh
pass in proto tcp to 192.168.0.5 port ssh
pass in proto tcp to 192.168.0.6 port ssh
pass in proto tcp to 192.168.0.7 port ssh

I think you should be able to reproduce this easily, if you need anything else, please let me know.

Thanks,
Florian
