Kristof Provost
2021-Apr-16 15:58 UTC
using interface groups in pf tables stopped working in 13.0-RELEASE
On 14 Apr 2021, at 16:16, Peter Ankerstål wrote:
> In pf I use the interface group syntax a lot to make the configuration
> more readable. All interfaces are assigned to a group representing its
> use/vlan name.
>
> For example:
>
> ifconfig_igb1_102="172.22.0.1/24 group iot description 'iot vlan' up"
> ifconfig_igb1_102_ipv6="inet6 2001:470:de59:22::1/64"
>
> ifconfig_igb1_300="172.26.0.1/24 group mgmt description 'mgmt vlan'
> up"
> ifconfig_igb1_300_ipv6="inet6 2001:470:de59:26::1/64"
>
> in pf.conf I use these group names all over the place. But since I
> upgraded to 13.0-RELEASE it no longer works to define a table using
> the :network syntax and interface groups:
>
> table <nat_addresses> const { trusted:network mgmt:network
> dmz:network guest:network edmz:network \
> admin:network iot:network client:network }
>
> If I reload the configuration I get the following:
> # pfctl -f /etc/pf.conf
> /etc/pf.conf:12: cannot create address buffer: Invalid argument
> pfctl: Syntax error in config file: pf rules not loaded
>
I can reproduce that.

It looks like there's some confusion inside pfctl about the network group. It ends up in pfctl_parser.c, append_addr_host(), and expects an AF_INET or AF_INET6, but instead gets an AF_LINK.

It's probably related to 250994 or possibly d2568b024da283bd2b88a633eecfc9abf240b3d8.
Either way it's pretty deep in a part of the pfctl code I don't much like. I'll try to poke at it some more over the weekend.

Best regards,
Kristof
Kristof Provost
2021-Apr-27 09:07 UTC
using interface groups in pf tables stopped working in 13.0-RELEASE
On 16 Apr 2021, at 17:58, Kristof Provost wrote:
> On 14 Apr 2021, at 16:16, Peter Ankerstål wrote:
>> In pf I use the interface group syntax a lot to make the configuration
>> more readable. All interfaces are assigned to a group representing
>> its use/vlan name.
>>
>> For example:
>>
>> ifconfig_igb1_102="172.22.0.1/24 group iot description 'iot vlan' up"
>> ifconfig_igb1_102_ipv6="inet6 2001:470:de59:22::1/64"
>>
>> ifconfig_igb1_300="172.26.0.1/24 group mgmt description 'mgmt vlan'
>> up"
>> ifconfig_igb1_300_ipv6="inet6 2001:470:de59:26::1/64"
>>
>> in pf.conf I use these group names all over the place. But since I
>> upgraded to 13.0-RELEASE it no longer works to define a table using
>> the :network syntax and interface groups:
>>
>> table <nat_addresses> const { trusted:network mgmt:network
>> dmz:network guest:network edmz:network \
>> admin:network iot:network client:network }
>>
>> If I reload the configuration I get the following:
>> # pfctl -f /etc/pf.conf
>> /etc/pf.conf:12: cannot create address buffer: Invalid argument
>> pfctl: Syntax error in config file: pf rules not loaded
>>
> I can reproduce that.
>
> It looks like there's some confusion inside pfctl about the network
> group. It ends up in pfctl_parser.c, append_addr_host(), and expects
> an AF_INET or AF_INET6, but instead gets an AF_LINK.
>
> It's probably related to 250994 or possibly
> d2568b024da283bd2b88a633eecfc9abf240b3d8.
> Either way it's pretty deep in a part of the pfctl code I don't
> much like. I'll try to poke at it some more over the weekend.
>
It should be fixed as of d5b08e13dd6beb3436e181ff1f3e034cc8186584 in main. I'll MFC that in about a week, and then it'll turn up in 13.1 in the fullness of time.

Best regards,
Kristof
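The `name:network` expansion the thread is about, as an added example that is not pfctl's code: a constructed interface table mirrors the rc.conf lines above, including the link-layer records that getifaddrs() returns alongside the IP addresses, and the expansion skips them instead of handing an AF_LINK record to the address-buffer step as the broken pfctl did.

```python
import ipaddress

# Constructed stand-in for getifaddrs() output on the box from the thread:
# each interface carries its group names and (family, address, mask) records.
# "link" records stand in for AF_LINK (MAC) entries, which carry no network.
IFACES = {
    "igb1.102": {"groups": {"iot", "vlan"},
                 "addrs": [("link", "00:11:22:33:44:55", None),
                           ("inet", "172.22.0.1", "255.255.255.0"),
                           ("inet6", "2001:470:de59:22::1", 64)]},
    "igb1.300": {"groups": {"mgmt", "vlan"},
                 "addrs": [("link", "00:11:22:33:44:66", None),
                           ("inet", "172.26.0.1", "255.255.255.0"),
                           ("inet6", "2001:470:de59:26::1", 64)]},
}


def expand_network(name, ifaces=IFACES):
    """Expand 'name:network': 'name' is an interface or an interface group.
    Returns the attached networks as CIDR strings, in interface order."""
    members = [n for n, i in ifaces.items() if n == name or name in i["groups"]]
    if not members:
        raise ValueError(f"{name}: no such interface or group")
    nets = []
    for ifname in members:
        for family, addr, mask in ifaces[ifname]["addrs"]:
            if family not in ("inet", "inet6"):
                continue  # AF_LINK and friends: nothing to turn into a network
            net = str(ipaddress.ip_network((addr, mask), strict=False))
            if net not in nets:
                nets.append(net)
    return nets


def expand_table(spec, ifaces=IFACES):
    """Expand every 'name:network' token of a table body; other tokens pass through."""
    out = []
    for tok in spec.split():
        if tok.endswith(":network"):
            out.extend(expand_network(tok[: -len(":network")], ifaces))
        else:
            out.append(tok)
    return out
```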