Hello, looks like it works as expected on OpenBSD current:

    lumpy# pfctl -sr
    pass quick on lo0 inet6 from ::1 to ::1 flags S/SA label "ruleNo: 0"
    pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA label "ruleNo: 1"
    block drop quick all label "ruleNo: 2"
    lumpy# pfctl -sr -vvv
    @0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA label "ruleNo: 0"
      [ Evaluations: 1451 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 51504 State Creations: 0 ]
    @1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA label "ruleNo: 1"
      [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
      [ Inserted: uid 0 pid 51504 State Creations: 0 ]
    @2 block drop quick all label "ruleNo: 2"
      [ Evaluations: 1451 Packets: 1451 Bytes: 118304 States: 0 ]
      [ Inserted: uid 0 pid 51504 State Creations: 0 ]

anyway, thank you for reaching bugs@openbsd.org

regards
sashan

On Fri, Oct 15, 2021 at 03:16:08PM +0200, Kristof Provost wrote:
> Hi,
>
> I’ve had a bug report against FreeBSD’s pfctl which I think also applies to
> OpenBSD.
>
> The gist of it is that the macro expansion in labels/tags is done prior to
> the rule optimisation, which means that at least the $nr expansion can be
> wrong.
>
> I’ve proposed this fix in FreeBSD: https://reviews.freebsd.org/D32488
> It essentially just moves the label expansion so it’s done after the
> optimisation step.
>
> Here’s my test case: https://reviews.freebsd.org/D32489
>
> Best regards,
> Kristof
>
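
A check for the symptom discussed in this thread, added here as an example and not part of either message or of pfctl: it parses pfctl -sr -vvv output and reports every rule whose expanded label number differs from its @N rule number. It assumes the labels were written in pf.conf as "ruleNo: $nr"; SAMPLE is the verbose output quoted in the reply above.

```python
import re
import sys

# Rule header in `pfctl -sr -vvv` output: "@<number> <rule text>"
RULE_RE = re.compile(r'^@(\d+)\s+(.*)$')
# Expanded form of a label assumed to be written as "ruleNo: $nr" in pf.conf
LABEL_RE = re.compile(r'label "ruleNo: (\d+)"')

# Verbose output copied from the reply above.
SAMPLE = '''\
@0 pass quick on lo0 inet6 from ::1 to ::1 flags S/SA label "ruleNo: 0"
  [ Evaluations: 1451 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 51504 State Creations: 0 ]
@1 pass quick on lo0 inet from 127.0.0.0/8 to 127.0.0.0/8 flags S/SA label "ruleNo: 1"
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 51504 State Creations: 0 ]
@2 block drop quick all label "ruleNo: 2"
  [ Evaluations: 1451 Packets: 1451 Bytes: 118304 States: 0 ]
  [ Inserted: uid 0 pid 51504 State Creations: 0 ]
'''


def label_mismatches(verbose_output):
    """Return (rule_number, label_number, rule_text) for every rule whose
    expanded label number differs from its position in the loaded ruleset."""
    mismatches = []
    for line in verbose_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # counter lines such as "[ Evaluations: ... ]"
        rule_nr, text = int(m.group(1)), m.group(2)
        label = LABEL_RE.search(text)
        if label and int(label.group(1)) != rule_nr:
            mismatches.append((rule_nr, int(label.group(1)), text))
    return mismatches


if __name__ == "__main__":
    # Pipe real output in (pfctl -sr -vvv | python3 this_file.py),
    # or run without a pipe to check the embedded sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    bad = label_mismatches(data)
    for rule_nr, label_nr, text in bad:
        print(f"rule @{rule_nr} carries label number {label_nr}: {text}")
    sys.exit(1 if bad else 0)
```

A non-empty result means a label was expanded against a rule number that no longer matches the loaded ruleset, so per-label counters and log lines would be attributed to the wrong rule.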