On 25 Oct 2021, at 17:06, Alexandr Nedvedicky wrote:
> Hello,
>
> On Fri, Oct 22, 2021 at 02:47:07PM +0200, Kristof Provost wrote:
>> On 21 Oct 2021, at 20:33, Alexandr Nedvedicky wrote:
>>> Hello,
>>>
>>>> I’ve had a bug report against FreeBSD’s pfctl which I think also applies
>>>> to OpenBSD.
>>>>
>>>> The gist of it is that the macro expansion in labels/tags is done prior to
>>>> the rule optimisation, which means that at least the $nr expansion can be
>>>> wrong.
>>>
>>> I agree OpenBSD suffers from the same issue. Below is a diff for OpenBSD.
>>> The FreeBSD diff, which we got from Kristof, merged with rejects. While
>>> dealing with them, I came up with a slightly different version of the fix,
>>> which minimizes the diff.
>>>
>> I’d initially gone that route as well, but decided I wanted all of the macro
>> expansions to be done at the same time. In part to keep things simple, but
>> also because I wasn’t 100% sure the rule number one would be the only one
>> with issues. For example, if the optimiser decides to merge rules because it
>> can merge address ranges, $srcaddr or $dstaddr might end up being wrong.
>
> Klemens (kn@...) and I poked into it for a bit and it looks like the optimizer
> won't attempt to merge rules which have a label.
>
That is correct, but macros can also occur in tagname and match_tagname, which will not stop the optimiser from merging rules.

Best regards,
Kristof