Hi Richard,

On Tue, Jan 28, 2020 at 04:42:02PM +1300, richard.n.proc...@gmail.com wrote:
| Does the patch below help?

It does! Great, thank you! (tested on my test vm as that has a source
tree checked out)

[weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | pfctl -nvf -
block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53
block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! fe80::fce1:bbff:fed1:c6d9 port = 53

[weerd@test1] $ echo 'block in on vio0 proto { tcp, udp } from vio0:network to ! vio0:0 port domain' | obj/pfctl -nvf -
block drop in on vio0 inet proto tcp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet proto udp from 192.168.34.0/24 to ! 192.168.34.157 port = 53
block drop in on vio0 inet6 proto tcp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53
block drop in on vio0 inet6 proto udp from 2a02:898:28:200::/64 to ! 2a02:898:28:200:4706:3e7a:afb9:5137 port = 53

Looks great and would be perfect to have in I think. One rule to
concisely describe the behaviour I want :)

Thanks again!

Paul

| I think you have found an oversight in the original implementation of
| ':0', which defines a non-alias as the first defined address (of the given
| address family) [0]. The patch makes ':0' skip link-local addresses,
| matching the behaviour of ':network'.
|
| best,
| Richard.
|
| [0] sbin/pfctl/pfctl_parser.c 1.186 ifa_lookup()
|
| Index: sbin/pfctl/pfctl_parser.c
| ===================================================================
| RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
| retrieving revision 1.342
| diff -u -p -u -p -r1.342 pfctl_parser.c
| --- sbin/pfctl/pfctl_parser.c 17 Oct 2019 21:54:28 -0000 1.342
| +++ sbin/pfctl/pfctl_parser.c 28 Jan 2020 03:11:27 -0000
| @@ -1546,6 +1546,8 @@ ifa_lookup(const char *ifa_name, int fla | continue; | if ((flags & PFI_AFLAG_NETWORK) && p->ifindex > 0) | continue; | + if ((flags & PFI_AFLAG_NOALIAS) && p->ifindex > 0) | + continue; | if (last_if == NULL || strcmp(last_if, p->ifname)) | got4 = got6 = 0; | last_if = p->ifname;

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                                 http://www.weirdnet.nl/
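Review bot: the added test repeats the condition of the PFI_AFLAG_NETWORK check directly above it (both skip the entry when p->ifindex > 0), so the two could be folded into one `if ((flags & (PFI_AFLAG_NETWORK | PFI_AFLAG_NOALIAS)) && p->ifindex > 0)` followed by `continue;`, ideally with a comment stating that a non-zero ifindex marks a link-local address, which is not obvious from the field name. Since ':0' so far meant the first defined address of each family (per [0]) and now deliberately skips link-local addresses, the pf.conf(5) description of the ':0' modifier should be updated in the same commit.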
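Added example, not code from this thread and not pfctl's own: a Python model of the selection loop in ifa_lookup() that shows why 'vio0:0' expanded to the link-local address before the patch and to the global address after it, and why 'vio0:network' never did. The names PFI_AFLAG_NETWORK, PFI_AFLAG_NOALIAS, ifindex, got4/got6 and last_if follow the hunk; the flag values, the IfAddr record, the prefix lengths and the sample vio0 address list (built from the addresses in Paul's output, link-local listed first) are constructed assumptions, as is the reading that ifindex > 0 marks a link-local IPv6 address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Flag names follow the hunk; the values are placeholders, not pfctl's.
PFI_AFLAG_NETWORK = 0x01   # ':network' -> expand to the attached network(s)
PFI_AFLAG_NOALIAS = 0x02   # ':0'       -> first address per family, no aliases


@dataclass
class IfAddr:
    """One entry of the interface address list that pfctl walks (constructed)."""
    ifname: str
    addr: str
    prefixlen: int
    # Assumption: pfctl keeps the IPv6 scope id here, so ifindex > 0 only
    # for link-local addresses; global IPv6 and IPv4 addresses carry 0.
    ifindex: int = 0


def ifa_lookup(addrs, ifa_name, flags, patched=True):
    """Model of the loop in ifa_lookup(): return the strings the ':0' or
    ':network' modifier expands to for interface ifa_name.  patched=False
    reproduces the behaviour before the PFI_AFLAG_NOALIAS check existed."""
    got4 = got6 = False
    last_if = None
    out = []
    for p in addrs:
        if p.ifname != ifa_name:
            continue
        af = ip_address(p.addr).version
        # ':network' never reports link-local addresses (the existing check).
        if (flags & PFI_AFLAG_NETWORK) and p.ifindex > 0:
            continue
        # The check the patch adds: ':0' now skips link-local addresses too.
        if patched and (flags & PFI_AFLAG_NOALIAS) and p.ifindex > 0:
            continue
        if last_if is None or last_if != p.ifname:
            got4 = got6 = False
        last_if = p.ifname
        # ':0' keeps only the first address of each address family.
        if flags & PFI_AFLAG_NOALIAS:
            if af == 4 and got4:
                continue
            if af == 6 and got6:
                continue
        if af == 4:
            got4 = True
        else:
            got6 = True
        if flags & PFI_AFLAG_NETWORK:
            out.append(str(ip_network(f"{p.addr}/{p.prefixlen}", strict=False)))
        else:
            out.append(p.addr)
    return out


# Constructed sample list for vio0 from the addresses in the thread; the
# link-local address comes first, which is what the pre-patch output implies.
VIO0 = [
    IfAddr("vio0", "192.168.34.157", 24),
    IfAddr("vio0", "fe80::fce1:bbff:fed1:c6d9", 64, ifindex=1),
    IfAddr("vio0", "2a02:898:28:200:4706:3e7a:afb9:5137", 64),
]


def expand_before_and_after():
    """Expansion of 'vio0:0' before and after the patch, and of 'vio0:network'."""
    return {
        "vio0:0 before": ifa_lookup(VIO0, "vio0", PFI_AFLAG_NOALIAS, patched=False),
        "vio0:0 after": ifa_lookup(VIO0, "vio0", PFI_AFLAG_NOALIAS),
        "vio0:network": ifa_lookup(VIO0, "vio0", PFI_AFLAG_NETWORK),
    }


if __name__ == "__main__":
    for modifier, result in expand_before_and_after().items():
        print(f"{modifier:14s} -> {result}")
```

Running it prints the three expansions: before the patch 'vio0:0' yields the link-local fe80:: address for inet6, after it the global 2a02: address, and 'vio0:network' yields 192.168.34.0/24 and 2a02:898:28:200::/64 in both cases, matching the two pfctl -nvf runs above.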