** moving from misc@ to tech@, reply-to is set to tech@ **

Harald Dunkel <harald.dun...@aixigo.de> wrote:
> If I add "antispoof quick for self" to my pf.conf to enable
> antispoofing on all interfaces, then I get these additional
> rules:
>
> block drop in quick on ! self inet from <__automatic_3df3184e_0> to any
> block drop in quick on ! self inet6 from ::1 to any
> block drop in quick inet6 from ::1 to any
> block drop in quick on lo0 inet6 from fe80::1 to any
> block drop in quick on em0 inet6 from fe80::260:e0ff:fe4b:d2ec to any
> block drop in quick on em1 inet6 from fe80::260:e0ff:fe4b:d2ed to any
> block drop in quick on em5 inet6 from fe80::260:e0ff:fe4b:d2f1 to any
> block drop in quick on em6 inet6 from fe80::260:e0ff:fe4b:d2f2 to any
> block drop in quick on carp0 inet6 from fe80::200:5eff:fe00:10a to any
> block drop in quick on carp1 inet6 from fe80::200:5eff:fe00:107 to any
> block drop in quick on carp5 inet6 from fe80::200:5eff:fe00:111 to any
> block drop in quick inet from <__automatic_3df3184e_1> to any
>
> The automatic tables contain the local networks and the local
> IP addresses, including carp interfaces.
>
> I am not sure about the "on ! self". Ain't this a contradiction
> in terms?
>
> Sorry for asking, but "self" is just very briefly described on
> pf.conf(5). Any helpful comment would be highly appreciated.

Using "self" to represent all addresses on the system is only
valid in a context where an IP address would be used (refer to
the BNF at the bottom of pf.conf(5) which is probably the best
guide to the file format; "self" is used in hosts and tableaddr).

The antispoof keyword accepts the name of an interface or an
interface group, so in this case it is being interpreted as
an interface group. However (unless you have created it)
there is no actual group named "self".

And actually, even if a group of that name exists, antispoof doesn't
behave correctly unless the group only contains a single interface.
I think it would have to expand groups at config-load time to the set
of interfaces in that group e.g. treat 'antispoof for somegroup' as
if you wrote 'antispoof for em0', 'antispoof for em1', etc. for each
member of the group.

As a discussion point this diff (not intended to commit as-is)
prevents groups/"self" from being used in antispoof, but it's a bit
unpleasant for anyone who uses "antispoof for egress" with a single
interface in the egress group, which is treated sanely without this
diff.

Index: parse.y
===================================================================
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.597
diff -u -p -r1.597 parse.y
--- parse.y     31 Dec 2010 12:15:31 -0000      1.597
+++ parse.y     4 Feb 2011 11:59:09 -0000
@@ -1083,7 +1083,7 @@ antispoof : ANTISPOOF logquick antispoof
                                        h->addr.iflags = PFI_AFLAG_NETWORK;
                                } else {
                                        h = ifa_lookup(j->ifname,
-                                           PFI_AFLAG_NETWORK);
+                                           PFI_AFLAG_NETWORK, 0);
                                        hh = NULL;
                                }
 
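Review bot: the bare `0` passed as the new third argument to `ifa_lookup(j->ifname, PFI_AFLAG_NETWORK, 0)` carries the whole intent of this change (no group or "self" expansion for per-interface antispoof) but nothing at the call site says so; a one-line comment above the call, or a named constant in place of the literal, would keep the next reader from "fixing" it back to match the other callers that pass `1`.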
@@ -1107,7 +1107,7 @@ antispoof : ANTISPOOF logquick antispoof
                                        if (hh != NULL)
                                                h = hh;
                                        else
-                                               h = ifa_lookup(i->ifname, 0);
+                                               h = ifa_lookup(i->ifname, 0, 0);
                                        if (h != NULL)
                                                expand_rule(&r, 0, NULL, NULL,
                                                    NULL, NULL, NULL, NULL, h,
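Review bot: with `ifa_lookup(i->ifname, 0, 0)` now returning NULL for a group name, the `if (h != NULL) expand_rule(...)` guard that follows means an `antispoof for egress` line is dropped without any diagnostic, as far as this hunk shows; since the mail itself says this is unpleasant for existing egress users, the NULL path should at least `yyerror()` naming the interface so the ruleset load fails loudly rather than silently producing no rules.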
Index: pfctl_parser.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v
retrieving revision 1.273
diff -u -p -r1.273 pfctl_parser.c
--- pfctl_parser.c      23 Jan 2011 11:19:55 -0000      1.273
+++ pfctl_parser.c      4 Feb 2011 11:59:09 -0000
@@ -1318,7 +1318,7 @@ ifa_grouplookup(const char *ifa_name, in
        for (ifg = ifgr.ifgr_groups; ifg && len >= sizeof(struct ifg_req);
            ifg++) {
                len -= sizeof(struct ifg_req);
-               if ((n = ifa_lookup(ifg->ifgrq_member, flags)) == NULL)
+               if ((n = ifa_lookup(ifg->ifgrq_member, flags, 1)) == NULL)
                        continue;
                if (h == NULL)
                        h = n;
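Review bot: in `ifa_grouplookup()` the member lookup `ifa_lookup(ifg->ifgrq_member, flags, 1)` re-enables group handling for each member, so every member name is first tried as a group again (and a member literally named "self" would be expanded to all addresses); group members are interfaces, so `0` looks like the tighter and cheaper choice here, and the existing `continue` on NULL would then be the only behaviour on a bad member, which is worth a comment.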
@@ -1334,16 +1334,16 @@ ifa_grouplookup(const char *ifa_name, in
 }
 
 struct node_host *
-ifa_lookup(const char *ifa_name, int flags)
+ifa_lookup(const char *ifa_name, int flags, int allow_group)
 {
        struct node_host        *p = NULL, *h = NULL, *n = NULL;
        int                      got4 = 0, got6 = 0;
        const char               *last_if = NULL;
 
-       if ((h = ifa_grouplookup(ifa_name, flags)) != NULL)
+       if (allow_group && (h = ifa_grouplookup(ifa_name, flags)) != NULL)
                return (h);
 
-       if (!strncmp(ifa_name, "self", IFNAMSIZ))
+       if (allow_group && !strncmp(ifa_name, "self", IFNAMSIZ))
                ifa_name = NULL;
 
        if (iftab == NULL)
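Review bot: `allow_group` gates two different things, the `ifa_grouplookup()` call and the `"self"` special case on the line below it, and "self" is not a group; either rename the parameter (e.g. something like `allow_special`) or add a comment on the function header saying that with `0` the name must be a real interface. Note also that when `allow_group` is 0 and `ifa_name` is "self" the code falls through to a normal lookup of an interface named "self", which just yields NULL with no error at this layer, so the caller is responsible for reporting it.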
@@ -1536,7 +1536,7 @@ host_if(const char *s, int mask)
        }
        if (ifa_exists(ps) || !strncmp(ps, "self", IFNAMSIZ)) {
                /* interface with this name exists */
-               h = ifa_lookup(ps, flags);
+               h = ifa_lookup(ps, flags, 1);
                for (n = h; n != NULL && mask > -1; n = n->next)
                        set_ipmask(n, mask);
        }
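Review bot: the comment `/* interface with this name exists */` above `h = ifa_lookup(ps, flags, 1)` is now inaccurate on two counts in this hunk: the condition also accepts the literal "self", and passing `1` means `ps` may be an interface group rather than an interface; update the comment to say interface, interface group or "self".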
Index: pfctl_parser.h
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl_parser.h,v
retrieving revision 1.94
diff -u -p -r1.94 pfctl_parser.h
--- pfctl_parser.h      25 Jun 2010 23:27:47 -0000      1.94
+++ pfctl_parser.h      4 Feb 2011 11:59:09 -0000
@@ -270,7 +270,7 @@ int                  check_netmask(struct node_host *,
 int                     unmask(struct pf_addr *, sa_family_t);
 void                    ifa_load(void);
 struct node_host       *ifa_exists(const char *);
-struct node_host       *ifa_lookup(const char *, int);
+struct node_host       *ifa_lookup(const char *, int, int);
 struct node_host       *host(const char *);
 
 int                     append_addr(struct pfr_buffer *, char *, int);
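Review bot: the prototype `ifa_lookup(const char *, int, int)` puts two unnamed ints side by side, so `flags` and `allow_group` are easy to transpose at a call site without any compiler complaint; naming the parameters in the prototype (`int flags, int allow_group`) costs nothing and documents the new argument for everyone who only reads the header.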

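As an added illustration, not part of either message in this thread, here is a pf.conf fragment contrasting the line from the question with the explicit per-interface form the reply describes; the interface names are the ones quoted above and are assumed to match the local system.

```pf
# Added example, not from the thread. Interface names are assumed from the
# quoted pfctl output; adjust to the local machine.

# As written in the question. "self" is only meaningful where an address is
# expected, so here it is taken as an interface-group name that does not
# exist, and (as the quoted output shows) the generated rules end up
# "on ! self", i.e. on a group with no members.
# antispoof quick for self

# Explicit interface list: each member is expanded into its own antispoof
# rules, the same as writing 'antispoof quick for em0', 'antispoof quick
# for em1', and so on, which is what the reply says a group should become.
antispoof quick for { lo0, em0, em1, em5, em6, carp0, carp1, carp5 }

# "self" used where the BNF allows it (hosts / tableaddr): drop inbound
# packets on non-loopback interfaces that claim one of the firewall's own
# addresses as their source.
block in quick on ! lo0 from self to any
```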