- pfctl $nr incorrect macro expansion

Issue reported by Kristof Provost from FreeBSD.
[ https://reviews.freebsd.org/D32488 ]

In order to fix the issue we must delay '$nr' macro
expansion after optimizer collapses ruleset.

OK kn@

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 7eb43c3..8a92a7e 100644 (file)
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/*     $OpenBSD: parse.y,v 1.710 2021/10/15 15:01:27 naddy Exp $       */
+/*     $OpenBSD: parse.y,v 1.711 2021/10/25 14:50:29 sashan Exp $      */
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -358,7 +358,6 @@ void                 expand_label_addr(const char *, char *, size_t, u_int8_t,
 void            expand_label_port(const char *, char *, size_t,
                    struct node_port *);
 void            expand_label_proto(const char *, char *, size_t, u_int8_t);
-void            expand_label_nr(const char *, char *, size_t);
 void            expand_label(char *, size_t, const char *, u_int8_t,
                    struct node_host *, struct node_port *, struct node_host *,
                    struct node_port *, u_int8_t);
@@ -4196,14 +4195,20 @@ expand_label_proto(const char *name, char *label, size_t len, u_int8_t proto)
 }
 
 void
-expand_label_nr(const char *name, char *label, size_t len)
+pfctl_expand_label_nr(struct pf_rule *r, unsigned int rno)
 {
        char n[11];
 
-       if (strstr(label, name) != NULL) {
-               snprintf(n, sizeof(n), "%u", pf->anchor->match);
-               expand_label_str(label, len, name, n);
-       }
+       snprintf(n, sizeof(n), "%u", rno);
+
+       if (strstr(r->label, "$nr") != NULL)
+               expand_label_str(r->label, PF_RULE_LABEL_SIZE, "$nr", n);
+
+       if (strstr(r->tagname, "$nr") != NULL)
+               expand_label_str(r->tagname, PF_TAG_NAME_SIZE, "$nr", n);
+
+       if (strstr(r->match_tagname, "$nr") != NULL)
+               expand_label_str(r->match_tagname, PF_TAG_NAME_SIZE, "$nr", n);
 }
 
 void
@@ -4218,7 +4223,7 @@ expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
        expand_label_port("$srcport", label, len, src_port);
        expand_label_port("$dstport", label, len, dst_port);
        expand_label_proto("$proto", label, len, proto);
-       expand_label_nr("$nr", label, len);
+       /* rule number, '$nr', gets expanded after optimizer */
 }
 
 int

diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 3441d47..bcd1478 100644 (file)
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl.c,v 1.383 2020/10/14 19:30:37 naddy Exp $ */
+/*     $OpenBSD: pfctl.c,v 1.384 2021/10/25 14:50:29 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1425,6 +1425,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
        struct pf_rule *r;
        int             error, len = strlen(path);
        int             brace = 0;
+       unsigned int    rno = 0;
 
        pf->anchor = rs->anchor;
 
@@ -1454,6 +1455,8 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
 
        while ((r = TAILQ_FIRST(rs->rules.active.ptr)) != NULL) {
                TAILQ_REMOVE(rs->rules.active.ptr, r, entries);
+               pfctl_expand_label_nr(r, rno);
+               rno++;
                if ((error = pfctl_load_rule(pf, path, r, depth)))
                        goto error;
                if (r->anchor) {

diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index a82854a..01a61a4 100644 (file)
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfctl_parser.h,v 1.117 2020/07/21 14:10:51 henning Exp $ */
+/*     $OpenBSD: pfctl_parser.h,v 1.118 2021/10/25 14:50:29 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -248,6 +248,7 @@ void        print_queuespec(struct pf_queuespec *);
 
 int    pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
            u_int32_t);
+void   pfctl_expand_label_nr(struct pf_rule *, unsigned int);
 
 void            pfctl_clear_fingerprints(int, int);
 int             pfctl_file_fingerprints(int, int, const char *);