From 6edf764c6fecd2f244a03489326750becf8654ce Mon Sep 17 00:00:00 2001
From: sashan
Date: Mon, 25 Oct 2021 14:50:29 +0000
Subject: [PATCH] - pfctl $nr incorrect macro expansion
Issue reported by Kristof Provost from FreeBSD. [ https://reviews.freebsd.org/D32488 ] In order to fix the issue we must delay '$nr' macro expansion after optimizer collapses ruleset. OK kn@
---
 sbin/pfctl/parse.y | 21 +++++++++++++--------
 sbin/pfctl/pfctl.c | 5 ++++-
 sbin/pfctl/pfctl_parser.h | 3 ++-
 3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 7eb43c38e87..8a92a7e895c 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.710 2021/10/15 15:01:27 naddy Exp $ */
+/* $OpenBSD: parse.y,v 1.711 2021/10/25 14:50:29 sashan Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -358,7 +358,6 @@ void expand_label_addr(const char *, char *, size_t, u_int8_t,
 void expand_label_port(const char *, char *, size_t, struct node_port *);
 void expand_label_proto(const char *, char *, size_t, u_int8_t);
-void expand_label_nr(const char *, char *, size_t);
 void expand_label(char *, size_t, const char *, u_int8_t,
 struct node_host *, struct node_port *, struct node_host *,
 struct node_port *, u_int8_t);
@@ -4196,14 +4195,20 @@ expand_label_proto(const char *name, char *label, size_t len, u_int8_t proto)
 }
 void
-expand_label_nr(const char *name, char *label, size_t len)
+pfctl_expand_label_nr(struct pf_rule *r, unsigned int rno)
 {
 char n[11];
- if (strstr(label, name) != NULL) {
- snprintf(n, sizeof(n), "%u", pf->anchor->match);
- expand_label_str(label, len, name, n);
- }
+ snprintf(n, sizeof(n), "%u", rno);
+
+ if (strstr(r->label, "$nr") != NULL)
+ expand_label_str(r->label, PF_RULE_LABEL_SIZE, "$nr", n);
+
+ if (strstr(r->tagname, "$nr") != NULL)
+ expand_label_str(r->tagname, PF_TAG_NAME_SIZE, "$nr", n);
+
+ if (strstr(r->match_tagname, "$nr") != NULL)
+ expand_label_str(r->match_tagname, PF_TAG_NAME_SIZE, "$nr", n);
 }
 void
@@ -4218,7 +4223,7 @@ expand_label(char *label, size_t len, const char *ifname, sa_family_t af,
 expand_label_port("$srcport", label, len, src_port);
 expand_label_port("$dstport", label, len, dst_port);
 expand_label_proto("$proto", label, len, proto);
- expand_label_nr("$nr", label, len);
+ /* rule number, '$nr', gets expanded after optimizer */
 }
 int
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 3441d47aaca..bcd147877b0 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.383 2020/10/14 19:30:37 naddy Exp $ */
+/* $OpenBSD: pfctl.c,v 1.384 2021/10/25 14:50:29 sashan Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1425,6 +1425,7 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
 struct pf_rule *r;
 int error, len = strlen(path);
 int brace = 0;
+ unsigned int rno = 0;
 pf->anchor = rs->anchor;
@@ -1454,6 +1455,8 @@ pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
 while ((r = TAILQ_FIRST(rs->rules.active.ptr)) != NULL) {
 TAILQ_REMOVE(rs->rules.active.ptr, r, entries);
+ pfctl_expand_label_nr(r, rno);
+ rno++;
 if ((error = pfctl_load_rule(pf, path, r, depth)))
 goto error;
 if (r->anchor) {
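Review bot: pfctl_expand_label_nr carries no comment stating its contract, and now that it is exported through pfctl_parser.h and called from pfctl.c rather than being a parser-internal helper, a reader of the header has nothing to go on; a header comment such as `/* Expand "$nr" in r's label, tagname and match_tagname in place. rno is r's position in the ruleset being loaded, so this must only run once the optimizer has collapsed the ruleset. */` would cover it. The three strstr()/expand_label_str() pairs also depend on r->label, r->tagname and r->match_tagname being NUL-terminated; that presumably holds for these fixed-size struct pf_rule arrays, but the comment is the right place to say so. The bound now comes from PF_RULE_LABEL_SIZE / PF_TAG_NAME_SIZE instead of a caller-supplied len, which is worth a one-line remark since the old signature took len explicitly.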
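Review bot: The replacement comment in expand_label says '$nr' is expanded after the optimizer but not where, so a reader of parse.y has to grep for the new home of that logic; `/* rule number, '$nr', is expanded after the optimizer by pfctl_expand_label_nr() in pfctl.c */` would close the loop. The body of expand_label starts outside the hunk.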
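Review bot: The meaning of rno at the new call site is undocumented: it starts at 0 (declared in the earlier hunk) and is passed before being incremented, so the first rule of each ruleset expands '$nr' to 0, and since pfctl_load_ruleset is presumably re-entered for anchors (the `if (r->anchor) {` branch at the hunk's end) each nested ruleset restarts its own count. A comment above the call such as `/* $nr: zero-based position of r in this ruleset, post-optimizer */` would make that explicit; whether this numbering matches what the kernel reports for the rule is not visible here and should be confirmed against pfctl_load_rule. The enclosing while loop continues past the hunk.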
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index a82854a0fea..01a61a49d01 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.117 2020/07/21 14:10:51 henning Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.118 2021/10/25 14:50:29 sashan Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -248,6 +248,7 @@ void print_queuespec(struct pf_queuespec *);
 int pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
 u_int32_t);
+void pfctl_expand_label_nr(struct pf_rule *, unsigned int);
 void pfctl_clear_fingerprints(int, int);
 int pfctl_file_fingerprints(int, int, const char *);
-- 
2.20.1