NetBSD-Bugs archive
Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
The following reply was made to PR misc/56990; it has been noted by GNATS.
From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
Date: Fri, 2 Sep 2022 12:46:20 -0000 (UTC)
hopkinsza%gmail.com@localhost writes:
>>How-To-Repeat:
># echo '
>alg "icmp"
>group "filtered" on lo0 {
> block all
> ruleset "test"
> pass all
>}
>group default {
> pass all
>}
>' >/etc/ntp.conf
The processing is done in npf_ruleset_inspect().
npf debug -c npf.conf gives:
...
rules (NVLIST ARRAY): 6
attr (NUMBER): 805306370 (805306370) (0x30000002)
name (STRING): [filtered]
ifname (STRING): [lo0]
prio (NUMBER): 18446744073709551615 (-1) (0xffffffffffffffff)
skip-to (NUMBER): 4 (4) (0x4)
,
attr (NUMBER): 805306368 (805306368) (0x30000000)
prio (NUMBER): 18446744073709551615 (-1) (0xffffffffffffffff)
,
attr (NUMBER): 805306434 (805306434) (0x30000042)
name (STRING): [test]
prio (NUMBER): 18446744073709551615 (-1) (0xffffffffffffffff)
,
attr (NUMBER): 805306369 (805306369) (0x30000001)
prio (NUMBER): 18446744073709551615 (-1) (0xffffffffffffffff)
,
attr (NUMBER): 805306370 (805306370) (0x30000002)
prio (NUMBER): 18446744073709551615 (-1) (0xffffffffffffffff)
skip-to (NUMBER): 6 (6) (0x6)
,
attr (NUMBER): 805306369 (805306369) (0x30000001)
prio (NUMBER): 18446744073709551615 (-1) (0xffffffffffffffff)
Slightly transliterated:
1: GROUP inout (name="filtered", ifname="lo0", prio=-1, skip-to=4)
-> if this matches (interface) continue else goto rule 4
2: BLOCK inout (prio=-1)
-> set result to BLOCK but continue
3: DYNAMIC_GROUP inout (name="test", prio=-1)
-> a DYNAMIC_GROUP is also a GROUP and we already have a result, just exit
4: PASS inout (prio=-1)
5: GROUP inout (prio=-1, skip-to=6)
6: PASS inout (prio=-1)
When you move DYNAMIC_GROUP to position 2, it is actually
evaluated as there is no result yet.
The bug is that evaluation of a ruleset exits when seeing any GROUP
rule. A regular GROUP rule is the start of the next ruleset; aborting
here if you have a result is correct.
But a DYNAMIC_GROUP (== evaluation of another "sub"-ruleset) should
not be a barrier for evaluation.
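A small C model of the walk transliterated above (added here; it is not NetBSD's npf code, and the names `inspect`, `dynamic_is_barrier` and `pr56990` are this model's own): GROUP rules enter or skip their body, BLOCK/PASS record a result and keep walking, and one flag switches between the reported behaviour (any GROUP ends the walk once a result exists) and the described fix (only a regular GROUP does). Assumed: skip-to is a 0-based index into the rule array as in the debug output, and the dynamic group's sub-ruleset is treated as empty.

```c
/* Model of the npf_ruleset_inspect() walk described above (added here, not
 * NetBSD code). skip_to is a 0-based index into the rule array, as in the
 * debug output (4 = the default group, 6 = end of the ruleset). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum kind { GROUP, DYNAMIC_GROUP, BLOCK, PASS };
enum result { NONE, RES_BLOCK, RES_PASS };
/* ifname and skip_to matter for GROUP only: NULL ifname matches any interface. */
struct rule { enum kind kind; const char *ifname; size_t skip_to; };
struct outcome { enum result res; bool dynamic_evaluated; };

/* pkt_if is the packet's interface. dynamic_is_barrier=true reproduces the
 * bug: any GROUP, a DYNAMIC_GROUP included, ends the walk once a result
 * exists. false models the fix: only a regular GROUP is a barrier. */
static struct outcome inspect(const struct rule *r, size_t n,
                              const char *pkt_if, bool dynamic_is_barrier)
{
    struct outcome o = { NONE, false };
    size_t i = 0;
    while (i < n) {
        const struct rule *cur = &r[i];
        switch (cur->kind) {
        case GROUP:
            if (o.res != NONE) return o;       /* start of next group: done */
            if (cur->ifname && strcmp(cur->ifname, pkt_if) != 0)
                i = cur->skip_to;              /* interface mismatch: skip */
            else
                i++;                           /* enter the group body */
            break;
        case DYNAMIC_GROUP:
            if (o.res != NONE && dynamic_is_barrier) return o;
            o.dynamic_evaluated = true;        /* sub-ruleset "test" runs here */
            i++;
            break;
        default:
            o.res = (cur->kind == BLOCK) ? RES_BLOCK : RES_PASS;
            i++;                               /* note result, keep walking */
        }
    }
    return o;
}

/* The six rules of the PR's ruleset as listed in the debug output. */
static const struct rule pr56990[6] = {
    { GROUP, "lo0", 4 }, { BLOCK, NULL, 0 }, { DYNAMIC_GROUP, NULL, 0 },
    { PASS, NULL, 0 }, { GROUP, NULL, 6 }, { PASS, NULL, 0 },
};
```

For a packet on lo0 the buggy walk stops at the DYNAMIC_GROUP with result BLOCK and never evaluates ruleset "test"; with the fix the sub-ruleset is evaluated and the walk continues to the "pass all" that follows it.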